🎩 You're Invited:Meet the Socket team at Black Hat in Las Vegas, August 3-6.RSVP
Sign In

@nodable/entities

Package Overview
Dependencies
Maintainers
1
Versions
8
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@nodable/entities

Entity parser for XML, HTML, External entites with security and NCR control

latest
Source
npmnpm
Version
3.0.0
Version published
Weekly downloads
31M
-2.4%
Maintainers
1
Weekly downloads
 
Created
Source

@nodable/entities

Fast, zero-dependency XML/HTML entity encoder and decoder for Node.js.

Install

npm install @nodable/entities

Quick start

import { EntityEncoder, EntityDecoder, ALL_ENTITIES } from '@nodable/entities';

// Encode: plain text → entity references
// v3 requires an explicit entity set when encoding named (non‑ASCII) characters
const enc = new EntityEncoder({ namedEntities: ALL_ENTITIES });
enc.encode('Hello © 2024 & <stuff>');
// → 'Hello &copy; 2024 &amp; &lt;stuff&gt;'

// Decode: entity references → plain text
const dec = new EntityDecoder({ namedEntities: ALL_ENTITIES });
dec.decode('Hello &copy; 2024 &amp; &lt;stuff&gt;');
// → 'Hello © 2024 & <stuff>'

If you only need to encode XML‑unsafe characters (&, <, >, ", '), you can disable named‑entity encoding entirely and avoid importing any entity set:

const enc = new EntityEncoder({ encodeAllNamed: false });
enc.encode('© <stuff>'); // → '© &lt;stuff&gt;'  (copyright stays literal)

To encode only a specific subset of characters (e.g. common HTML entities), pass a custom map:

import { EntityEncoder, COMMON_HTML, CURRENCY } from '@nodable/entities';

const enc = new EntityEncoder({ namedEntities: { ...COMMON_HTML, ...CURRENCY } });
enc.encode('Price: 10 © 2024'); // only COMMON_HTML/CURRENCY entities are recognized

Migration from v2 to v3

Breaking change:
In v2, new EntityEncoder() automatically used the full built‑in entity set to encode non‑ASCII characters (like ©&copy;). This caused poor tree‑shaking: every consumer paid the cost of the entire entity table, even if they never used it.

In v3, EntityEncoder no longer includes a default entity set.
If you pass no options and encodeAllNamed is true (the default), the constructor will throw an error:

const enc = new EntityEncoder(); // throws: "encodeAllNamed is true but no `namedEntities` was provided"

How to update

What you needv2 codev3 code
Full built‑in set (same as v2)new EntityEncoder()import { ALL_ENTITIES } from '@nodable/entities';
new EntityEncoder({ namedEntities: ALL_ENTITIES })
Only XML‑unsafe chars (no named entities)new EntityEncoder({ encodeAllNamed: false })Same – no change
Custom subsetnew EntityEncoder({ namedEntities: myMap })Same – but now your map is required for named‑entity encoding

This change allows bundlers to tree‑shake unused entity categories – you only pay for the characters you actually encode.

Upgrading step‑by‑step

  • Update to @nodable/entities@3.0.0.
  • Find all new EntityEncoder() calls in your project.
  • Decide:
    • If you need the full set: import ALL_ENTITIES and pass it as namedEntities.
    • If you only need XML‑unsafe escaping: add { encodeAllNamed: false }.
    • If you used a custom set: keep it as‑is – it already worked.
  • Run your tests – the encoder should now behave as before, but with better bundle size.

Performance

encodedecode
entities (npm)3.65 M req/s1.76 M req/s
@nodable/entities3.33 M req/s5.19 M req/s

Documentation

  • EntityEncoder — options, API, recipes
  • EntityDecoder — options, API, security limits, entity sets

License

MIT

Keywords

fast

FAQs

Package last updated on 14 Jul 2026

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts