
Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Jan 27, 2025

Note

Mend has cancelled the proposed renaming of the Renovate GitHub app to mend[bot].

This notice will be removed on 2025-10-07.


This PR contains the following updates:

Package  Type             Update  Change
json     devDependencies  pin     ^9.0.4 -> 9.0.6
json     devDependencies  major   9.0.6 -> 10.0.0

GitHub Vulnerability Alerts

CVE-2020-7712

This affects the package json before 10.0.0. It is possible to inject arbitrary commands using the parseLookup function.

Add the preset :preserveSemverRanges to your config if you don't want to pin your dependencies.


Release Notes

trentm/json (json)

v10.0.0


  • Backward incompatible and security-related change to parsing "lookup" strings.

    This version restricts the supported syntax for bracketed "lookup" strings to fix a possible vulnerability (CVE-2020-7712). With a carefully crafted lookup string, command injection was possible. See #144 for a repro. If you use json (the CLI or as a node.js module) and run arbitrary user-provided strings as a "lookup", then you should upgrade.

    For the json CLI, a "lookup" string is the 'foo' in:

      echo ...some json... | json foo
    

    which allows you to lookup fields on the given JSON, e.g.:

      $ echo '{"foo": {"bar": "baz"}}' | json foo.bar
      baz
    

    If one of the lookup fields isn't a valid JS identifier, then the JS array
    notation is supported:

      $ echo '{"https://example.com": "my-value"}' | json '["https://example.com"]'
      my-value
    

    Before this change, json would effectively exec the string between the
    brackets as JS code such that things like the following were possible:

      $ echo '{"foo3": "bar"}' | json '["foo" + 3]'
      bar
    

    This change limits supported bracket syntax in lookups to a simple quoted
    string:

      ["..."]
      ['...']
      [`...`]      # no variable interpolation
    

    Anything else produces an error of the form:

      json: error: invalid bracketed lookup string: "[\"foo\" + 3]" (must be of the form ['...'], ["..."], or [`...`])
    

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
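The lookup restriction described in the v10.0.0 release notes above, as an added example that is not code from trentm/json or from this repository. It models the two behaviours the release notes describe for bracketed lookup strings: a pre-10.0.0 path that evaluates the bracket contents as JavaScript (so `["foo" + 3]` resolves to the key `foo3`, and any other expression runs too), and the v10.0.0 path that accepts only `["..."]`, `['...']` or `` [`...`] `` and rejects everything else with the error the notes quote. The function names, the regex, the simple segment splitter and the sample document are assumptions of this example, not the project's own implementation.

```javascript
// Added example for this PR page; not code from trentm/json or this
// repository. Function names, the regex, the segment splitter and DOC are
// assumptions of the example.
"use strict";

// Constructed sample document, mirroring the values in the release notes.
const DOC = {
  foo: { bar: "baz" },
  foo3: "bar",
  "https://example.com": "my-value",
};

// Split a lookup string such as `foo.bar` or `["https://example.com"]` into
// path segments. Dotted segments are split on ".", and each bracketed
// segment (brackets included) is passed to `bracketFn` to become a key.
// The splitter is deliberately simple: it does not handle a literal "]"
// inside a quoted key.
function parseLookup(lookup, bracketFn) {
  const segments = [];
  let i = 0;
  while (i < lookup.length) {
    if (lookup[i] === "[") {
      const close = lookup.indexOf("]", i);
      if (close === -1) {
        throw new Error(`unterminated bracket in lookup: ${lookup}`);
      }
      segments.push(bracketFn(lookup.slice(i, close + 1)));
      i = close + 1;
    } else {
      const dot = lookup.indexOf(".", i);
      const bracket = lookup.indexOf("[", i);
      let end = lookup.length;
      if (dot !== -1) end = dot;
      if (bracket !== -1 && bracket < end) end = bracket;
      segments.push(lookup.slice(i, end));
      i = end;
    }
    if (lookup[i] === ".") i += 1; // skip the separator between segments
  }
  return segments;
}

// Pre-10.0.0 behaviour as the release notes describe it: the bracket
// contents are executed as JavaScript. `["foo" + 3]` therefore yields the
// key `foo3`, and any other expression runs with the process's privileges.
function unsafeBracketKey(bracket) {
  const inner = bracket.slice(1, -1);
  return String(new Function(`return (${inner});`)());
}

// v10.0.0 behaviour: exactly one of ["..."], ['...'] or [`...`], with the
// quoted text taken literally (a `${...}` inside backticks is not
// interpolated). Anything else is rejected with the error the notes quote.
const SAFE_BRACKET = /^\[(?:"([^"]*)"|'([^']*)'|`([^`]*)`)\]$/;

function safeBracketKey(bracket) {
  const m = SAFE_BRACKET.exec(bracket);
  if (m === null) {
    throw new Error(
      `invalid bracketed lookup string: ${JSON.stringify(bracket)} ` +
        "(must be of the form ['...'], [\"...\"], or [`...`])"
    );
  }
  return m[1] ?? m[2] ?? m[3];
}

// Walk `doc` along the parsed segments, following own properties only.
function lookup(doc, lookupStr, bracketFn) {
  let cur = doc;
  for (const key of parseLookup(lookupStr, bracketFn)) {
    if (cur === null || typeof cur !== "object" ||
        !Object.prototype.hasOwnProperty.call(cur, key)) {
      return undefined;
    }
    cur = cur[key];
  }
  return cur;
}

// Before the fix: `["foo" + 3]` is accepted and resolves to DOC.foo3.
function lookupBefore(lookupStr) {
  return lookup(DOC, lookupStr, unsafeBracketKey);
}

// The same evaluation runs arbitrary JavaScript. A benign side effect on a
// global stands in here for the command injection reported as CVE-2020-7712.
function unsafeRunsCode() {
  globalThis.__lookupRan = false;
  lookupBefore('[(globalThis.__lookupRan = true, "foo3")]');
  return globalThis.__lookupRan === true;
}

// After the fix: the same lookups go through the restricted bracket parser.
function lookupAfter(lookupStr) {
  return lookup(DOC, lookupStr, safeBracketKey);
}

// True when the restricted parser rejects `lookupStr` with the
// "invalid bracketed lookup string" error.
function rejectedAfter(lookupStr) {
  try {
    lookupAfter(lookupStr);
    return false;
  } catch (err) {
    return /^invalid bracketed lookup string/.test(err.message);
  }
}
```

Running `lookupBefore('["foo" + 3]')` returns `"bar"` and `unsafeRunsCode()` returns `true`, which is the pre-fix behaviour; `lookupAfter('["https://example.com"]')` still returns `"my-value"`, while `rejectedAfter('["foo" + 3]')` returns `true`. The practical check for a code base that consumes this package is whether any lookup string ever originates from user input; if it does, the pin to 9.0.6 in this PR's first row is not enough and the major update to 10.0.0 is the one that closes the issue.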

@renovate renovate bot force-pushed the renovate/npm-json-vulnerability branch from e69d689 to 42ff5f0 on February 10, 2025 21:39
@renovate renovate bot added the security label Feb 10, 2025
@renovate renovate bot force-pushed the renovate/npm-json-vulnerability branch from 42ff5f0 to 48b6f50 on February 10, 2025 21:41
@renovate renovate bot force-pushed the renovate/npm-json-vulnerability branch from 48b6f50 to fac07fe on February 22, 2025 02:24
@renovate renovate bot requested a review from a team as a code owner February 22, 2025 02:24
@renovate renovate bot force-pushed the renovate/npm-json-vulnerability branch from fac07fe to 629774a on August 10, 2025 13:08
@renovate renovate bot changed the title from "chore(deps): update dependency json to v10 [security]" to "chore(deps): pin dependency json [security]" on Aug 10, 2025
@renovate renovate bot force-pushed the renovate/npm-json-vulnerability branch from 629774a to dcba07c on August 13, 2025 12:08
@renovate renovate bot force-pushed the renovate/npm-json-vulnerability branch 2 times, most recently from 0512b49 to b7385e2 on August 24, 2025 00:28
@renovate renovate bot force-pushed the renovate/npm-json-vulnerability branch from b7385e2 to 0839855 on August 31, 2025 13:04
@renovate renovate bot force-pushed the renovate/npm-json-vulnerability branch 2 times, most recently from 093aae0 to a19bb82 on September 25, 2025 18:16

github-actions bot commented Sep 25, 2025

Test report for scratch-svg-renderer

  1 files  ±0   60 suites  ±0   0s ⏱️ ±0s
124 tests ±0  124 ✅ ±0  0 💤 ±0  0 ❌ ±0 
276 runs  ±0  275 ✅ ±0  1 💤 ±0  0 ❌ ±0 

Results for commit 791ce75. ± Comparison against base commit cdaabec.

♻️ This comment has been updated with latest results.


github-actions bot commented Sep 25, 2025

Test report for scratch-render

  1 files  ±0   55 suites  ±0   2s ⏱️ -1s
209 tests ±0  209 ✅ ±0  0 💤 ±0  0 ❌ ±0 
279 runs  ±0  279 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit 791ce75. ± Comparison against base commit cdaabec.

♻️ This comment has been updated with latest results.


github-actions bot commented Sep 25, 2025

Test report for scratch-vm

    1 files  ±0    770 suites  ±0   1m 5s ⏱️ ±0s
1 686 tests ±0  1 686 ✅ ±0   0 💤 ±0  0 ❌ ±0 
4 891 runs  ±0  4 861 ✅ ±0  30 💤 ±0  0 ❌ ±0 

Results for commit 791ce75. ± Comparison against base commit cdaabec.

♻️ This comment has been updated with latest results.


github-actions bot commented Sep 25, 2025

Test report for scratch-gui

  2 files  ±0   61 suites  ±0   9m 6s ⏱️ -34s
389 tests ±0  380 ✅ ±0  9 💤 ±0  0 ❌ ±0 
407 runs  ±0  398 ✅ ±0  9 💤 ±0  0 ❌ ±0 

Results for commit 791ce75. ± Comparison against base commit cdaabec.

♻️ This comment has been updated with latest results.

@renovate renovate bot force-pushed the renovate/npm-json-vulnerability branch 12 times, most recently from 0f74666 to a56e051 on September 29, 2025 16:28
@renovate renovate bot force-pushed the renovate/npm-json-vulnerability branch 13 times, most recently from c7b4da2 to 8e8b133 on October 4, 2025 13:05
@renovate renovate bot force-pushed the renovate/npm-json-vulnerability branch from 8e8b133 to 791ce75 on October 6, 2025 04:59