serialize-to-js - npm Package Compare versions

Comparing version 0.5.0 to 1.0.0

lib/deserialize.js

@@ -9,8 +9,12 @@ /*
 
+var sanitize = require('./internal/sanitize')
+
 /**
  * deserialize a serialized object to javascript
  *
- * #### Example - serializing regex, date, buffer, ...
+ * _NOTE_: Deserialization uses `new Function()` for code evaluation which may be "harmful".
+ * In default mode input code gets inspected, but removing `new Function, function, eval` might still not be sufficient.
+ * *So now you are WARNED!*
  *
- * ```js
+ * @example <caption>serializing regex, date, buffer, ...</caption>
  * var str = '{obj: {foo: "bar"}, arr: [1, "2"], regexp: /^test?$/, date: new Date("2016-04-15T16:22:52.009Z")}'
@@ -23,10 +27,12 @@ * var res = deserialize(str)
  * //>   date: Sat Apr 16 2016 01:22:52 GMT+0900 (JST) }
- * ```
  *
+ * @throws {Error|TypeError} parsing error
  * @param {String} str - string containing serialized data
+ * @param {Boolean} [unsafe] - if `true` unsafe and harmful code evaluation (default=false)
  * @return {Any} deserialized data
  */
-function deserialize (str) {
-  return (new Function('return ' + str))()
+function deserialize (str, unsafe) {
+  if (!unsafe) str = sanitize(str)
+  return (new Function('"use strict"; return ' + str))()
 }
 module.exports = deserialize

lib/serialize.js

@@ -15,5 +15,3 @@ /*
  *
- * #### Example - serializing regex, date, buffer, ...
- *
- * ```js
+ * @example <caption>serializing regex, date, buffer, ...</caption>
  * var serialize = require('serialize-to-js').serialize;
@@ -34,7 +32,4 @@ * var obj = {
  * // > {str: "\u003Cscript\u003Evar a = 0 \u003E 1\u003C\u002Fscript\u003E", num: 3.1415, bool: true, nil: null, undef: undefined, obj: {foo: "bar"}, arr: [1, "2"], regexp: /^test?$/, date: new Date("2016-04-15T16:22:52.009Z"), buffer: new Buffer('ZGF0YQ==', 'base64')}
- * ```
  *
- * #### Example - serializing while respecting references
- *
- * ```js
+ * @example <caption>serializing while respecting references</caption>
  * var serialize = require('serialize-to-js').serialize;
@@ -48,3 +43,2 @@ * var obj = { object: { regexp: /^test?$/ } };
  * //> [ [ '.reference', '.object' ] ]
- * ```
  *
@@ -51,0 +45,0 @@ * @param {Object|Array|Function|Any} source - source to serialize

lib/serializeToModule.js

@@ -14,5 +14,3 @@ /*
  *
- * #### Example - serializing while respecting references
- *
- * ```js
+ * @example <caption>serializing while respecting references</caption>
  * var serialTM = require('serialize-to-js').serializeToModule;
@@ -28,3 +26,2 @@ * var obj = { object: { regexp: /^test?$/ } };
  * //> m.reference = m.object
- * ```
  *
@@ -31,0 +28,0 @@ * @param {Object|Array|Function|Any} source - source to serialize

package.json

 {
   "name": "serialize-to-js",
-  "version": "0.5.0",
+  "version": "1.0.0",
   "description": "serialize objects to javascript",
@@ -14,2 +14,3 @@ "main": "lib",
   "dependencies": {
+    "esprima": "^3.1.3",
     "js-beautify": "~1.6.8"
@@ -19,3 +20,3 @@ },
     "eslint": "^3.13.1",
-    "eslint-config-standard": "^6.2.1",
+    "eslint-config-standard": "^7.0.0-beta.0",
     "eslint-plugin-promise": "^3.4.0",
@@ -28,4 +29,4 @@ "eslint-plugin-standard": "^2.0.1",
   "scripts": {
-    "test": "mocha --reporter spec --check-leaks test/*.mocha.js",
-    "cover": "istanbul cover _mocha --report lcov --report text -- --reporter dot --check-leaks test/*.mocha.js",
+    "test": "mocha --reporter spec --check-leaks test/*.js",
+    "cover": "istanbul cover _mocha --report lcov --report text -- --reporter dot --check-leaks test/*.js",
     "doc": "jsdox -o doc lib/*.js",
@@ -32,0 +33,0 @@ "lint": "eslint --quiet '**/*.js'",

README.md

@@ -101,2 +101,6 @@ # serialize-to-js
 
+> _NOTE_: Deserialization uses `new Function()` for code evaluation which may be "harmful".
+> In default mode input code gets inspected, but removing `new Function, function, eval` might still not be sufficient.  
+> **SO NOW YOU ARE WARNED!**
+
 #### Example - deserializing regex, date, ...
@@ -118,2 +122,4 @@
 
+**unsafe**: `Boolean`, if `true` unsafe and harmful code evaluation (default=false)
+
 **Returns**: `Any`, deserialized data
@@ -120,0 +126,0 @@

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Uses eval

Supply chain risk

Package uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Deprecated

Maintenance

The maintainer of the package marked it as deprecated. This could indicate that a single version should not be used, or that the package is no longer maintained and any new vulnerabilities will not be fixed.

Found 1 instance in 1 package

No v1

Quality

Package is not semver >=1. This means it is not stable and does not support ^ ranges.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

20038

increased by10.36%

Number of package files

10

increased by11.11%

Lines of code

438

increased by8.15%

Number of medium maintenance alerts

0

decreased by-100%

Number of low quality alerts

0

decreased by-100%

Number of lines in readme file

179

increased by3.47%

Worsened metrics

Dependency count

2

increased by100%

Number of medium supply chain risk alerts

1

increased byInfinity%

Dependency changes

• + Addedesprima@^3.1.3

• + Addedesprima@3.1.3(transitive)