Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
The bson npm package is a library that allows you to serialize and deserialize data in BSON format. BSON, short for Binary JSON, is a binary-encoded serialization of JSON-like documents. It is designed to be efficient in both storage space and scan-speed. The bson package is commonly used when working with MongoDB, as MongoDB uses BSON as its document storage format.
Serialization
This feature allows you to convert a JavaScript object into a BSON formatted buffer. This is useful for storing and transmitting data in a compact binary form.
const BSON = require('bson');
const doc = { hello: 'world' };
// serialize() is a static export; the module itself is not a constructor
const data = BSON.serialize(doc);
console.log(data);
// <Buffer 16 00 00 00 02 68 65 6c 6c 6f 00 06 00 00 00 77 6f 72 6c 64 00 00>
Deserialization
This feature allows you to convert BSON data back into a JavaScript object. This is useful when you need to read data that was stored or transmitted in BSON format.
const BSON = require('bson');
const data = Buffer.from('160000000268656c6c6f0006000000776f726c640000', 'hex');
// deserialize() is a static export; the module itself is not a constructor
const doc = BSON.deserialize(data);
console.log(doc);
// { hello: 'world' }
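The byte layout of the 22-byte buffer shown above, walked by hand. This is an added example, not code from the bson package or the original page: `readStringDoc` and `SAMPLE` are hypothetical names, the reader handles only string elements (type 0x02), and it checks every length field against the buffer before using it, which is what matters when the bytes come from an untrusted source.

```javascript
// Added example: hand-rolled reader for BSON documents whose elements are all
// UTF-8 strings (type 0x02). readStringDoc is a hypothetical helper, not bson API.
const SAMPLE = Buffer.from('160000000268656c6c6f0006000000776f726c640000', 'hex');

function readStringDoc(buf) {
  if (buf.length < 5) throw new RangeError('shorter than the minimal document');
  const size = buf.readInt32LE(0); // int32 total size, little-endian
  // Exact match only: no trailing bytes, no truncated input.
  if (size !== buf.length) {
    throw new RangeError(`declared size ${size} != buffer length ${buf.length}`);
  }
  const end = size - 1; // index of the document's trailing 0x00
  if (buf[end] !== 0x00) throw new RangeError('missing document terminator');

  const doc = {};
  let pos = 4;
  while (pos < end) {
    const type = buf[pos++];
    if (type !== 0x02) throw new TypeError(`unsupported type 0x${type.toString(16)}`);

    const keyEnd = buf.indexOf(0x00, pos); // element name is a C string
    if (keyEnd === -1 || keyEnd >= end) throw new RangeError('unterminated key');
    const key = buf.toString('utf8', pos, keyEnd);
    pos = keyEnd + 1;

    if (pos + 4 > end) throw new RangeError('truncated string length');
    const strLen = buf.readInt32LE(pos); // byte count including the final 0x00
    pos += 4;
    if (strLen < 1 || strLen > end - pos) {
      throw new RangeError('string length out of bounds');
    }
    if (buf[pos + strLen - 1] !== 0x00) throw new RangeError('string not terminated');

    // defineProperty keeps a key such as "__proto__" an ordinary own property.
    Object.defineProperty(doc, key, {
      value: buf.toString('utf8', pos, pos + strLen - 1),
      enumerable: true, writable: true, configurable: true,
    });
    pos += strLen;
  }
  return doc;
}

console.log(readStringDoc(SAMPLE));
```

The exact-size check here is stricter than the library's `allowObjectSmallerThanBufferSize` option listed further down, which permits a buffer larger than the parsed document.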
msgpack5 is a package that implements the MessagePack serialization format. MessagePack is an efficient binary serialization format that is similar to BSON but is not tied to MongoDB. It aims to be more compact and faster than JSON.
protobufjs is a package that allows you to serialize and deserialize data using Google's Protocol Buffers. Protocol Buffers are similar to BSON in that they provide a way to encode structured data in an efficient binary format, but they require a predefined schema and are more focused on cross-language compatibility.
cbor is a package that implements the CBOR (Concise Binary Object Representation) data format. Like BSON, CBOR is a binary format that can serialize and deserialize JavaScript objects. However, CBOR is designed to be more compact and to have a wider range of data types than BSON.
BSON is short for "Binary JSON," and is the binary-encoded serialization of JSON-like documents. You can learn more about it in the specification.
This browser version of the BSON parser is compiled using rollup and the current version is pre-compiled in the dist directory.
This is the default BSON parser; however, there is also a C++ Node.js addon version that does not support the browser. It can be found at mongodb-js/bson-ext.
Think you've found a bug? Want to see a new feature in bson? Please open a case in our issue management tool, JIRA:
Bug reports in JIRA for all driver projects (i.e. NODE, PYTHON, CSHARP, JAVA) and the Core Server (i.e. SERVER) project are public.
To build a new version perform the following operations:
npm install
npm run build
A simple example of how to use BSON in Node.js:
const BSON = require('bson');
const Long = BSON.Long;
// Serialize a document
const doc = { long: Long.fromNumber(100) };
const data = BSON.serialize(doc);
console.log('data:', data);
// Deserialize the resulting Buffer
const doc_2 = BSON.deserialize(data);
console.log('doc_2:', doc_2);
If you are not using a bundler like webpack, you can include dist/bson.bundle.js using a script tag. It includes polyfills for built-in node types like Buffer.
<script src="./dist/bson.bundle.js"></script>
<script>
  function start() {
    // Get the Long type
    const Long = BSON.Long;
    // Serialize a document
    const doc = { long: Long.fromNumber(100) };
    const data = BSON.serialize(doc);
    console.log('data:', data);
    // Deserialize it again
    const doc_2 = BSON.deserialize(data);
    console.log('doc_2:', doc_2);
  }
</script>
If using webpack, you can use your normal import/require syntax of your project to pull in the bson library.
ES6 Example:
import { Long, serialize, deserialize } from 'bson';
// Serialize a document
const doc = { long: Long.fromNumber(100) };
const data = serialize(doc);
console.log('data:', data);
// Deserialize it again
const doc_2 = deserialize(data);
console.log('doc_2:', doc_2);
ES5 Example:
const BSON = require('bson');
const Long = BSON.Long;
// Serialize a document
const doc = { long: Long.fromNumber(100) };
const data = BSON.serialize(doc);
console.log('data:', data);
// Deserialize the resulting Buffer
const doc_2 = BSON.deserialize(data);
console.log('doc_2:', doc_2);
Depending on your settings, webpack will under the hood resolve to one of the following:
- dist/bson.browser.esm.js - If your project is in the browser and using ES6 modules (Default for webworker and web targets)
- dist/bson.browser.umd.js - If your project is in the browser and not using ES6 modules
- dist/bson.esm.js - If your project is in Node.js and using ES6 modules (Default for node targets)
- lib/bson.js (the normal include path) - If your project is in Node.js and not using ES6 modules
For more information, see this page on webpack's resolve.mainFields and the package.json for this project.
Starting with Angular 6, Angular CLI removed the shim for global and other node built-in variables (original comment here). If you are using BSON with Angular, you may need to add the following shim to your polyfills.ts file:
// In polyfills.ts
(window as any).global = window;
npm install bson
object
Sets the size of the internal serialization buffer.
Buffer
Serialize a Javascript object.
Number
Serialize a Javascript object using a predefined Buffer and index into the buffer, useful when pre-allocating the space for serialization.
Object
Deserialize data as BSON.
Number
Calculate the bson size for a passed in Javascript object.
Number
Deserialize stream data as BSON documents.
Param | Type | Default | Description |
---|---|---|---|
text | string | | |
[options] | object | | Optional settings |
[options.relaxed] | boolean | true | Attempt to return native JS types where possible, rather than BSON types (if true) |
Parse an Extended JSON string, constructing the JavaScript value or object described by that string.
Example
const { EJSON } = require('bson');
const text = '{ "int32": { "$numberInt": "10" } }';
// prints { int32: { [String: '10'] _bsontype: 'Int32', value: '10' } }
console.log(EJSON.parse(text, { relaxed: false }));
// prints { int32: 10 }
console.log(EJSON.parse(text));
Param | Type | Default | Description |
---|---|---|---|
value | object | | The value to convert to extended JSON |
[replacer] | function \| array | | A function that alters the behavior of the stringification process, or an array of String and Number objects that serve as a whitelist for selecting/filtering the properties of the value object to be included in the JSON string. If this value is null or not provided, all properties of the object are included in the resulting JSON string |
[space] | string \| number | | A String or Number object that's used to insert white space into the output JSON string for readability purposes. |
[options] | object | | Optional settings |
[options.relaxed] | boolean | true | Enabled Extended JSON's relaxed mode |
[options.legacy] | boolean | true | Output in Extended JSON v1 |
Converts a BSON document to an Extended JSON string, optionally replacing values if a replacer function is specified or optionally including only the specified properties if a replacer array is specified.
Example
// Int32 is exported by bson itself, so the example needs no other package
const { EJSON, Int32 } = require('bson');
const doc = { int32: new Int32(10) };
// prints '{"int32":{"$numberInt":"10"}}'
console.log(EJSON.stringify(doc, { relaxed: false }));
// prints '{"int32":10}'
console.log(EJSON.stringify(doc));
Param | Type | Description |
---|---|---|
bson | object | The object to serialize |
[options] | object | Optional settings passed to the stringify function |
Serializes an object to an Extended JSON string, and reparses it as a JavaScript object.
Param | Type | Description |
---|---|---|
ejson | object | The Extended JSON object to deserialize |
[options] | object | Optional settings passed to the parse method |
Deserializes an Extended JSON object into a plain JavaScript object with native/BSON types.
Param | Type | Description |
---|---|---|
size | number | The desired size for the internal serialization buffer |
Sets the size of the internal serialization buffer.
Param | Type | Default | Description |
---|---|---|---|
object | Object | | the Javascript object to serialize. |
[options.checkKeys] | Boolean | | the serializer will check if keys are valid. |
[options.serializeFunctions] | Boolean | false | serialize the javascript functions (default:false). |
[options.ignoreUndefined] | Boolean | true | ignore undefined fields (default:true). |
Serialize a Javascript object.
Returns: Buffer - returns the Buffer object containing the serialized object.
Param | Type | Default | Description |
---|---|---|---|
object | Object | | the Javascript object to serialize. |
buffer | Buffer | | the Buffer you pre-allocated to store the serialized BSON object. |
[options.checkKeys] | Boolean | | the serializer will check if keys are valid. |
[options.serializeFunctions] | Boolean | false | serialize the javascript functions (default:false). |
[options.ignoreUndefined] | Boolean | true | ignore undefined fields (default:true). |
[options.index] | Number | | the index in the buffer where we wish to start serializing into. |
Serialize a Javascript object using a predefined Buffer and index into the buffer, useful when pre-allocating the space for serialization.
Returns: Number - returns the index pointing to the last written byte in the buffer.
Param | Type | Default | Description |
---|---|---|---|
buffer | Buffer | | the buffer containing the serialized set of BSON documents. |
[options.evalFunctions] | Object | false | evaluate functions in the BSON document scoped to the object deserialized. |
[options.cacheFunctions] | Object | false | cache evaluated functions for reuse. |
[options.cacheFunctionsCrc32] | Object | false | use a crc32 code for caching, otherwise use the string of the function. |
[options.promoteLongs] | Object | true | when deserializing a Long will fit it into a Number if it's smaller than 53 bits |
[options.promoteBuffers] | Object | false | when deserializing a Binary will return it as a node.js Buffer instance. |
[options.promoteValues] | Object | false | when deserializing will promote BSON values to their Node.js closest equivalent types. |
[options.fieldsAsRaw] | Object | | allows specifying which fields we wish to return as unserialized raw buffers. |
[options.bsonRegExp] | Object | false | return BSON regular expressions as BSONRegExp instances. |
[options.allowObjectSmallerThanBufferSize] | boolean | false | allows the buffer to be larger than the parsed BSON object |
Deserialize data as BSON.
Returns: Object - returns the deserialized Javascript Object.
Param | Type | Default | Description |
---|---|---|---|
object | Object | | the Javascript object to calculate the BSON byte size for. |
[options.serializeFunctions] | Boolean | false | serialize the javascript functions (default:false). |
[options.ignoreUndefined] | Boolean | true | ignore undefined fields (default:true). |
Calculate the bson size for a passed in Javascript object.
Returns: Number - returns the number of bytes the BSON object will take up.
Param | Type | Default | Description |
---|---|---|---|
data | Buffer | | the buffer containing the serialized set of BSON documents. |
startIndex | Number | | the start index in the data Buffer where the deserialization is to start. |
numberOfDocuments | Number | | number of documents to deserialize. |
documents | Array | | an array where to store the deserialized documents. |
docStartIndex | Number | | the index in the documents array from where to start inserting documents. |
[options] | Object | | additional options used for the deserialization. |
[options.evalFunctions] | Object | false | evaluate functions in the BSON document scoped to the object deserialized. |
[options.cacheFunctions] | Object | false | cache evaluated functions for reuse. |
[options.cacheFunctionsCrc32] | Object | false | use a crc32 code for caching, otherwise use the string of the function. |
[options.promoteLongs] | Object | true | when deserializing a Long will fit it into a Number if it's smaller than 53 bits |
[options.promoteBuffers] | Object | false | when deserializing a Binary will return it as a node.js Buffer instance. |
[options.promoteValues] | Object | false | when deserializing will promote BSON values to their Node.js closest equivalent types. |
[options.fieldsAsRaw] | Object | | allows specifying which fields we wish to return as unserialized raw buffers. |
[options.bsonRegExp] | Object | false | return BSON regular expressions as BSONRegExp instances. |
Deserialize stream data as BSON documents.
Returns: Number - returns the next index in the buffer after deserializing x number of documents.
Why does undefined get converted to null?
The undefined BSON type has been deprecated for many years, so this library has dropped support for it. Use the ignoreUndefined option (for example, from the driver) to instead remove undefined keys.
This library looks for toBSON() functions on every path, and calls the toBSON() function to get the value to serialize.
const BSON = require('bson');
class CustomSerialize {
toBSON() {
return 42;
}
}
const obj = { answer: new CustomSerialize() };
// "{ answer: 42 }"
console.log(BSON.deserialize(BSON.serialize(obj)));
FAQs
A bson parser for node.js and the browser
We found that bson demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 8 open source maintainers collaborating on the project.