Skip to content

PEP 819: Disambiguate JSON parsing and make new files required #4773

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
emmatyping wants to merge 3 commits into
base: main
Choose a base branch
from
+39 −21
Open

PEP 819: Disambiguate JSON parsing and make new files required #4773

Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
9de2962
PEP 819: Add information about duplicate keys and integer parsing
emmatyping Jan 7, 2026
f0f830b
Also make the JSON files required
emmatyping Jan 7, 2026
07fa915
Discuss int values in security section
emmatyping Jan 7, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Discuss int values in security section
  • Loading branch information
@emmatyping @emmatyping-nv
emmatyping authored and emmatyping-nv committed Jan 7, 2026
commit 07fa915af32a24db48ca60b2e560feb29c1bfb23
41 changes: 14 additions & 27 deletions peps/pep-0819.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -235,26 +235,6 @@ JSON schema for wheel metadata has been produced.
This schema will be updated with each revision to the wheel metadata
specification. The schema is available in :ref:`0819-wheel-json-schema`.

Handling of Integer and Float Values in JSON Package Metadata
-------------------------------------------------------------

While no core metadata or wheel metadata values are currently encoded as
integers or floats, when decoding a JSON file, integer and float values should
be decoded as strings for both core metadata and wheel metadata. This is to
avoid compatibility issues due to differences in precision and representation
of integers and floats between languages and parsers. This also mitigates a
security risk with integer parsing denial of service attacks based on
`CVE-2020-10735 <https://github.com/advisories/GHSA-6jr7-xr67-mgxw>`__.

If a future field of core metadata or wheel metadata needs to be encoded as an
integer or float, the field MUST be decoded lazily after loading the JSON
document. This minimizes the risks of denial of service attacks by minimizing
the integer parsing allowed during the deserialization process.

If using the Python :mod:`!json` module, parsing integers and floats as strings
can be accomplished by setting the ``parse_int`` and ``parse_float``
keyword arguments to :func:`json.load` or :func:`json.loads` to :class:`str`.

Handling of Duplicate Keys in JSON Package Metadata
---------------------------------------------------

Expand Down Expand Up @@ -306,13 +286,20 @@ or ``WHEEL`` files.
Security Implications
=====================

JSON encoded core metadata and wheel metadata have the potential for a denial
of service attack due to the quadratic parsing time complexity of parsing of
integers. This PEP mitigates this risk by requiring that integers and floats be
parsed as strings, and only lazily parsed into integers or floats after the
initial deserialization of the JSON document. With these mitigations in place,
concerns about denial of service attacks with JSON encoded package metadata are
considered minimal.
Maliciously crafted JSON encoded metadata files have the potential to cause a
denial of service attack due to the quadratic parsing time complexity of
reading integer strings as reported in
`CVE-2020-10735 <https://github.com/advisories/GHSA-6jr7-xr67-mgxw>`__. No
package metadata fields are currently encoded as integers, so this risk can be
mitigated by decoding integer values as strings when parsing JSON package
metadata.

If using the Python :mod:`!json` module, parsing integers as strings
can be accomplished by setting the ``parse_int`` keyword argument to
:func:`json.load` or :func:`json.loads` to :class:`str`.

With this mitigation in place, concerns about denial of service attacks with
JSON encoded package metadata are considered minimal.


Reference Implementation
Expand Down
Loading