
Because that would require consumers to have a JavaScript interpreter to use it.





Because that would require consumers to have an interpreter for the most widely deployed language, ever, and by far.

FTFY


Security nightmare; sometimes you don't want consumers to execute code arbitrarily.

This is what makes Tcl great as a data interchange format. It comes with a safe mode for untrusted code and you can further restrict it to have no control flow commands to be non-Turing.

Not true. Google, Meta, ... do it at a massive scale, no issues.

It's not really hard to protect yourself against that.

Any (competent) security guy can give you like 4 ways to implement it properly.


I am a (hopefully competent) security guy, please don't run arbitrary code if you can help it. Especially for something as trivial as JSON patching.

Do you mean the ads they serve that contain malware?

Ok hear me out, what if my API accepts WASM fragments that I run against my database but in a sandbox!

Nah, in that case Python would be a better option as it's already installed everywhere.

That is so derangedly untrue.

Starlark is a nice embeddable scripting language, though. Java, Go, and Rust implementations: https://github.com/bazelbuild/starlark/blob/master/users.md#...

But what's your point? Would you truly want consumers of JSON Patch data to embed a JS interpreter?

My point is that the JS interpreter is likely already there.

Only if you think of JSON in the context of a browser. JSON is used as a serialized representation of objects in embedded systems, config files, etc., where a JS interpreter is unnecessary, absent or unwanted (size, security, platform preferences, ...).


