You're Invited:Meet the Socket Team at BlackHat and DEF CON in Las Vegas, Aug 4-6.RSVP →
destr - npm Package Compare versions
Comparing version 1.2.0 to 1.2.1
| declare type Options = { | ||
| strict?: boolean; | ||
| }; | ||
| declare function destr(val: any, options?: Options): any; | ||
| declare function destr(value: any, options?: Options): any; | ||
| export { Options, destr as default }; |
| { | ||
| "name": "destr", | ||
| "version": "1.2.0", | ||
| "version": "1.2.1", | ||
| "description": "A faster, secure and convenient alternative for JSON.parse", | ||
@@ -23,5 +23,5 @@ "repository": "unjs/destr", | ||
| "@hapi/bourne": "^3.0.0", | ||
| "@nuxtjs/eslint-config-typescript": "^11.0.0", | ||
| "benchmark": "^2.1.4", | ||
| "eslint": "^8.25.0", | ||
| "eslint": "^8.27.0", | ||
| "eslint-config-unjs": "^0.0.2", | ||
| "secure-json-parse": "^2.5.0", | ||
@@ -32,3 +32,3 @@ "standard-version": "^9.5.0", | ||
| }, | ||
| "packageManager": "pnpm@6.34.0", | ||
| "packageManager": "pnpm@7.16.0", | ||
| "scripts": { | ||
@@ -40,4 +40,3 @@ "bench": "pnpm build && node ./bench.cjs", | ||
| "test": "pnpm lint" | ||
| }, | ||
| "readme": "# destr\n\n> A faster, secure and convenient alternative for [`JSON.parse`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse):\n\n[![npm version][npm-v-src]][npm-v-href]\n[![npm downloads][npm-d-src]][npm-d-href]\n[![bundle phobia][bundlephobia-src]][bundlephobia-href]\n\n## Usage\n\n### Node.js\n\nInstall using npm or yarn:\n\n```bash\nnpm i destr\n# or\nyarn add destr\n```\n\nImport into your Node.js project:\n\n```js\n// CommonJS\nconst destr = require('destr')\n\n// ESM\nimport destr from 'destr'\n```\n\n### Deno\n\n```js\nimport destr from 'https://deno.land/x/destr/src/index.ts'\n\nconsole.log(destr('{ \"deno\": \"yay\" }'))\n```\n\n### Options\n\n`destr` allows the following options as the second argument:\n\n#### `strict`\n\nDefault: `false`\n\nIf set to `true`, `destr` will throw an error if the input is not a valid JSON string or parsing fails.\n\n```js\n// Returns \"[foo\"\ndestr('[foo')\n\n// Throws an error\ndestr('[foo', { strict: true })\n```\n\n## Why?\n\nPlease note that `destr` is little bit slower when parsing a standard JSON string mainly because of transform to avoid [prototype pollution](https://hueniverse.com/a-tale-of-prototype-poisoning-2610fa170061) which can lead to serious security issues if not being sanitized. In the other words, `destr` is better when input is not always a json string or from untrusted source like request body.\n\n**Fast fallback to input if is not string:**\n\n```js\n// Uncaught SyntaxError: Unexpected token u in JSON at position 0\nJSON.parse()\n\n// undefined\ndestr()\n```\n\n**Fast lookup for known string values:**\n\n```js\n// Uncaught SyntaxError: Unexpected token T in JSON at position 0\nJSON.parse('TRUE')\n\n// true\ndestr('TRUE')\n```\n\n**Fallback to original value if parse fails (empty or any plain string):**\n\n```js\n// Uncaught SyntaxError: Unexpected token s in JSON at position 0\nJSON.parse('salam')\n\n// \"salam\"\ndestr('salam')\n```\n\n**Avoid prototype pollution:**\n\n```js\nconst input = '{ \"user\": { \"__proto__\": { \"isAdmin\": true } } }'\n\n// { user: { __proto__: { isAdmin: true } } }\nJSON.parse(input)\n\n// { user: {} }\ndestr(input)\n```\n\n## Benchmarks\n\nLocally try with `pnpm benchmark`\n\nResults on Node.js 18.11.0 with MBA M2\n\n```\n=== Non-string fallback ==\nJSON.parse x 10,323,718 ops/sec ±0.45% (96 runs sampled)\ndestr x 1,057,268,114 ops/sec ±1.71% (90 runs sampled)\ndestr (strict) x 977,215,995 ops/sec ±1.43% (97 runs sampled)\nsjson:\n@hapi/bourne x 10,151,985 ops/sec ±0.76% (96 runs sampled)\nFastest is destr\n\n=== Known values ==\nJSON.parse x 16,359,358 ops/sec ±0.90% (92 runs sampled)\ndestr x 107,849,085 ops/sec ±0.34% (97 runs sampled)\ndestr (strict) x 107,891,427 ops/sec ±0.34% (99 runs sampled)\nsjson x 14,216,957 ops/sec ±0.98% (89 runs sampled)\n@hapi/bourne x 15,209,152 ops/sec ±1.08% (88 runs sampled)\nFastest is destr (strict),destr\n\n=== Plain string ==\nJSON.parse (try-catch) x 211,560 ops/sec ±0.84% (92 runs sampled)\ndestr x 60,315,113 ops/sec ±0.46% (98 runs sampled)\ndestr (strict):\nsjson (try-catch) x 186,492 ops/sec ±0.70% (97 runs sampled)\n@hapi/bourne:\nFastest is destr\n\n=== standard object ==\nJSON.parse x 492,180 ops/sec ±0.98% (98 runs sampled)\ndestr x 356,819 ops/sec ±0.40% (98 runs sampled)\ndestr (strict) x 412,955 ops/sec ±0.88% (94 runs sampled)\nsjson x 437,376 ops/sec ±0.42% (102 runs sampled)\n@hapi/bourne x 457,020 ops/sec ±0.81% (99 runs sampled)\nFastest is JSON.parse\n\n=== invalid syntax ==\nJSON.parse (try-catch) x 493,739 ops/sec ±0.51% (98 runs sampled)\ndestr x 405,848 ops/sec ±0.56% (100 runs sampled)\ndestr (strict) x 409,514 ops/sec ±0.57% (101 runs sampled)\nsjson (try-catch) x 435,406 ops/sec ±0.41% (100 runs sampled)\n@hapi/bourne x 467,163 ops/sec ±0.42% (99 runs sampled)\nFastest is JSON.parse (try-catch)\n```\n\n## License\n\nMIT. Made with 💖\n\n<!-- Refs -->\n[npm-v-src]: https://img.shields.io/npm/v/destr?style=flat-square\n[npm-v-href]: https://npmjs.com/package/destr\n\n[npm-d-src]: https://img.shields.io/npm/dm/destr?style=flat-square\n[npm-d-href]: https://npmjs.com/package/destr\n\n[github-actions-src]: https://img.shields.io/github/workflow/status/unjs/destr/ci/master?style=flat-square\n[github-actions-href]: https://github.com/unjs/destr/actions?query=workflow%3Aci\n\n[bundlephobia-src]: https://img.shields.io/bundlephobia/min/destr?style=flat-square\n[bundlephobia-href]: https://bundlephobia.com/result?p=destr\n" | ||
| } | ||
| } |
@@ -39,24 +39,5 @@ # destr | ||
| ### Options | ||
| `destr` allows the following options as the second argument: | ||
| #### `strict` | ||
| Default: `false` | ||
| If set to `true`, `destr` will throw an error if the input is not a valid JSON string or parsing fails. | ||
| ```js | ||
| // Returns "[foo" | ||
| destr('[foo') | ||
| // Throws an error | ||
| destr('[foo', { strict: true }) | ||
| ``` | ||
| ## Why? | ||
| Please note that `destr` is little bit slower when parsing a standard JSON string mainly because of transform to avoid [prototype pollution](https://hueniverse.com/a-tale-of-prototype-poisoning-2610fa170061) which can lead to serious security issues if not being sanitized. In the other words, `destr` is better when input is not always a json string or from untrusted source like request body. | ||
| **Fast fallback to input if is not string:** | ||
@@ -104,7 +85,19 @@ | ||
| ### Strict Mode | ||
| If `{ strict: true }` passed as second argument, `destr` will throw an error if the input is not a valid JSON string or parsing fails. (non string values and built-ins will be still returned as-is) | ||
| ```js | ||
| // Returns "[foo" | ||
| destr('[foo') | ||
| // Throws an error | ||
| destr('[foo', { strict: true }) | ||
| ``` | ||
| ## Benchmarks | ||
| Locally try with `pnpm benchmark` | ||
| Locally try with `pnpm benchmark`. Below are esults on Node.js 18.11.0 with MBA M2. | ||
| Results on Node.js 18.11.0 with MBA M2 | ||
| **Note** `destr` is sometimes little bit slower than `JSON.parse` when parsing a valid JSON string mainly because of transform to avoid [prototype pollution](https://learn.snyk.io/lessons/prototype-pollution/javascript/) which can lead to serious security issues if not being sanitized. In the other words, `destr` is better when input is not always a json string or from untrusted source like request body. | ||
@@ -111,0 +104,0 @@ ``` |
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
No alert changes
Worsened metrics
- Total package byte prevSize
9423
-32.05%- Number of lines in readme file
160
-4.19%No dependency changes