<div dir="auto">Note that XML validation with X3DJSAIL currently *requires* a .dtd and/or .xsd listed in the header, or you will get hundreds of messages telling you to email Don Brutzman, who will tell you to put the header on the file.</div><div dir="auto"><br></div><div dir="auto">So put the header on the file, and be happy that all those messages go away. But don’t DOS the digital signature XML schema site with batch requests such that they block you!</div><div dir="auto"><br></div><div dir="auto">I doubt if such issues will arise with JSON schema.</div><div dir="auto"><br></div><div dir="auto">YMMV,</div><div dir="auto"><br></div><div dir="auto">John</div><div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Mon, Sep 8, 2025 at 10:12 PM John Carlson <<a href="mailto:yottzumm@gmail.com">yottzumm@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">I’m not seeing that x3dvalidate got new versions recently, so likely there’s no issue with it. To be on the safe side, go with version 9.0.1 perhaps:</div><div dir="auto"><br></div><div dir="auto"><div><a href="https://www.npmjs.com/package/x3dvalidate" target="_blank">https://www.npmjs.com/package/x3dvalidate</a></div><div dir="auto"><br></div><div dir="auto">$ npx x3dvalidate@9.0.1 file1.x3dj file2.x3dj …</div><div dir="auto"><br></div><div dir="auto">Unless you need the latest features!</div><div dir="auto"><br></div><div dir="auto">Probably there will be an alternative way to check X3D JSON when the standard gets released, depending on whether a JSON schema standard is released (in other words, never). For those requiring alternative schema validation now, I suggest looking into X3DJSONLD.* and validating the result DOM against the XML schema. Various X3DJSONLD JSON to DOM Converters exist for JavaScript, Java, C, and Pascal. If sufficient pressure is placed on me, I will create a schema validator in python which doesn’t use <a href="http://x3d.py/X3DPSAIL" target="_blank">x3d.py/X3DPSAIL</a>, yet validates JSON against XML Schema. Please indicate your interest. I’m guessing XML schema validation will outperform JSON schema validation in Python. Python validation against JSON schema has been done, but it’s not performant as JavaScript, so I typically test with the latter. Since JSON schema has been deprecated until further notice, it might be wise to use X3DJSONLD to convert to XML or DOM for validation.</div><div dir="auto"><br></div><div dir="auto">Java already has something to validate X3D JSON against XML schema, that’s where I would look first, if not X3DJSAIL’s DOM Loader being used with X3DJSONLD.java. I haven’t built something to validate JavaScript DOM against XML schema yet, but I can serialize to XML, and validate against XML schema, most likely. Mostly, I use DOM to XML serialization to compare roundtrip conversions from XML to JSON to DOM.</div><div dir="auto"><br></div><div dir="auto">Note that there are missing features in X3dToJson.xslt which might be addressed later this year, I am going with Holger’s x3d-tidy in the short term as I am exercising Material nodes which aren’t mapped well yet in X3dToJson.xlst. For those on the leading edge, see how the SFNodes in</div><div dir="auto"><br></div><div dir="auto"><div><a href="https://www.web3d.org/specifications/X3Dv4/ISO-IEC19775-1v4-IS/Part01/components/shape.html#Material" target="_blank">https://www.web3d.org/specifications/X3Dv4/ISO-IEC19775-1v4-IS/Part01/components/shape.html#Material</a></div><br></div><div dir="auto">are mapped to JSON with X3dToJson.xslt. AFAIK, the SFNodes should be mapped to JSON objects, not JSON arrays, those are for MFNodes. Obviously, if one is validating the DOM against XML schema is done, perhaps important stuff like array versus object is swept under the covers? IDK.</div><div dir="auto"><br></div><div dir="auto">Note that X3DJSONLD is not affiliated with JSON-LD. The former is a JSON loader (hence the LD) and has nothing to do with linked data.</div></div><div dir="auto"><div dir="auto"><br></div><div dir="auto">John <br></div><br></div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Sep 8, 2025 at 8:00 PM John Carlson <<a href="mailto:yottzumm@gmail.com" target="_blank">yottzumm@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)"><div dir="auto"><a href="https://youtu.be/taEIb3xXzjk?si=L6RsGCfQ53J4FE2a" target="_blank">https://youtu.be/taEIb3xXzjk</a></div><div dir="auto"><br></div><div dir="auto">I have not yet determined whether my packages are affected. I have one published npm (node package manager) module published, “x3dvalidate.”</div><div dir="auto"><br></div><div dir="auto">Here are my x3dvalidate dependencies, which you can certainly check to see if they are affected:</div><div dir="auto"><br></div><div dir="auto"><div> "dependencies": {<br> "ajv": "*",<br> "ajv-formats": "*",<br> "ajv-formats-draft2019": "*",<br> "ajv-i18n": "*"<br> },</div><div dir="auto"><br></div><div dir="auto">I’m guessing there will be many possible versions of packages being withdrawn.</div><div dir="auto"><br></div><div dir="auto">Apparently some npm module maintainer fell for some clever phishing email that used a icon similar to the npm icon, claiming that 2FA needed to be updated.</div><div dir="auto"><br></div><div dir="auto">AFAIK, this is legit, but it’s just some guy, “Matt Johansen” reporting on YouTube.</div><div dir="auto"><br></div><div dir="auto">There’s also reports on Reddit, which say only one user is affected, but if any of your dependencies depend on his/her dependencies, you might be affected:</div><div dir="auto"><br></div><div dir="auto"><div><a href="https://www.reddit.com/r/programming/comments/1nbqt4d/largest_npm_compromise_in_history_supply_chain/" target="_blank">https://www.reddit.com/r/programming/comments/1nbqt4d/largest_npm_compromise_in_history_supply_chain/</a></div><br></div><div dir="auto">The directly affected packages are listed there.</div><div dir="auto"><br></div><div dir="auto">It mostly appears like this is an attack on cryptocurrency, primarily. I don’t invest in cryptocurrencies.</div><div dir="auto"><br></div><div dir="auto">I will be reviewing emails, and potentially changing dependencies on my various node packages, which I’ve been meaning to do for a while, while these are on GitHub, I’ve only published the one module to npm.</div><div dir="auto"><br></div><div dir="auto">I don’t know if anyone else in X3D is affected, just be aware of package dependencies for any npx programs you execute. This includes stuff like React, Vite, and anyone else using npm and npx.</div><div dir="auto"><br></div><div dir="auto">Primarily, I will be investigating my X3DJSONLD dependencies as found in my package-lock.json, listed here:</div><div dir="auto"><br></div><div dir="auto"><div><a href="https://github.com/coderextreme/X3DJSONLD/blob/master/package-lock.json" target="_blank">https://github.com/coderextreme/X3DJSONLD/blob/master/package-lock.json</a></div><br></div><div dir="auto"><br></div><div dir="auto">This didn’t really hit the most popular tech news sites, but reporting has been done in the Cryptocurrency sites (which I’m just seeing headlines in google).</div></div><div dir="auto"><div dir="auto"><br></div><div dir="auto">John</div><div dir="auto"><br></div><br></div>
</blockquote></div></div>
</blockquote></div></div>