Research
Security News
Kill Switch Hidden in npm Packages Typosquatting Chalk and Chokidar
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
The flatted npm package is a library for encoding and decoding JavaScript objects into a flat JSON format. It is particularly useful for handling circular references and complex data structures that JSON.stringify cannot handle by default.
Encoding objects with circular references
Flatted allows you to encode objects that have circular references, which would throw an error with JSON.stringify. For example, if you have an object 'circularObj' that references itself, you can use flatted.stringify(circularObj) to get a string representation of the object.
{"encoded": "flatted.stringify(circularObj)"}
Decoding flatted strings back to objects
After encoding an object with circular references using flatted, you can decode the resulting string back into an object with flatted.parse(flattedString). This will restore the circular references and give you back the original object structure.
{"decoded": "flatted.parse(flattedString)"}
CircularJSON is a JSON-like format that can encode circular structures and other complex data types. It is similar to flatted but was superseded by flatted due to its ability to handle more data types and its smaller footprint.
json-stringify-safe is a package that can stringify objects with circular references without throwing. It works by replacing circular references with a string '[Circular]'. It is similar to flatted but does not allow for reconstruction of the original object with circular references.
Social Media Photo by Matt Seymour on Unsplash
A super light (0.5K) and fast circular JSON parser, directly from the creator of CircularJSON.
Available also for PHP.
Available also for Python.
There is a standard approach to recursion and more data-types than what JSON allows, and it's part of the Structured Clone polyfill.
Beside acting as a polyfill, its @ungap/structured-clone/json
export provides both stringify
and parse
, and it's been tested for being faster than flatted, but its produced output is also smaller than flatted in general.
The @ungap/structured-clone module is, in short, a drop in replacement for flatted, but it's not compatible with flatted specialized syntax.
However, if recursion, as well as more data-types, are what you are after, or interesting for your projects/use cases, consider switching to this new module whenever you can 👍
npm i flatted
Usable via CDN or as regular module.
// ESM
import {parse, stringify, toJSON, fromJSON} from 'flatted';
// CJS
const {parse, stringify, toJSON, fromJSON} = require('flatted');
const a = [{}];
a[0].a = a;
a.push(a);
stringify(a); // [["1","0"],{"a":"0"}]
If you'd like to implicitly survive JSON serialization, these two helpers helps:
import {toJSON, fromJSON} from 'flatted';
class RecursiveMap extends Map {
static fromJSON(any) {
return new this(fromJSON(any));
}
toJSON() {
return toJSON([...this.entries()]);
}
}
const recursive = new RecursiveMap;
const same = {};
same.same = same;
recursive.set('same', same);
const asString = JSON.stringify(recursive);
const asMap = RecursiveMap.fromJSON(JSON.parse(asString));
asMap.get('same') === asMap.get('same').same;
// true
As it is for every other specialized format capable of serializing and deserializing circular data, you should never JSON.parse(Flatted.stringify(data))
, and you should never Flatted.parse(JSON.stringify(data))
.
The only way this could work is to Flatted.parse(Flatted.stringify(data))
, as it is also for CircularJSON or any other, otherwise there's no granted data integrity.
Also please note this project serializes and deserializes only data compatible with JSON, so that sockets, or anything else with internal classes different from those allowed by JSON standard, won't be serialized and unserialized as expected.
.parse(string, reviver)
and revive your own objects.space
parameter to .stringify(object, replacer, space)
for feature parity with JSON signature.All ECMAScript engines compatible with Map
, Set
, Object.keys
, and Array.prototype.reduce
will work, even if polyfilled.
While stringifying, all Objects, including Arrays, and strings, are flattened out and replaced as unique index. *
Once parsed, all indexes will be replaced through the flattened collection.
*
represented as string to avoid conflicts with numbers
// logic example
var a = [{one: 1}, {two: '2'}];
a[0].a = a;
// a is the main object, will be at index '0'
// {one: 1} is the second object, index '1'
// {two: '2'} the third, in '2', and it has a string
// which will be found at index '3'
Flatted.stringify(a);
// [["1","2"],{"one":1,"a":"0"},{"two":"3"},"2"]
// a[one,two] {one: 1, a} {two: '2'} '2'
FAQs
A super light and fast circular JSON parser.
The npm package flatted receives a total of 28,110,281 weekly downloads. As such, flatted popularity was classified as popular.
We found that flatted demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
Security News
pnpm 10 blocks lifecycle scripts by default to improve security, addressing supply chain attack risks but sparking debate over compatibility and workflow changes.
Product
Socket now supports uv.lock files to ensure consistent, secure dependency resolution for Python projects and enhance supply chain security.