yurkovoznyak opened a new issue, #13593:
URL: https://github.com/apache/apisix/issues/13593

   ### Current Behavior
   
   In the official `apache/apisix:3.17.0-ubuntu` image, `cjson.empty_array` no 
longer serializes to `[]`. It serializes to nothing, producing malformed JSON.
   
   ```lua
   require("cjson").encode({ x = require("cjson").empty_array })
   -- 3.17.0: {"x":}     <-- malformed, value missing
   -- expected: {"x":[]}
   ```
   
   Root cause: 3.17.0 adds the `oas-validator` plugin, whose rockspec 
dependency `lua-resty-openapi-validator = 1.0.5-1` declares an unpinned 
`lua-cjson` dependency. `make deps` (luarocks) therefore installs **lua-cjson 
2.1.0.10** into `/usr/local/apisix/deps/lib/lua/5.1/cjson.so`.
   
   Any plugin (built-in or custom) that relies on the `cjson.empty_array` 
sentinel to emit an empty JSON array is silently affected; the emitted body is 
invalid JSON.
   
   ### Expected Behavior
   
   `cjson.empty_array` encodes to `[]`, as it does with the OpenResty-bundled 
lua-cjson 2.1.0.11. The image should not ship a transitive lua-cjson in `deps/` 
that shadows (and regresses) the bundled one.
   
   ### Error Logs
   
   No error is raised — this is the dangerous part. The encoder silently drops 
the sentinel value, yielding malformed JSON
   
   ### Steps to Reproduce
   
   1. Pull the official image: `docker pull apache/apisix:3.17.0-ubuntu`
   2. Run the bundled OpenResty against the `deps/` cjson (what a worker loads):
   
      ```sh
      docker run --rm --entrypoint /usr/local/openresty/bin/resty \
        apache/apisix:3.17.0-ubuntu -e \
        'package.cpath="/usr/local/apisix/deps/lib/lua/5.1/?.so;"..package.cpath
         local c=require"cjson"
         print(c._VERSION, c.encode({x=c.empty_array}))'
      # => 2.1.0.10   {"x":}        (expected: {"x":[]})
      ```
   
   3. For contrast, force the bundled cjson:
   
      ```sh
      docker run --rm --entrypoint /usr/local/openresty/bin/resty \
        apache/apisix:3.17.0-ubuntu -e \
        'package.cpath="/usr/local/openresty/lualib/?.so;"..package.cpath
         local c=require"cjson"
         print(c._VERSION, c.encode({x=c.empty_array}))'
      # => 2.1.0.11   {"x":[]}
      ```
   
   4. Confirm where it came from:
   
      ```sh
      docker run --rm --entrypoint sh apache/apisix:3.17.0-ubuntu -c \
        'find / -name "cjson*.so" 2>/dev/null'
      # /usr/local/apisix/deps/lib/lua/5.1/cjson.so   (2.1.0.10, luarocks)
      # /usr/local/openresty/lualib/cjson.so          (2.1.0.11, bundled)
      ```
   
      `lua-resty-openapi-validator` is the rock that pulls lua-cjson into 
`deps/`
      (new in 3.17.0; absent in 3.16.0).
   
   Note: `setmetatable({}, cjson.array_mt)` encodes to `[]` correctly in both 
versions and is a viable workaround for plugin authors.
   
   ### Environment
   
   - APISIX version: 3.17.0 (official `apache/apisix:3.17.0-ubuntu`, digest 
`sha256:d7c01c5fc829e2f7375f8f7f2b02d29bb3d85f5069c327e61734c5bb8132a823`)
   - Operating system: image is Ubuntu; reproduced on arm64 (cause is 
arch-independent — the lua-cjson 2.1.0.10 rock is installed by luarocks 
regardless of architecture)
   - OpenResty / Nginx version: openresty/1.29.2.4
   - etcd version: n/a
   - LuaRocks: lua-cjson **2.1.0.10** installed in `deps/`, shadowing bundled 
**2.1.0.11**; pulled in transitively by `lua-resty-openapi-validator = 1.0.5-1`


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to