Research
/Security News
11 Malicious Go Packages Distribute Obfuscated Remote Payloads
Socket uncovered 11 malicious Go packages using obfuscated loaders to fetch and execute second-stage payloads via C2 domains.
By Olivia Brown - Aug 06, 2025
You're Invited:Meet the Socket Team at BlackHat and DEF CON in Las Vegas, Aug 4-6.RSVP →
stable-hash-x
Advanced tools
stable-hash-x
A tiny and fast (600B unpkg) lib for "stably hashing" a JavaScript value, works with cross-realm objects. Originally created for SWR by Shu Ding at stable-hash, we forked it because the original one is a bit out of maintenance for a long time.
It's similar to JSON.stringify(value), but:
- Supports any JavaScript value (
BigInt,NaN,Symbol,function,class, ...) - Sorts object keys (stable)
- Supports circular objects
TOC
Use
yarn add stable-hash-x
import { hash } from 'stable-hash-x'
hash(anyJavaScriptValueHere) // returns a string
hash(anyJavaScriptValueHere, true) // if you're running in cross-realm environment, it's disabled by default for performance
Examples
Primitive Value
hash(1)
hash('foo')
hash(true)
hash(undefined)
hash(null)
hash(NaN)
BigInt:
hash(1) === hash(1n)
hash(1) !== hash(2n)
Symbol:
hash(Symbol.for('foo')) === hash(Symbol.for('foo'))
hash(Symbol.for('foo')) === hash(Symbol('foo'))
hash(Symbol('foo')) === hash(Symbol('foo'))
hash(Symbol('foo')) !== hash(Symbol('bar'))
Since Symbols cannot be serialized, stable-hash-x simply uses its description as the hash.
Regex
hash(/foo/) === hash(/foo/)
hash(/foo/) !== hash(/bar/)
Date
hash(new Date(1)) === hash(new Date(1))
Array
hash([1, '2', [new Date(3)]]) === hash([1, '2', [new Date(3)]])
hash([1, 2]) !== hash([2, 1])
Circular:
const foo = []
foo.push(foo)
hash(foo) === hash(foo)
Object
hash({ foo: 'bar' }) === hash({ foo: 'bar' })
hash({ foo: { bar: 1 } }) === hash({ foo: { bar: 1 } })
Stable:
hash({ a: 1, b: 2, c: 3 }) === hash({ c: 3, b: 2, a: 1 })
Circular:
const foo = {}
foo.foo = foo
hash(foo) === hash(foo)
Function, Class, Set, Map, Buffer...
stable-hash-x guarantees reference consistency (===) for objects that the constructor isn't Object.
const foo = () => {}
hash(foo) === hash(foo)
hash(foo) !== hash(() => {})
class Foo {}
hash(Foo) === hash(Foo)
hash(Foo) !== hash(class {})
const foo = new Set([1])
hash(foo) === hash(foo)
hash(foo) !== hash(new Set([1]))
Cross-realm
import { runInNewContext } from 'node:vm'
const obj1 = {
a: 1,
b: new Date('2022-06-25T01:55:27.743Z'),
c: /test/,
f: Symbol('test'),
}
const obj2 = runInNewContext(`({
a: 1,
b: new Date('2022-06-25T01:55:27.743Z'),
c: /test/,
f: Symbol('test'),
})`)
obj1 === obj2 // false
hash(obj1) === hash(obj2, true) // true
Benchmark
┌─────────┬────────────────────────────────┬──────────────────┬───────────────────┬────────────────────────┬────────────────────────┬─────────┐
│ (index) │ Task name │ Latency avg (ns) │ Latency med (ns) │ Throughput avg (ops/s) │ Throughput med (ops/s) │ Samples │
├─────────┼────────────────────────────────┼──────────────────┼───────────────────┼────────────────────────┼────────────────────────┼─────────┤
│ 0 │ 'stable-hash-x' │ '7877.4 ± 1.57%' │ '7042.0 ± 167.00' │ '138708 ± 0.05%' │ '142005 ± 3449' │ 126975 │
│ 1 │ 'hash-object' │ '17632 ± 0.73%' │ '16708 ± 458.00' │ '58820 ± 0.07%' │ '59852 ± 1600' │ 56716 │
│ 2 │ 'json-stringify-deterministic' │ '10901 ± 0.83%' │ '10250 ± 250.00' │ '95860 ± 0.05%' │ '97561 ± 2439' │ 91739 │
│ 3 │ 'stable-hash' │ '8318.5 ± 3.27%' │ '7042.0 ± 208.00' │ '138347 ± 0.06%' │ '142005 ± 4074' │ 120214 │
└─────────┴────────────────────────────────┴──────────────────┴───────────────────┴────────────────────────┴────────────────────────┴─────────┘
Notes
This function does something similar to JSON.stringify, but more than it. It doesn't generate a secure checksum, which usually has a fixed length and is hard to be reversed. With stable-hash-x it's still possible to get the original data. Also, the output might include any charaters, not just alphabets and numbers like other hash algorithms. So:
- Use another encoding layer on top of it if you want to display the output.
- Use another crypto layer on top of it if you want to have a secure and fixed length hash.
import crypto from 'node:crypto'
import { hash } from 'stable-hash-x'
const weakHash = hash(anyJavaScriptValueHere)
const encodedHash = Buffer.from(weakHash).toString('base64')
const safeHash = crypto.createHash('MD5').update(weakHash).digest('hex')
Also, the consistency of this lib is sometimes guaranteed by the singularity of the WeakMap instance. So it might not generate the consistent results when running in different runtimes, e.g. server/client or parent/worker scenarios.
Sponsors and Backers
Sponsors
| 1stG | RxTS | UnRS | UnTS |
|---|---|---|---|
 |  |  |  |
Backers
| 1stG | RxTS | UnRS | UnTS |
|---|---|---|---|
 |  |  |  |
Changelog
Detailed changes for each release are documented in CHANGELOG.md.
License
Originally created by Shu Ding.
FAQs
Stable JS value hash.
The npm package stable-hash-x receives a total of 1,512,824 weekly downloads. As such, stable-hash-x popularity was classified as popular.
We found that stable-hash-x demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 25 Jun 2025
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
TC39 Advances 11 Proposals for Math Precision, Binary APIs, and More
TC39 advances 11 JavaScript proposals, with two moving to Stage 4, bringing better math, binary APIs, and more features one step closer to the ECMAScript spec.
By Sarah Gooding - Aug 06, 2025
Research
/Security News
Critical Vulnerability in NestJS Devtools: Localhost RCE via Sandbox Escape
A flawed sandbox in @nestjs/devtools-integration lets attackers run code on your machine via CSRF, leading to full Remote Code Execution (RCE).
By Jonathan Leitschuh - Aug 01, 2025