A compression algorithm for JSON
jsonpack is a JavaScript program to pack and unpack JSON data.
It can compress to 55% of the original size if the data has a recursive structure, for example Earthquake GeoJSON or Twitter API data.
This lib works in both Node.js and browsers (older browsers missing ES5's JSON.stringify support will need a shim).
Quick example
```javascript
// big JSON
var json = {...}

// pack the big JSON
var packed = jsonpack.pack(json);

// do stuff...

// And then unpack the packed
var json = jsonpack.unpack(packed);
```
jsonpack can be installed via cpm, volo or npm, or simply downloaded.
Via cpm:
$ cpm install jsonpack
Via volo:
$ volo add sapienlab/jsonpack
Via npm:
$ npm install jsonpack
An object that implements the JSON.parse() and JSON.stringify() members. By default it is the native JSON implementation in ECMAScript 5.
Retrieves a packed representation of the JSON.
** Parameters **
jsonpack.pack(json, { verbose: true });
packs with verbose only
jsonpack.pack(json, { debug: true });
packs with debug only
** Returns: **
```javascript
// Example in node.js, read a file with JSON content and save another file
// with the packed representation of that JSON
var jsonpack = require('jsonpack/main'),
    fs = require('fs');

// read a file called bigData.json and execute with
// jsonContent as the content of the file
fs.readFile('../data/bigData.json', 'utf8', function(error, jsonContent) {
  if (error) throw error;
  // packed now is a string with the packed version of jsonContent
  var packed = jsonpack.pack(jsonContent);
  // save the packed in a file (fs.writeFile requires a callback)
  fs.writeFile('../data/packed.txt', packed, function(error) {
    if (error) throw error;
  });
});
```
```javascript
require(['jsonpack', 'text!../data/bigData.json'], function(jsonpack, jsonContent) {
  // pack the data
  var packed = jsonpack.pack(jsonContent);
  // Do stuff with the packed string
  console.log(packed);
});
```
```html
<script src="path/to/jsonpack/main.js"></script>
<script>
var json = {
  type: 'world',
  name: 'earth',
  children: [{
    type: 'continent',
    name: 'America',
    children: [{
      type: 'country',
      name: 'Chile',
      children: [{
        type: 'commune',
        name: 'Antofagasta'
      }]
    }]
  }, {
    type: 'continent',
    name: 'Europe'
  }]
};
var packed = jsonpack.pack(json);
console.log(packed);
// print:
// "type|world|name|earth|children|continent|America|country|Chile|commune|Antofagasta|Europe^^^$0|1|2|3|4|@$0|5|2|6|4|@$0|7|2|8|4|@$0|9|2|A]]]]]|$0|5|2|B]]]"
</script>
```
Unpacks the data in the packed parameter.
** Parameters **
** Return: ** Object, the clone of the original JSON
```javascript
// Example in node.js, read a file with packed content and save another file
// with the string representation of the original JSON
var jsonpack = require('jsonpack/main'),
    fs = require('fs');

// read a file called packed.txt and execute with
// packed as the content of the file
fs.readFile('../data/packed.txt', 'utf8', function(error, packed) {
  if (error) throw error;
  // data now is a JavaScript Object of the original JSON
  var data = jsonpack.unpack(packed);
  // save the JSON in a file. data is a JavaScript Object, so it must be
  // stringified (and pretty print the JSON with 2 space indents).
  fs.writeFile('../data/unpacked.json', JSON.stringify(data, null, 2), function(error) {
    if (error) throw error;
  });
});
```
```javascript
require(['jsonpack', 'text!../data/packed'], function(jsonpack, packed) {
  // unpack the data
  // json now is a clone of the original JSON
  var json = jsonpack.unpack(packed);
  // Do stuff with the JavaScript object
  console.log(json);
});
```
```html
<script src="path/to/jsonpack/main.js"></script>
<script>
var packed = "type|world|name|earth|children|continent|America|country|Chile|commune|Antofagasta|Europe^^^$0|1|2|3|4|@$0|5|2|6|4|@$0|7|2|8|4|@$0|9|2|A]]]]]|$0|5|2|B]]]";
// unpack the packed to a clone of the original JSON
var json = jsonpack.unpack(packed);
console.log(json);
</script>
```
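The packed sample string shown above can be read by hand, and doing so shows what a consumer of packed data has to validate. The decoder below is an added illustration, not jsonpack's own code: its grammar (a `|`-separated string dictionary, two empty `^` sections, then a structure section of `$` object, `@` array, `]` close and base-36 dictionary indexes) is inferred only from that one sample, and `unpackSample` and `maxDepth` are hypothetical names.

```javascript
// Added illustration: strict decoder for the packed layout seen in the sample.
// The grammar is inferred from that one sample; this is not jsonpack's code.
function unpackSample(packed, maxDepth = 32) {
  const parts = packed.split('^');
  if (parts.length !== 4) throw new Error('expected 4 "^"-separated sections');
  const [strings, ints, floats, structure] = parts;
  if (ints || floats) throw new Error('numeric sections are not handled here');
  if (!/^[$@\]|0-9A-Z]*$/.test(structure)) throw new Error('unexpected character');
  const dict = strings.split('|');
  const tokens = structure.match(/[$@\]]|[0-9A-Z]+/g) || [];
  let pos = 0;

  // Resolve a base-36 token to a dictionary string, rejecting bad indexes.
  function lookup(tok) {
    if (!/^[0-9A-Z]+$/.test(String(tok))) throw new Error('expected an index');
    const i = parseInt(tok, 36);
    if (i >= dict.length) throw new Error('index out of range: ' + tok);
    return dict[i];
  }

  function value(depth) {
    if (depth > maxDepth) throw new Error('nesting too deep');
    const tok = tokens[pos++];
    if (tok === undefined || tok === ']') throw new Error('truncated structure');
    if (tok === '$') {                   // object: key/value pairs until "]"
      const obj = Object.create(null);   // no prototype: "__proto__" is a plain key
      while (tokens[pos] !== ']') {
        const key = lookup(tokens[pos++]);
        obj[key] = value(depth + 1);
      }
      pos++;
      return obj;
    }
    if (tok === '@') {                   // array: values until "]"
      const arr = [];
      while (tokens[pos] !== ']') arr.push(value(depth + 1));
      pos++;
      return arr;
    }
    return lookup(tok);                  // plain string value
  }

  const result = value(0);
  if (pos !== tokens.length) throw new Error('trailing tokens');
  return result;
}
// The sample string from the page.
const samplePacked = 'type|world|name|earth|children|continent|America|country|Chile|commune|Antofagasta|Europe^^^$0|1|2|3|4|@$0|5|2|6|4|@$0|7|2|8|4|@$0|9|2|A]]]]]|$0|5|2|B]]]';
console.log(JSON.stringify(unpackSample(samplePacked), null, 2));
```

Truncated input, an index past the end of the dictionary, or leftover tokens all raise an error instead of producing a partial object.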
Yes, was tested in Node.js, Chrome and Firefox.
I'm not a native English speaker, so create an issue or, better, a pull request for all of my grammatical errors :) As well, if you have a code issue or suggestion, create an issue. Thanks!
The icon is a generic (LGPL) icon by David Vignoni - http://www.icon-king.com/
The MIT License (MIT) Copyright (c) 2013 Rodrigo González, Sapienlab
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
FAQs
We found that jsonpack demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.