Fix JSON parsing security and validation

- Use Buffer.byteLength for accurate byte-size checking
- Throw SyntaxError for JSON parse failures
- Improve error messages for better clarity
- Remove prototype pollution check (JSON.parse handles safely)

Author: jdalton

src/package-url.ts

@@ -254,12 +254,14 @@ class PackageURL {
    */
   static fromJSON(json: unknown): PackageURL {
     if (typeof json !== 'string') {
-      throw new Error('JSON string argument is required')
+      throw new Error('JSON string argument is required.')
     }
 
     // Size limit: 1MB to prevent memory exhaustion.
+    // Check actual byte size, not character length.
     const MAX_JSON_SIZE = 1024 * 1024
-    if (json.length > MAX_JSON_SIZE) {
+    const byteSize = Buffer.byteLength(json, 'utf8')
+    if (byteSize > MAX_JSON_SIZE) {
       throw new Error(
         `JSON string exceeds maximum size limit of ${MAX_JSON_SIZE} bytes`,
       )
@@ -269,7 +271,10 @@ class PackageURL {
     try {
       parsed = JSON.parse(json)
     } catch (e) {
-      throw new Error('Invalid JSON string', { cause: e })
+      // For JSON parsing errors, throw a SyntaxError with the expected message
+      const syntaxError = new SyntaxError('Failed to parse PackageURL from JSON')
+      ;(syntaxError as any).cause = e
+      throw syntaxError
     }
 
     // Validate parsed result is an object.