Patch release of elm/json 1.1.4

novid · September 19, 2025, 8:17pm

A new Patch release of elm/json package is available with updated kernel code for stricter validation. This release has no API changes and you can safely update your projects and libraries.

rupert · September 20, 2025, 7:46am

I read the code delta but I didn’t really understand it. What effect does this change have?

lydell · September 20, 2025, 9:13am

It makes you immune to Elm packages that try to run arbitrary JavaScript code using elm/json. (No such packages are known to exist.)

gist.github.com

https://gist.github.com/lydell/e1e6c9a7cb88590d48cc4826725dd584

JsonEvalDemoMinimal.elm

module JsonEvalDemoMinimal exposing (main)

import Browser
import Html exposing (Html)
import Html.Attributes
import Html.Events
import Json.Decode
import Json.Encode

This file has been truncated. show original

Kudos to @miniBill for finding these vulnerabilities. I just helped making that summary gist.

rupert · September 20, 2025, 10:57am

Hackers are devious but Elmers more so… great find @minibill.

system · September 30, 2025, 10:58am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
JSON Decode package for decoding objects Show and Tell	7	1127	November 20, 2018
A configurable JSON parser in Elm Show and Tell	1	828	December 16, 2018
Invalid elm.json when installing ktonon/elm-test-extra Learn	4	871	June 21, 2019
Alternative npm package for elm-json without vulnerabilities Show and Tell	1	763	August 5, 2023
Elm-json: A tool for managing elm.json files Show and Tell	8	3577	May 15, 2019

Patch release of elm/json 1.1.4

Related topics