
chore(deps): update dependency json to v11#762

Open

renovate[bot] wants to merge 1 commit into master from renovate/json-11.x

Conversation


@renovate renovate bot commented Mar 27, 2026

This PR contains the following updates:

Package: json
Change: ^9.0.6 -> ^11.0.0

Release Notes

trentm/json (json)

v11.0.0

Compare Source

  • Backward incompatible and security-related change to parsing the
    -d DELIM option. (#148)

    The -d DELIM option allows specifying the field delimiter in output:

      % echo '{"name":"trent","age":38}' | json -a name age
      trent 38
      % echo '{"name":"trent","age":38}' | json -a name age -d,
      trent,38

    The given "DELIM" string is parsed to allow escapes. For example:

      % echo '{"name":"trent","age":38}' | json -a name age -d'\t'
      trent	38
      % echo '{"name":"trent","age":38}' | json -a name age -d'\n'
      trent
      38

    Before this change, that parsing used eval(), which allowed for unintended
    code execution if an untrusted argument to -d was provided. The fix for
    this vulnerability changes to use JSON.parse() to support escapes. However,
    that results in a backward incompatible change, because the set of JSON
    escapes is a subset of JavaScript escapes.

    The only escape I expect that would affect any current user would be the
    null byte escape (\0) which can be useful for processing values that may
    have spaces or other likely delimiter characters. For example:

    BEFORE

      % echo '{"title":"Monsters, Inc.","year":"2001"}' \
        | json -a title year -d'\0' \
        | xargs -0 node -e 'console.log(process.argv)'
      [ 'node', 'Monsters, Inc.', '2001\n' ]

    AFTER

      % echo '{"title":"Monsters, Inc.","year":"2001"}' | json -a title year -d'\0'
      json: error: Unexpected number in JSON at position 2

    One must now use the JSON unicode escape syntax, '\u0000':

      % echo '{"title":"Monsters, Inc.","year":"2001"}' \
        | json -a title year -d'\u0000' \
        | xargs -0 node -e 'console.log(process.argv)'
      [ 'node', 'Monsters, Inc.', '2001\n' ]

v10.0.0

Compare Source

  • Backward incompatible and security-related change to parsing "lookup" strings.

    This version restricts the supported syntax for bracketed "lookup" strings
    to fix a possible vulnerability (CVE-2020-7712). With a carefully crafted
    lookup string, command injection was possible. See #144 for a repro. If
    you use json (the CLI or as a node.js module) and run arbitrary
    user-provided strings as a "lookup", then you should upgrade.

    For the json CLI, a "lookup" string is the 'foo' in:

      echo ...some json... | json foo

    which allows you to lookup fields on the given JSON, e.g.:

      $ echo '{"foo": {"bar": "baz"}}' | json foo.bar
      baz

    If one of the lookup fields isn't a valid JS identifier, then the JS array
    notation is supported:

      $ echo '{"https://example.com": "my-value"}' | json '["https://example.com"]'
      my-value

    Before this change, json would effectively exec the string between the
    brackets as JS code such that things like the following were possible:

      $ echo '{"foo3": "bar"}' | json '["foo" + 3]'
      bar

    This change limits supported bracket syntax in lookups to a simple quoted
    string:

      ["..."]
      ['...']
      [`...`]      # no variable interpolation

    Otherwise generating an error of the form:

      json: error: invalid bracketed lookup string: "[\"foo\" + 3]" (must be of the form ['...'], ["..."], or [`...`])

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
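Added example, not code from the json project or from this PR: a small JavaScript re-creation of the two hardened parsing steps the v11 (-d DELIM via JSON.parse) and v10 (quoted-only bracketed lookups) release notes describe, so the new behaviour and its edge cases can be checked offline. The function names parseDelim, formatRow, parseBracketedLookup and lookupValue are assumptions for this example.

```javascript
// Added example, not code from the json project or this PR. It re-creates the
// two hardened parsing steps from the release notes so the behaviour can be
// checked offline. Function names are assumptions made for this example.

// v11: the -d DELIM argument is interpreted as a JSON string literal, so
// escapes such as \t, \n and \u0000 are honoured without ever calling eval().
// JSON's escape set is smaller than JavaScript's, so '\0' is rejected here.
// Assumption: a literal double quote inside DELIM must itself be written \".
function parseDelim(delim) {
  try {
    return JSON.parse('"' + delim + '"');
  } catch (err) {
    throw new Error('invalid -d DELIM escape in ' + JSON.stringify(delim) + ': ' + err.message);
  }
}

// Join the selected field values with the parsed delimiter, as `json -a` does.
function formatRow(values, delim) {
  return values.map(String).join(parseDelim(delim));
}

// v10: a bracketed lookup is only accepted in the three quoted forms
// ["..."], ['...'] and [`...`]; the text between the quotes is returned as a
// plain key and is never evaluated, so `["foo" + 3]` is an error rather than
// an expression (and a backtick string gets no variable interpolation).
const BRACKETED = /^\[\s*(?:"([^"]*)"|'([^']*)'|`([^`]*)`)\s*\]$/;
function parseBracketedLookup(lookup) {
  const m = BRACKETED.exec(lookup);
  if (m === null) {
    throw new Error('invalid bracketed lookup string: ' + JSON.stringify(lookup) +
      " (must be of the form ['...'], [\"...\"], or [`...`])");
  }
  // Exactly one of the three capture groups matched.
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

// Resolve a single-segment lookup (bare identifier or one bracketed key)
// against a parsed JSON document without any code execution.
function lookupValue(doc, lookup) {
  const key = lookup.startsWith('[') ? parseBracketedLookup(lookup) : lookup;
  return doc[key];
}
```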

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Mar 27, 2026