The original json-schema package:
- 28.9 million weekly downloads on npm
- Minimal upstream maintenance: releases are rare, and 0.4.0 (2021) is the most recent
- Critical prototype pollution vulnerability (CVE-2021-3918, CVSS 9.8) in every version before 0.4.0
- The upstream fix landed in 0.4.0, but a lockfile or a transitive dependency that still resolves json-schema to an older version keeps shipping the vulnerable code
If `npm ls json-schema` shows any version below 0.4.0 in your dependency tree, your production apps are pulling vulnerable code right now.
@brickhouse-tech/json-schema-lts is a drop-in replacement with the critical security fix published and ready to deploy.
✅ CVE-2021-3918 patched
✅ API-compatible — zero code changes required
✅ Battle-tested — same codebase, just with the fix shipped
✅ LTS maintenance — security patches published promptly
```sh
npm uninstall json-schema
npm install @brickhouse-tech/json-schema-lts
```
That's it. No API differences, just a secure package. Code that already does `require('json-schema')` keeps working without changes if you install the package under that name as an npm alias instead of under the scoped name; otherwise update the import path.
Vulnerability:
json-schema's validate() walks the schema's `properties` and, when the instance being validated lacks a property, writes that property's schema `default` into the instance. Before 0.4.0 nothing stopped a schema key from being named `__proto__` or `constructor`, so a schema containing such a key could steer that write onto `Object.prototype` and pollute every object in the process. Note that the attacker has to control or influence the schema (for example, a schema assembled from request data or loaded from an untrusted source); control over the instance alone is not enough. Once the prototype is polluted, the impact depends on what the rest of the application reads from inherited properties:
- Arbitrary property injection into all objects
- Authentication or authorization bypasses (for example, a check that reads `user.isAdmin` and finds the polluted value)
- Remote code execution in some contexts, via gadgets elsewhere in the application
- Denial of service
Example Attack:
Passing a schema like the following to validate() together with any plain object makes the validator write `true` into `Object.prototype.isAdmin` (the `__proto__` key resolves to the instance's prototype, and the nested `default` is written there):
```json
{
  "type": "object",
  "properties": {
    "__proto__": {
      "properties": {
        "isAdmin": { "default": true }
      }
    }
  }
}
```
After validation, `({}).isAdmin === true` for every object in the process.
The Fix:
Our fork includes the upstream patch that refuses to process dangerous property names during schema processing. The fix:
- Skips `__proto__`, `constructor`, and `prototype` when they appear as schema keys
- Prevents prototype chain pollution during validation
- Maintains full backward compatibility for legitimate schemas
Impact:
This is rated Critical (9.8) because prototype pollution can lead to complete application compromise in many JavaScript environments.
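To make the mechanism concrete, here is an added example (not code from json-schema or from this fork): a minimal model of the `default`-assignment loop in json-schema's `validate()`, once with no check on the property name (pre-0.4.0 behaviour) and once skipping the dangerous keys, driven by two constructed attacker-controlled schemas. The `probeValidator` function accepts any `validate(instance, schema)` function, so after migrating you can hand it `require('json-schema').validate` and confirm that whatever your code actually resolves does not pollute `Object.prototype`. The function names, the `DANGEROUS_KEYS` set and the payload strings are this example's own, and the model reproduces only the default-writing path, not the full validator.

```javascript
// Added example, not the library's code: a model of the default-assignment
// loop in json-schema's validate(), vulnerable vs. hardened, plus a probe.

// Keys the hardened loop refuses to treat as schema property names
// (assumed set; the README says the fork blocks these three).
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Shared walker. `guard(key)` decides whether a schema key is processed.
function applyDefaults(instance, schema, guard) {
  if (!schema || typeof schema !== 'object' || !schema.properties) return instance;
  const props = schema.properties;
  for (const key of Object.keys(props)) {
    if (!guard(key)) continue;
    const propDef = props[key];
    let value = instance[key];
    // The write that pollutes: a missing property receives the schema default.
    // Reading instance['__proto__'] yields Object.prototype, and
    // instance['constructor'] yields Object, whose 'prototype' is again
    // Object.prototype, so the recursion below ends up writing there.
    if (value === undefined && propDef && propDef.default !== undefined) {
      value = instance[key] = propDef.default;
    }
    if (value !== null && (typeof value === 'object' || typeof value === 'function')) {
      applyDefaults(value, propDef, guard);
    }
  }
  return instance;
}

// Pre-0.4.0 behaviour: every schema key is processed.
function validateVulnerable(instance, schema) {
  return applyDefaults(instance, schema, () => true);
}

// Patched behaviour: dangerous keys are skipped entirely.
function validateHardened(instance, schema) {
  return applyDefaults(instance, schema, (key) => !DANGEROUS_KEYS.has(key));
}

// Constructed attacker-controlled schemas, kept as JSON text: JSON.parse
// creates a real own property named "__proto__", whereas an object literal
// with that key would only set the literal's prototype and never hit the loop.
const PAYLOADS = {
  viaProto:
    '{"properties":{"__proto__":{"properties":{"isAdmin":{"default":true}}}}}',
  viaConstructor:
    '{"properties":{"constructor":{"properties":{"prototype":{"properties":{"isAdmin":{"default":true}}}}}}}',
};

// Runs one payload through `validate` and reports whether an unrelated object
// now inherits isAdmin. Always removes the polluted property afterwards.
function probeValidator(validate, payloadJson) {
  const schema = JSON.parse(payloadJson);
  const unrelated = {};
  try {
    validate({}, schema);
    return unrelated.isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}

// True when the validator survives every payload without polluting.
function isSafe(validate) {
  return Object.values(PAYLOADS).every((p) => !probeValidator(validate, p));
}

console.log('vulnerable model polluted Object.prototype:', !isSafe(validateVulnerable)); // true
console.log('hardened model polluted Object.prototype:', !isSafe(validateHardened));     // false
```

Two things the model makes visible. First, the schema has to arrive as parsed JSON, which is exactly the attacker-controlled case; a `"__proto__"` key typed into an object literal in source sets that literal's prototype instead of creating an own property and never reaches the loop. Second, the guard works by skipping the key outright, so in this model a legitimate schema property named `constructor` or `prototype` gets neither its default nor any validation; audit your schemas for such property names before relying on that behaviour.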
Need SLA guarantees, priority patches, or dedicated security support?
| Tier | Response Time | Support Channels | Custom Patches |
|---|---|---|---|
| Community | Best-effort | GitHub Issues | ❌ |
| Professional | 48 hours | Email + Slack | ✅ |
| Enterprise | 4 hours | Dedicated channel | ✅ Priority |
👉 View pricing and sign up
(Coming soon — contact for early access)
For compliance officers: we provide CVE notifications, SBOM exports, and security attestation on request.
Keeping critical infrastructure secure is a public good. If this package protects your stack, consider supporting continued LTS maintenance:
Your sponsorship funds:
- Security monitoring and rapid CVE response
- Automated testing and release pipelines
- Dependency updates and compatibility fixes
- Public incident response and disclosure
This is a community-maintained LTS fork of the original json-schema package by Kris Zyp.
The upstream package represents an early, efficient implementation of JSON Schema draft specifications. While the spec has evolved (see json-schema.org), this package remains a foundational dependency for millions of projects.
Our mission: publish critical security fixes promptly, including when upstream is slow or unable to ship them.
✅ Backport and publish security patches
✅ Keep CI and tooling current
✅ Respond to new CVEs within 72 hours
✅ Maintain API stability
❌ Add new features
❌ Implement new JSON Schema drafts
❌ Break backward compatibility
This is an LTS (Long-Term Support) fork, not a feature fork. If you need bleeding-edge JSON Schema features, see the official implementations.
```sh
npm install @brickhouse-tech/json-schema-lts
```
Then update your imports (if not using json-schema as an alias):
```js
// Before:
const validator = require('json-schema');
// After:
const validator = require('@brickhouse-tech/json-schema-lts');
```
Or create an npm alias for zero code changes:
```sh
npm install json-schema@npm:@brickhouse-tech/json-schema-lts
```
The alias only rewrites your own direct dependency; copies of json-schema pulled in transitively by other packages still resolve to upstream, so run `npm ls json-schema` afterwards and confirm that no pre-0.4.0 version remains in the tree.
Found a vulnerability? Please report it responsibly:
📧 Email: zbricktarz@gmail.com
🔒 PGP: Available on request
⏱️ Response SLA: 72 hours for critical issues
We follow coordinated disclosure practices and will credit researchers in security advisories.
Licensed under AFL-2.1 OR BSD-3-Clause (same as upstream).
Original code by Kris Zyp. Security maintenance by Brickhouse Tech.
- Issues & Bug Reports: GitHub Issues
- Security Concerns: zbricktarz@gmail.com
- Enterprise Support: Lemon Squeezy (coming soon)
- Sponsorship: GitHub Sponsors
Don't wait for a breach. Upgrade today.