JSON, YAML & Base64 Standards
Official specifications, RFCs, security research, and ecosystem milestones — everything that shaped how JSON works today.
Tree-sitter's JSON Grammar: How Editors Read JSON Differently from JSON.parse
The grammar that powers JSON syntax highlighting in Neovim, Helix, Emacs, and GitHub's blob viewer accepts a slightly broader set than JSON.parse — useful context for 'why does my IDE think this file is fine when my code crashes on it?'
yaml Parser Stack-Overflow Advisory Shows Depth-Limit Risk
GitHub and NVD track CVE-2026-33532 in the npm package yaml, where deeply nested YAML collections can exhaust the Node.js call stack during composition before the parser returns a normal YAML error.
Fedify JSON-LD Signature Bypass Shows Canonicalization Risk
GitHub and Fedify disclosed CVE-2026-42462, where JSON-LD documents could be reshaped with @graph, @reverse, or @included while preserving a Linked Data Signature and changing how signed activities were interpreted.
jq NUL-byte CVE Shows JSON Validation Bypass Risk
GitHub and NVD track CVE-2026-33948 in jq, where embedded NUL bytes can make the CLI validate only a benign prefix while downstream systems may still handle the original payload.
jq Path-Depth CVE Shows Runtime Risks in JSON Pipelines
GitHub and NVD track CVE-2026-33947 in jq, where path operations can bypass parser depth limits and crash a trusted jq process that handles attacker-controlled JSON.
Online JSON Formatter Leak Shows Why Local-First Tools Matter
watchTowr Labs found saved submissions from popular online formatter sites exposing credentials, private keys, API tokens, PII, and internal configuration, underscoring why pasted developer payloads should be processed locally in the browser.
JSON Import Attributes Give Browser Tools a Native Module Path
Modern browsers now support JSON module imports with `with { type: "json" }`, giving local-first developer tools a standards-aligned way to load JSON fixtures while enforcing strict MIME type checks.
IETF JSON Schema Draft Moves Toward Proposed Standard Status
The IETF JSONSCHEMA working group now has an active JSON Schema Internet-Draft targeting Proposed Standard status, giving validator and API tooling authors a formal standards-track document to watch.
RFC 9535 Standardizes JSONPath Queries for JSON Values
The IETF published RFC 9535 on the Standards Track, giving JSONPath query expressions a common syntax for selecting and extracting values from JSON payloads.
JSON.parseImmutable Reaches Stage 2 for Immutable JSON Values
TC39 published a March 2026 Stage 2 draft for JSON.parseImmutable, proposing a direct way to parse JSON into Records and Tuples instead of converting nested objects and arrays after JSON.parse().
Uint8Array Base64 APIs Give Browser Tools a Native Byte Path
TC39 finished the Uint8Array Base64 and hex proposal, while MDN marks the Base64 methods as Baseline 2025, giving browser-based tools a native way to encode and decode bytes without atob/btoa string workarounds.
JSON.parse Source Access and JSON.rawJSON Reach the Modern Web
The newer JSON APIs behind `context.source` and `JSON.rawJSON()` are now documented as broadly available on current browsers, giving browser-based tools a standards-based path for safer lossless parsing and serialization workflows.
JSON Schema Releases Draft 2024
The JSON Schema working group published a new draft addressing ambiguities in the $ref and $defs keywords, improving interoperability across validators.
YAML Specification Moves to GitHub for Community Maintenance
The YAML language specification repository became publicly active on GitHub, enabling community issue tracking and errata submissions for YAML 1.2.2.
JSON Canonical Form (JCS) Implementation Survey
RFC 8785 (JSON Canonicalization Scheme), published in 2020, saw growing adoption in digital signature systems, with implementations across 15+ languages published to registries.
JSON Interoperability Vulnerabilities — Bishop Fox Research
Researchers at Bishop Fox documented how inconsistencies between JSON parser implementations can be exploited to bypass security controls in systems that parse the same payload with multiple parsers.
IETF JSON Bis Working Group Chartered
The IETF formally chartered the JSONBIS working group to address known gaps in RFC 8259, including number precision and duplicate key behaviour, aiming to produce an updated JSON specification.
JSON Schema Joins OpenJS Foundation
The JSON Schema project announced it would move under the OpenJS Foundation umbrella, providing governance, infrastructure, and sustainability for the specification and its ecosystem.
YAML 1.2.2 Published
The YAML specification team published revision 1.2.2, incorporating years of accumulated errata and clarifications to the 2009 YAML 1.2 document without changing the core language.
JSON Schema 2020-12 Released
The JSON Schema draft 2020-12 introduced a restructured vocabulary system separating applicators, validators, and annotations into distinct vocabularies, along with the new $dynamicRef keyword.
RFC 8785: JSON Canonicalization Scheme (JCS)
The IETF published RFC 8785 defining a deterministic serialisation for JSON. JCS sorts object keys lexicographically and normalises number formatting, enabling consistent cryptographic hashes and digital signatures.
JSON Schema Draft 2019-09
The JSON Schema 2019-09 draft overhauled the keyword model with a formal vocabulary system, and added the unevaluatedProperties and unevaluatedItems keywords for precise additional-property control.
RFC 8259 — Current JSON Standard Published
The IETF published RFC 8259, the current authoritative JSON specification, explicitly requiring UTF-8 encoding for JSON exchanged outside closed systems and obsoleting RFC 7159.
ECMA-404 Second Edition Published
Ecma International published the second edition of ECMA-404, synchronised with RFC 8259 to eliminate wording divergence between the two authoritative JSON specifications.
"Parsing JSON is a Minefield 💣" — Nicolas Seriot
Security researcher Nicolas Seriot published a comprehensive study testing 30+ JSON parsers against edge-case inputs, revealing widespread disagreement with real security implications.
RFC 7519 — JSON Web Token (JWT) Published
The IETF published RFC 7519 standardising JSON Web Tokens, which use Base64url encoding for the header and payload and HMAC-SHA256 or RSA signatures for integrity.
RFC 7515 & 7516 — JSON Web Signature and Encryption
Published alongside JWT, RFC 7515 (JWS) and RFC 7516 (JWE) standardised the use of Base64url for encoding JSON-based security tokens and introduced compact serialisation for encrypted payloads.
RFC 7396 — JSON Merge Patch
The IETF published RFC 7396, defining JSON Merge Patch as a simpler alternative to JSON Patch (RFC 6902) by overlaying a partial object on the target document.
RFC 7159 — Updated JSON Specification
RFC 7159 updated the JSON standard, obsoleting RFC 4627. It relaxed the top-level value restriction so arrays and primitives became valid top-level JSON, not just objects.
ECMA-404 First Edition — JSON as Ecma Standard
Ecma International published ECMA-404, giving JSON formal recognition as an international standard. The document defines JSON's grammar precisely and deliberately avoids prescribing semantics.
RFC 6901 & 6902 — JSON Pointer and JSON Patch
The IETF published RFC 6901 (JSON Pointer) defining a path syntax for referencing values inside a JSON document, and RFC 6902 (JSON Patch) defining an operation-based format for document changes.
YAML 1.2 Released — Full JSON Compatibility
YAML 1.2 was published, making YAML a strict superset of JSON for the first time by adopting JSON's scalar types directly, so every valid JSON document is now valid YAML.
RFC 4648 — The Base64 Standard
The IETF published RFC 4648, consolidating earlier Base64 specifications into a single authoritative document defining standard Base64, Base64url, Base32, and Base16.
RFC 4627 — First Official JSON RFC
Douglas Crockford submitted RFC 4627, the first IETF document formally specifying JSON. It defined the application/json media type and the basic grammar, with a restriction on top-level values later lifted.