The json5 npm package is a JSON parser and serializer that allows for comments, trailing commas, single quotes, and more. It is designed to be a more user-friendly and flexible version of JSON.
Parsing JSON5 Strings
This feature allows you to parse JSON5 strings into JavaScript objects. It supports comments, single quotes, and additional syntax that is not available in standard JSON.
JSON5.parse('{/*comment*/"key": "value"}')
Stringifying JavaScript Objects
This feature converts JavaScript objects into JSON5 strings. It can include features like trailing commas and unquoted keys, making the output more human-readable.
JSON5.stringify({key: 'value'}, null, 2)
YAML is a human-friendly data serialization standard that can be used as an alternative to JSON. It supports comments, complex data structures, and is often used in configuration files. It is more flexible than JSON5 but uses a different syntax.
TOML is a configuration file format that is easy to read due to its clear semantics. It is similar to JSON5 in that it aims to be more user-friendly, but it has its own syntax and is often used in applications where configuration files are written and maintained by humans.
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). It is not intended to be used for machine-to-machine communication. (Keep using JSON or other file formats for that. 🙂)
JSON5 was started in 2012, and as of 2022, now gets >65M downloads/week, ranks in the top 0.1% of the most depended-upon packages on npm, and has been adopted by major projects like Chromium, Next.js, Babel, Retool, WebStorm, and more. It's also natively supported on Apple platforms like MacOS and iOS.
Formally, the JSON5 Data Interchange Format is a superset of JSON (so valid JSON files will always be valid JSON5 files) that expands its syntax to include some productions from ECMAScript 5.1 (ES5). It's also a strict subset of ES5, so valid JSON5 files will always be valid ES5.
This JavaScript library is a reference implementation for JSON5 parsing and serialization, and is directly used in many of the popular projects mentioned above (where e.g. extreme performance isn't necessary), but others have created many other libraries across many other platforms.
The following ECMAScript 5.1 features, which are not supported in JSON, have been extended to JSON5.
Kitchen-sink example:
{
  // comments
  unquoted: 'and you can quote me on that',
  singleQuotes: 'I can use "double quotes" here',
  lineBreaks: "Look, Mom! \
No \\n's!",
  hexadecimal: 0xdecaf,
  leadingDecimalPoint: .8675309, andTrailing: 8675309.,
  positiveSign: +1,
  trailingComma: 'in objects', andIn: ['arrays',],
  "backwardsCompatible": "with JSON",
}
A more real-world example is this config file from the Chromium/Blink project.
For a detailed explanation of the JSON5 format, please read the official specification.
npm install json5
const JSON5 = require('json5')
import JSON5 from 'json5'
<!-- This will create a global `JSON5` variable. -->
<script src="https://unpkg.com/json5@2/dist/index.min.js"></script>
<script type="module">
import JSON5 from 'https://unpkg.com/json5@2/dist/index.min.mjs'
</script>
The JSON5 API is compatible with the JSON API.
Parses a JSON5 string, constructing the JavaScript value or object described by the string. An optional reviver function can be provided to perform a transformation on the resulting object before it is returned.
JSON5.parse(text[, reviver])
text: The string to parse as JSON5.
reviver: If a function, this prescribes how the value originally produced by parsing is transformed, before being returned.
Return value: The object corresponding to the given JSON5 text.
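The reviver hook described above can also serve as a validation point when the parsed text is a hand-edited config file. This is an added example, not code from the json5 project: `guardReviver`, `loadConfig` and the sample strings are hypothetical, and the built-in `JSON` is the default parser so the block runs without installing anything (`JSON5.parse` takes the same `(text, reviver)` arguments).

```javascript
// Added example (not json5 project code). Any parser with a JSON-compatible
// parse(text, reviver) can be passed in; the built-in JSON is the default
// here, and require('json5') can be passed to accept JSON5 syntax instead.

// Keys that can redirect property lookups if the parsed object is later
// merged or copied into other objects.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype'])

// The reviver is called for every key/value pair, innermost first, and
// finally once for the root value with the key ''.
function guardReviver (key, value) {
  if (FORBIDDEN_KEYS.has(key)) {
    throw new Error(`config key "${key}" is not allowed`)
  }
  // JSON5 accepts Infinity and NaN literals; in plain JSON an oversized
  // literal such as 1e999 also parses to Infinity.
  if (typeof value === 'number' && !Number.isFinite(value)) {
    throw new Error(`config value for "${key}" is not a finite number`)
  }
  return value
}

function loadConfig (text, parser = JSON) {
  const parsed = parser.parse(text, guardReviver)
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('config root must be an object')
  }
  // A null-prototype copy keeps lookups such as cfg.toString from
  // resolving to inherited Object.prototype members.
  return Object.assign(Object.create(null), parsed)
}

// Constructed sample inputs.
const SAMPLE_OK = '{"port": 8080, "tls": {"minVersion": "TLSv1.2"}}'
const SAMPLE_BAD = '{"plugins": {"__proto__": {"isAdmin": true}}}'

// Returns true when loadConfig refuses the text.
function rejects (text, parser = JSON) {
  try { loadConfig(text, parser); return false } catch (err) { return true }
}
```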
Converts a JavaScript value to a JSON5 string, optionally replacing values if a replacer function is specified, or optionally including only the specified properties if a replacer array is specified.
JSON5.stringify(value[, replacer[, space]])
JSON5.stringify(value[, options])
value: The value to convert to a JSON5 string.
replacer: A function that alters the behavior of the stringification process, or an array of String and Number objects that serve as a whitelist for selecting/filtering the properties of the value object to be included in the JSON5 string. If this value is null or not provided, all properties of the object are included in the resulting JSON5 string.
space: A String or Number object that's used to insert white space into the output JSON5 string for readability purposes. If this is a Number, it indicates the number of space characters to use as white space; this number is capped at 10 (if it is greater, the value is just 10). Values less than 1 indicate that no space should be used. If this is a String, the string (or the first 10 characters of the string, if it's longer than that) is used as white space. If this parameter is not provided (or is null), no white space is used. If white space is used, trailing commas will be used in objects and arrays.
options: An object with the following properties:
  replacer: Same as the replacer parameter.
  space: Same as the space parameter.
  quote: A String representing the quote character to use when serializing strings.
Return value: A JSON5 string representing the value.
require() JSON5 files
When using Node.js, you can require() JSON5 files by adding the following statement.
require('json5/lib/register')
Then you can load a JSON5 file with a Node.js require() statement. For example:
const config = require('./config.json5')
Since JSON is more widely used than JSON5, this package includes a CLI for converting JSON5 to JSON and for validating the syntax of JSON5 documents.
npm install --global json5
json5 [options] <file>
If <file> is not provided, then STDIN is used.
-s, --space: The number of spaces to indent or t for tabs
-o, --out-file [file]: Output to the specified file, otherwise STDOUT
-v, --validate: Validate JSON5 but do not output JSON
-V, --version: Output the version number
-h, --help: Output usage information
git clone https://github.com/json5/json5
cd json5
npm install
When contributing code, please write relevant tests and run npm test and npm run lint before submitting pull requests. Please use an editor that supports EditorConfig.
To report bugs or request features regarding the JSON5 data format, please submit an issue to the official specification repository.
Note that we will never add any features that make JSON5 incompatible with ES5; that compatibility is a fundamental premise of JSON5.
To report bugs or request features regarding this JavaScript implementation of JSON5, please submit an issue to this repository.
To report a security vulnerability, please follow the guidelines described in our security policy.
MIT. See LICENSE.md for details.
Aseem Kishore founded this project. He wrote a blog post about the journey and lessons learned 10 years in.
Michael Bolin independently arrived at and published some of these same ideas with awesome explanations and detail. Recommended reading: Suggested Improvements to JSON
Douglas Crockford of course designed and built JSON, but his state machine diagrams on the JSON website, as cheesy as it may sound, gave us motivation and confidence that building a new parser to implement these ideas was within reach! The original implementation of JSON5 was also modeled directly off of Doug’s open-source json_parse.js parser. We’re grateful for that clean and well-documented code.
Max Nanasy has been an early and prolific supporter, contributing multiple patches and ideas.
Andrew Eisenberg contributed the original stringify method.
Jordan Tucker has aligned JSON5 more closely with ES5, wrote the official JSON5 specification, completely rewrote the codebase from the ground up, and is actively maintaining this project.
v2.2.3 [[code][c2.2.3], [diff][d2.2.3]]
FAQs
JSON for Humans
The npm package json5 receives a total of 70,712,005 weekly downloads. As such, json5 popularity was classified as popular.
We found that json5 demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.