view release on metacpan or  search on metacpan

Changes  view on Meta::CPAN

Revision history for Perl extension JSON::XS

TODO: maybe detect and croak on more invalid inputs (e.g. +-inf/nan)
TODO: maybe avoid the reblessing and better support readonly objects.
TODO: how to cope with tagged values and standard json decoders
TODO: investigate magic (Eric Brine)
TODO: [PATCH] Types::Serialiser: Inline true(), false() and error() functions
TODO: replace bool_stash by BOOL_STASH seems to work with mod_perl, make a compile time option?
TODO: https://github.com/ulfjack/ryu https://lemire.me/blog/2020/03/10/fast-float-parsing-in-practice/ / https://github.com/lemire/fast_double_parser

TODO: validate_utf8, apparewntly some people confuse themselves.
TODO: security considerations
TODO: perl 5.36 has builtin::true/false/is_bool. Not sure how to integrate those.

4.04 Fri 05 Sep 2025 23:59:48 CEST
        - fix heap overflow causing crashes, possibly information
          disclosure or worse (CVE-2025-40928), and causes JSON::XS to
          accept invalid JSON texts as valid in some cases. Thanks to
          Michael Hudak for finding this, the CPAN Security Group for
          coordinating this, and Reini Urban for double-checking the patch
          (and Peter Juhasz for potentially reporting this much earlier).

4.03 Tue Oct 27 19:05:01 CET 2020
	- when parsing comments in relaxed mode, JSON::XS would detect garbage
          after the JSON text if the comment is after the end and does not end in
          a newline (reported by Felipe Gasper).

4.02 Wed Mar  6 08:31:24 CET 2019
	- undo the fix from 4.01, it breaks more things than it fixes
          (another testcase by Wesley Schwengle).
        - try a proper fix this time.

4.01 Sun Feb 24 05:03:30 CET 2019
	- fix some stack corruption caused mostly when calling methods
          in list context (testcase by Wesley Schwengle).

4.0  Fri Nov 16 00:06:54 CET 2018
	- SECURITY IMPLICATION: this release enables allow_nonref by default
          for compatibility with RFC 7159 and newer. See "old" vs. "new"
          JSON under SECURITY CONSIDERATIONS.
        - reworked the "old" vs. "new" JSON section.
        - add ->boolean_values to provide the values to which booleans
          decode (requested by Aristotle Pagaltzis).
        - decode would wrongly accept ASCII NUL characters instead of
          reporting them as trailing garbage.
        - work around what smells like a perl bug w.r.t. exceptions
          thrown in callbacks.
        - incremental parser now more or less respects allow_nonref.
	- json_xs json-pretty now enables canonical mode.
        - add documentation section about I-JSON.
        - minor documentation fixes/updates.

3.04 Thu Aug 17 04:30:47 CEST 2017
	- change exponential realloc algorithm on encoding and string decoding to be
          really exponential (this helps slow/debugging allocators such as libumem)
          (reported by Matthew Horsfall).
        - string encoding would needlessly overallocate output space
          (testcase by Matthew Horsfall).
        - be very paranoid about extending buffer lengths and croak if buffers get too large,
          which might (or might not) improve security.
	- add cbor-packed type to json_xs.
        - switch from YAML to YAML::XS in json_xs, as YAML is way too buggy and outdated.

3.03 Wed Nov 16 20:20:59 CET 2016
	- fix a bug introduced by a perl bug workaround that would cause
          incremental parsing to fail with a sv_chop panic.
	- json_xs: toformat failure error message fixed.
        - json_xs: allow cyclic data structures in CBOR.

3.02 Fri Feb 26 22:45:20 CET 2016
	- allow_nonref now affects booleans (\1, $Types::Serialiser::Boolean)
          as well (reported by Alex Efros).
	- allow literal tabs in strings in relaxed mode (patch by
          lubo.rintel@gooddata.com).
	- support "cbor" format in json_xs tool.
	- support (and fix) calling encode and decode in list context
          (reported by Вадим Власов).
        - work around a bug in older perls crashing when presented
          with shared hash keys (Reini Urban).
        - use stability canary.

3.01 Tue Oct 29 16:55:15 CET 2013
	- backport to perls < 5.18 (reported by Paul Howarth).

3.0  Tue Oct 29 01:35:37 CET 2013
        - implemented an object tagging extension (using the
          Types::Serialiser serialisation protocol).
        - reworked the documentation regarding object serialisation,
          add a new OBJECT SERIALISATION section that explains th
          whole process.
        - new setting: allow_tags.
	- switch to Types::Serialiser booleans.
	- remove to_json/from_json.
        - other minor improvements to the documentation.

2.34 Thu May 23 11:30:34 CEST 2013
	- work around bugs in perl 5.18 breaking more than 100
          widely used modules, without a fix in sight because
          p5pers don't care about CPAN anymore.
	- when canonicalising, only allocate up to 64 hash key
          pointers on the stack. for larger hashes, use the heap,
          to avoid using too much stackspace.