JSONPath-Plus
diff --git a/‎CHANGES.md
Lines changed: 4 additions & 0 deletions b/‎CHANGES.md
Lines changed: 4 additions & 0 deletions
diff --git a/‎dist/index-browser-esm.js
Lines changed: 3 additions & 0 deletions b/‎dist/index-browser-esm.js
Lines changed: 3 additions & 0 deletions
diff --git a/‎dist/index-browser-esm.min.js
Lines changed: 1 addition & 1 deletion b/‎dist/index-browser-esm.min.js
Lines changed: 1 addition & 1 deletion
diff --git a/‎dist/index-browser-esm.min.js.map
Lines changed: 1 addition & 1 deletion b/‎dist/index-browser-esm.min.js.map
Lines changed: 1 addition & 1 deletion
diff --git a/‎dist/index-browser-umd.cjs
Lines changed: 3 additions & 0 deletions b/‎dist/index-browser-umd.cjs
Lines changed: 3 additions & 0 deletions
diff --git a/‎dist/index-browser-umd.min.cjs
Lines changed: 1 addition & 1 deletion b/‎dist/index-browser-umd.min.cjs
Lines changed: 1 addition & 1 deletion
diff --git a/‎dist/index-browser-umd.min.cjs.map
Lines changed: 1 addition & 1 deletion b/‎dist/index-browser-umd.min.cjs.map
Lines changed: 1 addition & 1 deletion
diff --git a/‎dist/index-node-cjs.cjs
Lines changed: 3 additions & 0 deletions b/‎dist/index-node-cjs.cjs
Lines changed: 3 additions & 0 deletions
diff --git a/‎dist/index-node-esm.js
Lines changed: 3 additions & 0 deletions b/‎dist/index-node-esm.js
Lines changed: 3 additions & 0 deletions
diff --git a/‎package.json
Lines changed: 1 addition & 1 deletion b/‎package.json
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Safe-Script.js
Lines changed: 3 additions & 0 deletions b/‎src/Safe-Script.js
Lines changed: 3 additions & 0 deletions
@@ -1,5 +1,9 @@
 # CHANGES for jsonpath-plus
 
+## 10.0.1
+
+- fix(security): prohibit `Function` in "safe" vm
+
 ## 10.0.0
 
 BREAKING CHANGES:
 
@@ -1296,6 +1296,9 @@ const SafeEval = {
     const obj = SafeEval.evalAst(ast.object, subs);
     const result = obj[prop];
     if (typeof result === 'function') {
+      if (result === Function) {
+        throw new Error('Function constructor is disabled');
+      }
       return result.bind(obj); // arrow functions aren't affected by bind.
     }
     return result;
 
@@ -1302,6 +1302,9 @@
 	    const obj = SafeEval.evalAst(ast.object, subs);
 	    const result = obj[prop];
 	    if (typeof result === 'function') {
+	      if (result === Function) {
+	        throw new Error('Function constructor is disabled');
+	      }
 	      return result.bind(obj); // arrow functions aren't affected by bind.
 	    }
 	    return result;
 
@@ -1297,6 +1297,9 @@ const SafeEval = {
     const obj = SafeEval.evalAst(ast.object, subs);
     const result = obj[prop];
     if (typeof result === 'function') {
+      if (result === Function) {
+        throw new Error('Function constructor is disabled');
+      }
       return result.bind(obj); // arrow functions aren't affected by bind.
     }
     return result;
 
@@ -1295,6 +1295,9 @@ const SafeEval = {
     const obj = SafeEval.evalAst(ast.object, subs);
     const result = obj[prop];
     if (typeof result === 'function') {
+      if (result === Function) {
+        throw new Error('Function constructor is disabled');
+      }
       return result.bind(obj); // arrow functions aren't affected by bind.
     }
     return result;
 
@@ -1,7 +1,7 @@
 {
   "author": "Stefan Goessner",
   "name": "jsonpath-plus",
-  "version": "10.0.0",
+  "version": "10.0.1",
   "type": "module",
   "bin": {
     "jsonpath": "./bin/jsonpath-cli.js",
 
@@ -111,6 +111,9 @@ const SafeEval = {
         const obj = SafeEval.evalAst(ast.object, subs);
         const result = obj[prop];
         if (typeof result === 'function') {
+            if (result === Function) {
+                throw new Error('Function constructor is disabled');
+            }
             return result.bind(obj); // arrow functions aren't affected by bind.
         }
         return result;
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"author": "Stefan Goessner",`
`3`	`3`	`"name": "jsonpath-plus",`
`4`		`- "version": "10.0.0",`
	`4`	`+ "version": "10.0.1",`
`5`	`5`	`"type": "module",`
`6`	`6`	`"bin": {`
`7`	`7`	`"jsonpath": "./bin/jsonpath-cli.js",`