serialize-to-js

Comparing version 1.0.0 to 1.1.0

17

lib/deserialize.js
/*
* @copyright 2016 commenthol
* @copyright 2016- commenthol
* @license MIT

@@ -9,3 +9,3 @@ */

var sanitize = require('./internal/sanitize')
var saferEval = require('safer-eval')

@@ -15,4 +15,3 @@ /**

*
* _NOTE_: Deserialization uses `new Function()` for code evaluation which may be "harmful".
* In default mode input code gets inspected, but removing `new Function, function, eval` might still not be sufficient.
* _NOTE_: Deserialization uses `safer-eval` for code evaluation which may be "harmful".
* *So now you are WARNED!*

@@ -31,9 +30,11 @@ *

* @param {String} str - string containing serialized data
* @param {Boolean} [unsafe] - if `true` unsafe and harmful code evaluation (default=false)
* @param {Object|Boolean} [context] - pass context - if `true` unsafe execution
* @return {Any} deserialized data
*/
function deserialize (str, unsafe) {
if (!unsafe) str = sanitize(str)
return (new Function('"use strict"; return ' + str))()
function deserialize (str, context) {
if (context === true) {
return (new Function('"use strict"; return ' + str))() // unsafe execution
}
return saferEval(str, context)
}
module.exports = deserialize
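Review bot: Neither branch of the new `deserialize` checks that `str` is a string, so a non-string argument is stringified into the `new Function('"use strict"; return ' + str)` source or handed to `saferEval` as-is; add `if (typeof str !== 'string') throw new TypeError('str must be a string')` at the top of the function. The `context === true` branch is a complete bypass of the sandbox, and `safer-eval` itself is presumably a vm-style sandbox rather than a security boundary (its internals are not in this diff), so the JSDoc line `_NOTE_: Deserialization uses \`safer-eval\` ...` should state that `context: true` evaluates the input unsandboxed in the host process and that every property of an object passed as `context` (the README suggests `{Buffer: Buffer}`) becomes reachable from the deserialized code. Callers that previously passed a truthy non-`true` value as the old `unsafe` flag now have it treated as a context object, which the docs do not mention.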
/*
* @copyright 2015 commenthol
* @copyright 2015- commenthol
* @license MIT

@@ -4,0 +4,0 @@ */

@@ -94,15 +94,6 @@ /* eslint

TYPED_ARRAYS.forEach(function (i) {
var fn = new Function('arg', 'return (arg instanceof ' + i + ')')
exports['is' + i] = function (arg) {
return fn(arg)
}
})
function isTypedArray (arg) {
for (var i in TYPED_ARRAYS) {
var type = TYPED_ARRAYS[i]
if (exports['is' + type](arg)) {
return type
}
var type = toType(arg)
if (TYPED_ARRAYS.indexOf(type) !== -1) {
return type
}

@@ -115,1 +106,5 @@ }

}
function toType (o) {
return objectToString(o).replace(/^\[object (.*)\]$/, '$1')
}
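Review bot: The new `isTypedArray` decides by the string tag returned from `toType(arg)`, so a plain object that defines `Symbol.toStringTag` as e.g. `'Uint8Array'` is reported as a typed array, whereas the removed `instanceof` checks could not be spoofed that way; for a serializer this only matters if the object graph being serialized is untrusted, which the diff does not establish. Worth recording above the `indexOf` check: `// tag-based: spoofable via Symbol.toStringTag, but works across realms where instanceof would fail`. `objectToString` is not defined in the hunk, so I assume it is `Object.prototype.toString`; if it resolves to `o.toString` instead, the tag is trivially forgeable and should be replaced by `Object.prototype.toString.call(o)`. isTypedArray's tail after the `if` lies outside the hunk.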
/*
* @copyright 2016 commenthol
* @copyright 2016- commenthol
* @license MIT

@@ -4,0 +4,0 @@ */

/*
* @copyright 2016 commenthol
* @copyright 2016- commenthol
* @license MIT

@@ -4,0 +4,0 @@ */

{
"name": "serialize-to-js",
"version": "1.0.0",
"version": "1.1.0",
"description": "serialize objects to javascript",
"main": "lib",
"engines": {
"node": ">=0.8.0"
"node": ">=4.0.0"
},

@@ -14,4 +14,4 @@ "directories": {

"dependencies": {
"esprima": "^3.1.3",
"js-beautify": "~1.6.8"
"js-beautify": "~1.6.8",
"safer-eval": "^1.2.0"
},

@@ -28,3 +28,3 @@ "devDependencies": {

"scripts": {
"test": "mocha --reporter spec --check-leaks test/*.js",
"test": "mocha test/*.js",
"cover": "istanbul cover _mocha --report lcov --report text -- --reporter dot --check-leaks test/*.js",

@@ -31,0 +31,0 @@ "doc": "jsdox -o doc lib/*.js",
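Review bot: The `test` script at `"test": "mocha test/*.js"` drops `--check-leaks`, which was the one check that would flag code evaluated through `new Function`/safer-eval leaking names onto the host global; restore it as `"test": "mocha --check-leaks test/*.js"` (the `cover` script still passes the flag, so the two now disagree). The new `"safer-eval": "^1.2.0"` range floats across future minor releases of the component that executes deserialized input, so an exact pin or a committed lockfile is advisable for this dependency in particular.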

@@ -97,3 +97,3 @@ # serialize-to-js

`deserialize(str)`
`deserialize(str, [context])`

@@ -103,5 +103,6 @@ deserialize a serialized object to javascript

> _NOTE_: Deserialization uses `new Function()` for code evaluation which may be "harmful".
> In default mode input code gets inspected, but removing `new Function, function, eval` might still not be sufficient.
> **SO NOW YOU ARE WARNED!**
Uses [safer-eval][] for deserialization.
#### Example - deserializing regex, date, ...

@@ -123,3 +124,3 @@

**unsafe**: `Boolean`, if `true` unsafe and harmful code evaluation (default=false)
**context**: (optional) pass context e.g. if requiring Buffer use `{Buffer: Buffer}`.

@@ -182,1 +183,2 @@ **Returns**: `Any`, deserialized data

[LICENSE]: ./LICENSE
[safer-eval]: https://github.com/commenthol/safer-eval