Security and bundle size

[Eli-Black-Work]

In our project, we never want the schema parser to automatically load files while parsing. Currently, local and remote file loading can be disabled by setting file and http to false in options, but from a security perspective, I'd feel better if the code for including files weren't even present in my app. This would also reduce the bundle size :)

My proposal is to split out the default file and http resolvers and YAML and JSON parsers into separate functions that are exported separately from $RefParser and then have the user pass those functions in as options if he wants to use them.

For example:

import $RefParser, { fileResolver, httpResolver, yamlParser, jsonParser} from "@apidevtools/json-schema-ref-parser";

$RefParser.dereference("my-schema.yaml", {
  parse: {
    json: jsonParser,
    yaml: yamlParser
  },
  resolve: {
    file: fileResolver,
    http: httpResolver
  },
  continueOnError: true,
  ...
});

Also, ideally, the project would export separate functions for dereference(), parse(), etc., instead of bundling them all into one $RefParser object. This would allow for better tree shaking and therefore a smaller bundle size.

Putting these ideas all together, the final concept looks something like this:

import { jsonSchemaDereference, fileResolver, jsonParser} from "@apidevtools/json-schema-ref-parser";

jsonSchemaDereference("my-schema.yaml", {
  parse: {
    yaml: yamlParser
  },
  resolve: {
    file: fileResolver
  },
  continueOnError: true,
  ...
});

In the above example, only the contents of jsonSchemaDereference, fileResolver, and jsonParser would need to be included in the final bundle, which should significantly reduce its size.

For backwards compatibility, you could still provide a default export from your package that provided the old behavior, like so:

export default class RefParser {
  function deference(schema, options, callback) {
    const defaultOptions = {
      parse: {
        json: jsonParser,
        ...
      }
      resolve: {
        file: fileResolver,
        ...
      }
    };
    
    const optionsWithOldDefaults = deep_merge(options, defaultOptions);
    
    return jsonSchemaDereference(schema, optionsWithOldDefaults, callback);
  }
  
   // Similarly for parse(), etc.
}

[JamesMessinger]

For this and many other reasons, I'm currently in the process of splitting-up json-schema-ref-parser into a few smaller libraries that each do just one thing. It's basically the same as your proposal of separating the functions, but it'll go one step further and actually move each function to a separate library, so you don't even need to install the code and dependencies for the part you don't need.

[Eli-Black-Work]

Hi @JamesMessinger,

Are you still planning to work on this? Just checking... I know this is probably a personal project, so no pressure 🙂

[philsturgeon]

The new libraries are something I’m taking a look at so we can figure out the next moves. They’re already pretty tasty from what I can tell but there’s been a lot of work required to get through issues and bugs. I’ve trimmed down the issue tracker and will keep doing that so we can make sure this one is doing alright, and make sure we’re not repeating any mistakes, and make the right choices for the new library.

That said, meaningful refractors won’t be happening in here, so we can close this down and you’ll be aware of the replacements when they come through notices in NPM if nothing else.

[Eli-Black-Work]

Okay, thanks 🙂