Flagsmith
diff --git a/‎CHANGELOG.md‎
Lines changed: 26 additions & 30 deletions b/‎CHANGELOG.md‎
Lines changed: 26 additions & 30 deletions
diff --git a/‎flagsmith-engine/segments/evaluators.ts‎
Lines changed: 16 additions & 5 deletions b/‎flagsmith-engine/segments/evaluators.ts‎
Lines changed: 16 additions & 5 deletions
@@ -1,80 +1,76 @@
 # Changelog
 
-## [7.0.3](https://github.com/Flagsmith/flagsmith-nodejs-client/compare/v7.0.2...v7.0.3) (2026-01-21)
+## [Unreleased]
+
+### Security
 
+-   replace jsonpath with jsonpath-plus to remediate eval()-based code injection vulnerability
+
+## [7.0.3](https://github.com/Flagsmith/flagsmith-nodejs-client/compare/v7.0.2...v7.0.3) (2026-01-21)
 
 ### Dependency Updates
 
-* bump glob and npm ([#233](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/233)) ([17802df](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/17802dfafc10874a17dbb3804c0a4e91722864d8))
-* bump js-yaml from 4.1.0 to 4.1.1 ([#223](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/223)) ([7235792](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/7235792a10bb1a8ca3ffc1144697cd7654ec5c4e))
-* bump tar and npm ([#232](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/232)) ([bb34fb5](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/bb34fb5e53dff9003794df9d476674bf9fbb2e10))
+-   bump glob and npm ([#233](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/233)) ([17802df](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/17802dfafc10874a17dbb3804c0a4e91722864d8))
+-   bump js-yaml from 4.1.0 to 4.1.1 ([#223](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/223)) ([7235792](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/7235792a10bb1a8ca3ffc1144697cd7654ec5c4e))
+-   bump tar and npm ([#232](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/232)) ([bb34fb5](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/bb34fb5e53dff9003794df9d476674bf9fbb2e10))
 
 ## [7.0.2](https://github.com/Flagsmith/flagsmith-nodejs-client/compare/v7.0.1...v7.0.2) (2025-12-02)
 
-
 ### CI
 
-* use-nvmrc-for-version ([#236](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/236)) ([a56f073](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/a56f0736f6c31d3c273932ede8204710de7cf853))
+-   use-nvmrc-for-version ([#236](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/236)) ([a56f073](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/a56f0736f6c31d3c273932ede8204710de7cf853))
 
 ## [7.0.1](https://github.com/Flagsmith/flagsmith-nodejs-client/compare/v7.0.0...v7.0.1) (2025-12-02)
 
-
 ### CI
 
-* use-latest-npm ([#234](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/234)) ([6a741f3](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/6a741f3b12af3bea31150561dee1e6f7c7045e56))
+-   use-latest-npm ([#234](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/234)) ([6a741f3](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/6a741f3b12af3bea31150561dee1e6f7c7045e56))
 
 ## [7.0.0](https://github.com/Flagsmith/flagsmith-nodejs-client/compare/v6.2.0...v7.0.0) (2025-12-02)
 
-
 ### ⚠ BREAKING CHANGES
 
-* implement context values ([#203](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/203))
+-   implement context values ([#203](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/203))
 
 ### Features
 
-* implement context values ([#203](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/203)) ([41258f2](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/41258f2e24ef7e89207a0f10116ffbd1229c0a30))
-* removed-feature-key-and-segment-key-from-schema ([#210](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/210)) ([014f38b](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/014f38bf33af77fb706e4e130e8a571914632408))
-
+-   implement context values ([#203](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/203)) ([41258f2](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/41258f2e24ef7e89207a0f10116ffbd1229c0a30))
+-   removed-feature-key-and-segment-key-from-schema ([#210](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/210)) ([014f38b](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/014f38bf33af77fb706e4e130e8a571914632408))
 
 ### Bug Fixes
 
-* exclude-identities-when-traits-is-undefined ([#230](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/230)) ([f7488e1](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/f7488e17fe524111dd18c06a30be1c44ae15ec5d))
-* fix-mv-evaluation ([#222](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/222)) ([ae1fb7e](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/ae1fb7eb0551defd0823c94d37b860be7eb88a5d))
-* properly-map-environment-name ([#226](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/226)) ([3c1d200](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/3c1d200e656ec9926fdc6d4627bb259963d06a2e))
-* removed-dango-id-usage-in-mapper ([#229](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/229)) ([29c7613](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/29c761370a7e8d6d733a45293c60297843e7e1e7))
-* use-default-on-jsonpath-import ([#231](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/231)) ([7a8d949](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/7a8d9498fbc0297c881b3f32fc8d0d024fe8366f))
-
+-   exclude-identities-when-traits-is-undefined ([#230](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/230)) ([f7488e1](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/f7488e17fe524111dd18c06a30be1c44ae15ec5d))
+-   fix-mv-evaluation ([#222](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/222)) ([ae1fb7e](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/ae1fb7eb0551defd0823c94d37b860be7eb88a5d))
+-   properly-map-environment-name ([#226](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/226)) ([3c1d200](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/3c1d200e656ec9926fdc6d4627bb259963d06a2e))
+-   removed-dango-id-usage-in-mapper ([#229](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/229)) ([29c7613](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/29c761370a7e8d6d733a45293c60297843e7e1e7))
+-   use-default-on-jsonpath-import ([#231](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/231)) ([7a8d949](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/7a8d9498fbc0297c881b3f32fc8d0d024fe8366f))
 
 ### CI
 
-* use NPM trusted publishing ([#217](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/217)) ([7d01563](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/7d015635f4bc41246519799dddaea7ff8da2c50a))
+-   use NPM trusted publishing ([#217](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/217)) ([7d01563](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/7d015635f4bc41246519799dddaea7ff8da2c50a))
 
 ## [6.2.0](https://github.com/Flagsmith/flagsmith-nodejs-client/compare/v6.1.0...v6.2.0) (2025-11-04)
 
-
 ### Features
 
-* add user agent to requests ([#206](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/206)) ([ef2b97a](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/ef2b97a3022a5feeb96c3ccdb8009ae89b582d0b))
+-   add user agent to requests ([#206](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/206)) ([ef2b97a](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/ef2b97a3022a5feeb96c3ccdb8009ae89b582d0b))
 
 ### Bug Fixes
 
-* handle environment documentation pagination ([#205](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/205)) ([a83d3a5](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/a83d3a5789abbc47abc2a95d07a19756ab7befbb))
-
+-   handle environment documentation pagination ([#205](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/205)) ([a83d3a5](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/a83d3a5789abbc47abc2a95d07a19756ab7befbb))
 
 ### CI
 
-* add release please configuration ([#190](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/190)) ([946f911](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/946f911e3c9d7df21bd7e5c6df5f9f92927e5e59))
-
+-   add release please configuration ([#190](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/190)) ([946f911](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/946f911e3c9d7df21bd7e5c6df5f9f92927e5e59))
 
 ### Docs
 
-* removing hero image from SDK readme ([#194](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/194)) ([bc71d40](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/bc71d40bdfa319b5333c18f4f9eacbe90b6fad0d))
-
+-   removing hero image from SDK readme ([#194](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/194)) ([bc71d40](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/bc71d40bdfa319b5333c18f4f9eacbe90b6fad0d))
 
 ### Other
 
-* add root CODEOWNERS ([#200](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/200)) ([e81cc00](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/e81cc00f1de35e0884b2cfc70c6cf54a75a3426c))
-* versioned test data ([#197](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/197)) ([9fb5c12](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/9fb5c127a2b56503ba876da2466c24e5ceff1d3f))
+-   add root CODEOWNERS ([#200](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/200)) ([e81cc00](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/e81cc00f1de35e0884b2cfc70c6cf54a75a3426c))
+-   versioned test data ([#197](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/197)) ([9fb5c12](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/9fb5c127a2b56503ba876da2466c24e5ceff1d3f))
 
 <a id="v6.1.0"></a>
 
 
@@ -1,4 +1,4 @@
-import * as jsonpathModule from 'jsonpath';
+import { JSONPath } from 'jsonpath-plus';
 import {
     GenericEvaluationContext,
     InSegmentCondition,
@@ -10,9 +10,6 @@ import { getHashedPercentageForObjIds } from '../utils/hashing/index.js';
 import { SegmentConditionModel } from './models.js';
 import { IS_NOT_SET, IS_SET, PERCENTAGE_SPLIT } from './constants.js';
 
-// Handle ESM/CJS interop - jsonpath exports default in ESM
-const jsonpath = (jsonpathModule as any).default || jsonpathModule;
-
 /**
  * Returns all segments that the identity belongs to based on segment rules evaluation.
  *
@@ -140,8 +137,22 @@ function evaluateRuleConditions(ruleType: string, conditionResults: boolean[]):
     }
 }
 
+const TRAITS_DOT_PATTERN = /^\$\.identity\.traits\.([^.]+)$/;
+const TRAITS_BRACKET_PATTERN = /^\$\.identity\.traits\['(.+)'\]$/;
+
+function extractTraitNameFromPath(property: string): string | undefined {
+    return TRAITS_DOT_PATTERN.exec(property)?.[1] ?? TRAITS_BRACKET_PATTERN.exec(property)?.[1];
+}
+
 function getTraitValue(property: string, context?: GenericEvaluationContext): any {
     if (property.startsWith('$.')) {
+        // Look up $.identity.traits.X and $.identity.traits['X'] paths directly
+        // to avoid jsonpath-plus mis-parsing special characters (e.g. $, [, ]) in
+        // trait names that appear inside bracket-notation strings.
+        const traitName = extractTraitNameFromPath(property);
+        if (traitName !== undefined) {
+            return context?.identity?.traits?.[traitName];
+        }
         const contextValue = getContextValue(property, context);
         if (contextValue !== undefined && isPrimitive(contextValue)) {
             return contextValue;
@@ -180,7 +191,7 @@ export function getContextValue(jsonPath: string, context?: GenericEvaluationCon
 
     try {
         const normalizedPath = normalizeJsonPath(jsonPath);
-        const results = jsonpath.query(context, normalizedPath);
+        const results = JSONPath({ path: normalizedPath, json: context });
         return results.length > 0 ? results[0] : undefined;
     } catch (error) {
         return undefined;