-
-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Regression: query not supported #10594
Comments
Hi. As noted in #10553 (which you've presumably read) we've disabled script expressions in jsonpath queries to resolve an important security issue. This does remove some functionality that was previously available (e.g: filters using In terms of other ways to achieve this.. having a really quick look at https://github.com/Botspot/pi-apps-analytics/ it looks like it is a repo you contribute to and the json file you are parsing is the output of a GitHub workflow.
|
The latter option is not a solution we can work with. I assume for the first you mean something like this? {
"AbiWord": {
"Version": "",
"Description": "A free and open-source alternative to Microsoft Word. ",
"URL": "http://www.abisource.com/",
"Architecture": "package",
"Users": "5238"
},
"Alacritty Terminal": {
"Version": "",
"Description": "A fast, cross-platform, OpenGL terminal emulator",
"URL": "https://github.com/alacritty/alacritty",
"Architecture": "ARM32/ARM64",
"Users": "3672"
}
} ofc this format is different and I'll have to update all dependent projects (or create another file in the repo for this format and also still update any dependent projects that use the shield to use it). |
Yep. If you made a data file like that, then you could query it using
which would still work as they don't use script expressions. |
badges/shields cannot perform queries anymore badges/shields#10594 so a new format of the json is needed that does not require any queries to be used by external projects
Why not set |
I did have a look at the Here's a section from the JSONPath-Plus docs (I've made some small formatting changes for clarity):
so the first thing to note here is that https://nodejs.org/docs/latest-v20.x/api/vm.html#vm-executing-javascript There's a big red warning at the top saying
My reading of this is that we should not use |
Oh I see your point. Since |
So there's a few things to dig into here.
JSONPath-Plus isn't actively developed, but they do accept PRs for bugfixes and address security issues. For example, since we switched to version 9.0.0 in September there have been 10 releases including multiple security-related patches https://github.com/JSONPath-Plus/JSONPath/blob/main/CHANGES.md . So although they describe it as "not actively maintained" it is not completely abandoned.
Shields is a javascript application. Very decisively a javascript application, in fact. In the interests of keeping the deployment simple and the codebase maintainable by the current team, we don't really have the capacity to have bits of the application implemented in other languages.
Every JSONPath implementation has quirks and idiosyncrasies. I link to this a lot, but this table https://cburgmer.github.io/json-path-comparison/ does a very good job of demonstrating that there are many subtle implementation differences between every JSONPath implementation. This means that switching JSONPath implementations entails some level of switching cost for users. The main thing under discussion in this particular thread is the fact that we disabled script expressions, and that is a big impact. However, when we ditched https://github.com/dchester/jsonpath and migrated to https://github.com/JSONPath-Plus/JSONPath we also switched from one quirky implementation to another quirky implementation. So as well as losing script expressions, there was also this other class of backwards-compatibility breaks that users had to deal with. To be honest, one of the reasons we stuck with https://github.com/dchester/jsonpath for so long was to maintain compatibility and avoid that backwards compatibility break. That turned out not to be the right decision from a security perspective, but hey-ho. Anyway, my point is: Switching to another JSONPath implementation today will be another BC break for users. It isn't a zero cost switch. That said.. One interesting thing that has happened in the world of JSONPath lately is RFC 9535 https://www.rfc-editor.org/rfc/rfc9535 which is an attempt to standardise JSONPath. In principle, if everyone implements that standard it will get rid of most of those quirks and make implementations much more interchangeable. However the reality is basically none of the widely-used libraries actually implement it yet. As part of this mitigation we did look at whether it would be possible to migrate to something that is RFC9535-compliant. However it is our assessment that the JavaScript community does not yet have a sufficiently mature RFC9535-compliant JSONPath implementation. I think if and when we do swap out JSONPath-Plus for another implementation, I would only really want to so that if we can move to a RFC9535-compliant implementation instead of another legacy quirky implementation. There's a few advantages to that:
However right now today the javascript ecosystem sadly does not yet have a mature RFC9535-compliant JSONPath implementation in my view. The project I have my eye on is https://github.com/jg-rp/json-p3 I think this is probably the most promising. It is not yet in a place where I would bet the farm on it, but it is something I'm monitoring as a possible replacement for JSONPath-Plus at some point in future. However, I have no defined timeline for this. |
Are you experiencing an issue with...
shields.io
🐞 Description
which is decoded as
the above query was previously supported for over a year but stopped working sometime recently (in the past few months)
its purpose was to query https://raw.githubusercontent.com/Botspot/pi-apps-analytics/main/package_data.json for a
Name
withMinecraft Java Prism Launcher
and return the correspondingVersion
string in the json.The above query continues to work in https://jsonpath.com/ so this is a regression in shields or the JSONPath evaluator is uses.
🔗 Link to the badge
💡 Possible Solution
No response
The text was updated successfully, but these errors were encountered: