Bourne. JSON Bourne.

JSON.parse() drop-in replacement with prototype poisoning protection


Introduction

Consider this:

```
> const a = '{"__proto__":{ "b":5}}';
'{"__proto__":{ "b":5}}'

> const b = JSON.parse(a);
{ __proto__: { b: 5 } }

> b.b;
undefined

> const c = Object.assign({}, b);
{}

> c.b
5
```

The problem is that JSON.parse() retains `__proto__` as an own, plain object key rather than treating it as the prototype. By itself, this is not a security issue: `b.b` is still `undefined`. However, as soon as that object is assigned to another (for example via Object.assign()) or iterated on and its values copied, the `__proto__` key is written through the `__proto__` setter and becomes the target object's prototype, which is why `c.b` resolves to `5` even though `c` has no own property `b`.

API

Bourne.parse(text, [reviver], [options])

Parses a given JSON-formatted text into an object where:

- `text` - the JSON text string.
- `reviver` - the JSON.parse() optional reviver argument.
- `options` - optional configuration object where:
  - `protoAction` - optional string with one of:
    - `'error'` - throw a SyntaxError when a `__proto__` key is found. This is the default value.
    - `'remove'` - deletes any `__proto__` keys from the result object.
    - `'ignore'` - skips all validation (same as calling JSON.parse() directly).

Bourne.scan(obj, [options])

Scans a given object for prototype properties where:

- `obj` - the object being scanned.
- `options` - optional configuration object where:
  - `protoAction` - optional string with one of:
    - `'error'` - throw a SyntaxError when a `__proto__` key is found. This is the default value.
    - `'remove'` - deletes any `__proto__` keys from the input `obj`.
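The following is an added example, not Bourne's own source: it reproduces the leak from the Introduction as a function and implements a minimal `scan`/`safeParse` pair that follows the `protoAction` semantics described above (`'error'`, `'remove'`, `'ignore'`). The function names and the sample inputs are constructed for this illustration; the second sample writes the key with `\u005f` escapes to show why the check must run on the parsed object rather than on the raw text.

```javascript
// Constructed sample inputs (not from the original page).
const POISONED = '{"__proto__":{"b":5}}';
// Same key spelled with JSON unicode escapes; JSON.parse decodes it to "__proto__".
const ESCAPED = '{"a":[{"\\u005f\\u005fproto\\u005f\\u005f":{"b":5}}]}';

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Reproduces the Introduction: JSON.parse keeps "__proto__" as an own key,
// Object.assign then writes it through the setter and it becomes c's prototype.
function demonstrateLeak() {
  const b = JSON.parse(POISONED);
  const c = Object.assign({}, b);
  return {
    bHasOwnProto: hasOwn(b, '__proto__'), // true: plain key, not the prototype
    bDotB: b.b,                           // undefined: nothing leaked yet
    cDotB: c.b,                           // 5: inherited through the poisoned prototype
    cHasOwnB: hasOwn(c, 'b'),             // false: b is not an own property of c
  };
}

// Breadth-first walk over the parsed value. An own "__proto__" key is either
// rejected ('error') or deleted ('remove'); 'ignore' returns the value untouched.
function scan(obj, protoAction = 'error') {
  if (protoAction === 'ignore') return obj;
  const queue = [obj];
  while (queue.length) {
    const node = queue.shift();
    if (node === null || typeof node !== 'object') continue;
    if (hasOwn(node, '__proto__')) {
      if (protoAction === 'error') {
        throw new SyntaxError('Object contains forbidden prototype property');
      }
      delete node.__proto__; // removes the own key; the real prototype is unaffected
    }
    for (const key of Object.keys(node)) queue.push(node[key]);
  }
  return obj;
}

// JSON.parse drop-in: parse first, then validate the resulting object graph.
function safeParse(text, reviver, options = {}) {
  return scan(JSON.parse(text, reviver), options.protoAction);
}
```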