serialize-to-js
Comparing version 0.5.0 to 1.0.0
@@ -9,8 +9,12 @@ /* | ||
var sanitize = require('./internal/sanitize') | ||
/** | ||
* deserialize a serialized object to javascript | ||
* | ||
* #### Example - serializing regex, date, buffer, ... | ||
* _NOTE_: Deserialization uses `new Function()` for code evaluation which may be "harmful". | ||
* In default mode input code gets inspected, but removing `new Function, function, eval` might still not be sufficient. | ||
* *So now you are WARNED!* | ||
* | ||
* ```js | ||
* @example <caption>serializing regex, date, buffer, ...</caption> | ||
* var str = '{obj: {foo: "bar"}, arr: [1, "2"], regexp: /^test?$/, date: new Date("2016-04-15T16:22:52.009Z")}' | ||
@@ -23,10 +27,12 @@ * var res = deserialize(str) | ||
* //> date: Sat Apr 16 2016 01:22:52 GMT+0900 (JST) } | ||
* ``` | ||
* | ||
* @throws {Error|TypeError} parsing error | ||
* @param {String} str - string containing serialized data | ||
* @param {Boolean} [unsafe] - if `true` unsafe and harmful code evaluation (default=false) | ||
* @return {Any} deserialized data | ||
*/ | ||
function deserialize (str) { | ||
return (new Function('return ' + str))() | ||
function deserialize (str, unsafe) { | ||
if (!unsafe) str = sanitize(str) | ||
return (new Function('"use strict"; return ' + str))() | ||
} | ||
module.exports = deserialize |
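Review bot: In the new `deserialize (str, unsafe)` body the only protection in the default mode is the `sanitize(str)` call, which the JSDoc above describes as inspecting the input and removing `new Function, function, eval` while warning this "might still not be sufficient", and the result is then executed in-process by `new Function` all the same; the code should carry that limit where it is read, e.g. `// sanitize() is a best-effort denylist, not a sandbox: the string is still executed below, so input must be trusted even when unsafe is false`. The kept `@throws {Error|TypeError}` tag has nothing in the hunk that throws a TypeError; a guard such as `if (typeof str !== 'string') throw new TypeError('str must be a string')` before the sanitize call would make the tag hold instead of depending on how `sanitize` treats a non-string (its body is outside this hunk). Whether `sanitize` throws on rejected input or silently rewrites it is not visible here, and the JSDoc should say which, since a caller that relies on a thrown error behaves differently from one that receives a rewritten value.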
@@ -15,5 +15,3 @@ /* | ||
* | ||
* #### Example - serializing regex, date, buffer, ... | ||
* | ||
* ```js | ||
* @example <caption>serializing regex, date, buffer, ...</caption> | ||
* var serialize = require('serialize-to-js').serialize; | ||
@@ -34,7 +32,4 @@ * var obj = { | ||
* // > {str: "\u003Cscript\u003Evar a = 0 \u003E 1\u003C\u002Fscript\u003E", num: 3.1415, bool: true, nil: null, undef: undefined, obj: {foo: "bar"}, arr: [1, "2"], regexp: /^test?$/, date: new Date("2016-04-15T16:22:52.009Z"), buffer: new Buffer('ZGF0YQ==', 'base64')} | ||
* ``` | ||
* | ||
* #### Example - serializing while respecting references | ||
* | ||
* ```js | ||
* @example <caption>serializing while respecting references</caption> | ||
* var serialize = require('serialize-to-js').serialize; | ||
@@ -48,3 +43,2 @@ * var obj = { object: { regexp: /^test?$/ } }; | ||
* //> [ [ '.reference', '.object' ] ] | ||
* ``` | ||
* | ||
@@ -51,0 +45,0 @@ * @param {Object|Array|Function|Any} source - source to serialize |
@@ -14,5 +14,3 @@ /* | ||
* | ||
* #### Example - serializing while respecting references | ||
* | ||
* ```js | ||
* @example <caption>serializing while respecting references</caption> | ||
* var serialTM = require('serialize-to-js').serializeToModule; | ||
@@ -28,3 +26,2 @@ * var obj = { object: { regexp: /^test?$/ } }; | ||
* //> m.reference = m.object | ||
* ``` | ||
* | ||
@@ -31,0 +28,0 @@ * @param {Object|Array|Function|Any} source - source to serialize |
{ | ||
"name": "serialize-to-js", | ||
"version": "0.5.0", | ||
"version": "1.0.0", | ||
"description": "serialize objects to javascript", | ||
@@ -14,2 +14,3 @@ "main": "lib", | ||
"dependencies": { | ||
"esprima": "^3.1.3", | ||
"js-beautify": "~1.6.8" | ||
@@ -19,3 +20,3 @@ }, | ||
"eslint": "^3.13.1", | ||
"eslint-config-standard": "^6.2.1", | ||
"eslint-config-standard": "^7.0.0-beta.0", | ||
"eslint-plugin-promise": "^3.4.0", | ||
@@ -28,4 +29,4 @@ "eslint-plugin-standard": "^2.0.1", | ||
"scripts": { | ||
"test": "mocha --reporter spec --check-leaks test/*.mocha.js", | ||
"cover": "istanbul cover _mocha --report lcov --report text -- --reporter dot --check-leaks test/*.mocha.js", | ||
"test": "mocha --reporter spec --check-leaks test/*.js", | ||
"cover": "istanbul cover _mocha --report lcov --report text -- --reporter dot --check-leaks test/*.js", | ||
"doc": "jsdox -o doc lib/*.js", | ||
@@ -32,0 +33,0 @@ "lint": "eslint --quiet '**/*.js'", |
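Review bot: `esprima` enters as a runtime dependency with the caret range `^3.1.3`, and it is presumably the parser behind the new default-mode sanitizer (inferred; the sanitizer's source is not on this page). Since that check is the only safeguard the package applies when `unsafe` is false, its behaviour now follows whatever esprima version resolves at install time; an exact version (`"esprima": "3.1.3"`) or a committed lockfile would keep the parsing behaviour the sanitizer was written against reproducible. The `~1.6.8` range already used for `js-beautify` shows the project is willing to constrain ranges more tightly than a caret.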
@@ -101,2 +101,6 @@ # serialize-to-js | ||
> _NOTE_: Deserialization uses `new Function()` for code evaluation which may be "harmful". | ||
> In default mode input code gets inspected, but removing `new Function, function, eval` might still not be sufficient. | ||
> **SO NOW YOU ARE WARNED!** | ||
#### Example - deserializing regex, date, ... | ||
@@ -118,2 +122,4 @@ | ||
**unsafe**: `Boolean`, if `true` unsafe and harmful code evaluation (default=false) | ||
**Returns**: `Any`, deserialized data | ||
@@ -120,0 +126,0 @@ |
+ Added esprima@^3.1.3
+ Added esprima@3.1.3 (transitive)