Commit d533341

feat: harden schema validators (#1396)
<!--🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅
You can expedite processing of your PR by using this template to provide context and additional information.
Before actually opening a PR please make sure that it does NOT fall into any of the following categories
🚫 Spam PRs (accidental or intentional) - these will result in a 30-days or even ∞ ban from interacting with the project depending on reoccurrence and severity.
🚫 Lazy typo fixing PRs - if you fix a typo in a file, your PR will only be merged if all other typos in the same file are also fixed with the same PR
🚫 If you fail to provide any _Description_ below, your PR will be considered spam. If you do not check the _Affirmation_ box below, your PR will not be merged.
🚫 If you do not check one of the _AI Tool Disclosure_ boxes below, your PR will not be merged. If you used AI tools to assist you in writing code, but fail to provide the required disclosure, your PR will not be merged.
🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅-->

### Description
<!-- ✍️-->
harden schema validators

Resolves or fixes issue: <!-- ✍️ Add GitHub issue number in format `#0000` or `none` -->

### AI Tool Disclosure

- [x] My contribution does not include any AI-generated content
- [ ] My contribution includes AI-generated content, as disclosed below:
  - AI Tools: `[e.g. GitHub CoPilot, ChatGPT, JetBrains Junie etc.]`
  - LLMs and versions: `[e.g. GPT-4.1, Claude Haiku 4.5, Gemini 2.5 Pro etc.]`
  - Prompts: `[Summarize the key prompts or instructions given to the AI tools]`

### Affirmation

- [x] My code follows the [CONTRIBUTING.md](https://github.com/CycloneDX/cyclonedx-javascript-library/blob/main/CONTRIBUTING.md) guidelines

---------

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
1 parent aa8ddb1 commit d533341

3 files changed

Lines changed: 7 additions & 4 deletions

HISTORY.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -68,6 +68,7 @@ All notable changes to this project will be documented in this file.
6868
* Constructor of `Contrib.License.Factories.LicenseFactory` got an injectable argument `spdxExpressionValidate` for validating SPDX License Expressions ([#1348] via [#1382])
6969
Suggested implementation is `spdx-expression-parse`.
7070
* Pulled SPDX license IDs v1.0-3.28.0 (via [#1395])
71+
* Hardened schema validators (via [#1396])
7172
* Dependencies
7273
* Dependency `packageurl-js` became a suggested (optional peer-dependency) library ([#1348] via [#1378])
7374
You may use it to craft and parse PackageURLs downstream.
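Review bot: the new changelog line at 71, "Hardened schema validators (via [#1396])", does not tell a reader what was hardened, while the neighbouring entries in this block each name a concrete change. Suggest stating the behavioural part that this commit actually contains, along the lines of "JSON schema validator (ajv) no longer loads remote schemas: `loadSchema` now throws for any `$ref` not supplied via `schemaMap`", so a downstream user can judge whether a schema with an unresolved external reference that used to be tolerated will now be rejected.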
@@ -85,6 +86,7 @@ All notable changes to this project will be documented in this file.
8586
[#1380]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1380
8687
[#1382]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1382
8788
[#1395]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1395
89+
[#1396]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1396
8890

8991
## 9.5.0 -- 2026-03-02
9092

src/_optPlug.node/__jsonValidators/ajv.ts

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -27,13 +27,14 @@ import addFormats2019 from 'ajv-formats-draft2019'
2727
import type { ValidationError } from '../../validation/types'
2828
import type { Functionality, Validator } from '../jsonValidator'
2929

30-
const ajvOptions: AjvOptions = Object.freeze({
30+
const ajvOptions: Readonly<AjvOptions> = Object.freeze({
3131
// no defaults => no data alteration
3232
useDefaults: false,
3333
strict: false,
3434
strictSchema: false,
35-
addUsedSchema: false
36-
})
35+
addUsedSchema: false,
36+
loadSchema: (uri: string) => { throw new Error(`Remote schemas are disabled: ${uri}`) }
37+
} satisfies AjvOptions)
3738

3839
/** @internal */
3940
export default (async function (schemaPath: string, schemaMap: Record<string, string> = {}): Promise<Validator> {
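Review bot: the new `loadSchema` callback is only consulted by Ajv's `compileAsync`; the synchronous `compile` path raises its own missing-reference error and never invokes it, so the hardening at `loadSchema: (uri: string) => { throw new Error(...) }` is effective only if the validator built below compiles asynchronously, which the hunk's trailing context does not show. Confirm that, and add a one-line comment above `loadSchema` stating the intent (every referenced schema must be provided through `schemaMap`; nothing is fetched), matching the comment style already used for `useDefaults` above. A test that feeds a schema carrying an external `$ref` absent from `schemaMap` and asserts the resulting rejection would pin the behaviour. Minor: Ajv declares `loadSchema` as returning a promise; the synchronous throw works because Ajv awaits the call inside an async function, but `return Promise.reject(new Error(...))` would match the declared contract explicitly.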

src/_optPlug.node/__xmlValidators/libxmljs2.ts

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -34,7 +34,7 @@ const xmlParseOptions: Readonly<ParserOptions> = Object.freeze({
3434
// see https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1061
3535
noent: false,
3636
dtdload: false
37-
})
37+
} satisfies ParserOptions)
3838

3939
/** @internal */
4040
export default (async function (schemaPath: string): Promise<Validator> {
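Review bot: the only change in this hunk is `} satisfies ParserOptions)` on the frozen options literal, which is a compile-time check (excess or mistyped keys now fail type-checking) and alters nothing at runtime; `noent: false` and `dtdload: false` are untouched context. Combining it with the existing `Readonly<ParserOptions>` annotation on the `const` is fine, but `satisfies` requires TypeScript 4.9 or newer, so confirm the project's declared minimum TypeScript version (not visible here) allows it. Since the XML validator's behaviour did not change, the HISTORY.md wording should not imply the XML side was hardened.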
