npmpackage.info

Gathering detailed insights and metrics for secure-json-parse

Other packages similar to secure-json-parse

@types/secure-json-parse

1.0.5

TypeScript definitions for secure-json-parse

@supercharge/json

2.0.0

Secure drop-in replacement for the global `JSON` object

ld-jsonstream

3.0.0

Simple and secure newline delimited JSON stream parser

@bobyzgirlllnpm/quas-aspernatur-assumenda

1.0.0

A lean, zero dependency library to provide a useful base for your project. Checksums, cryptography, codecs, date-times, error-checking-codes, logging, pseudorandom number generation. The tools you need for any project. Secure build pipeline, provenance

Gathering detailed insights and metrics for secure-json-parse

secure-json-parse - 4.0.0 | npmpackage.info

secure-json-parse

JSON.parse() drop-in replacement with prototype poisoning protection

4.0.0

237

NOASSERTION

JavaScript

41.06 kB

6.9

Installations

npm install secure-json-parse

Developer Guide

BETA

Typescript

Yes

Module System

CommonJS

Node Version

20.18.1

NPM Version

10.8.2 Pull Requests

Open

0

Total

135

Closed

15

Merged

120

Issues

Open

0

Total

10

Closed

10

Releases

v4.0.0

Updated on Mar 09, 2025

v3.0.2

Updated on Jan 03, 2025

v3.0.1

Updated on Nov 18, 2024

v3.0.0

Updated on Sep 03, 2024

v2.7.0

Updated on Jan 10, 2023

v2.6.0

Updated on Dec 05, 2022

View All 15 releases

Languages

JavaScript

TypeScript

JavaScript (95.68%)

TypeScript (4.32%)

Developer

fastify

Download Statistics

Total Downloads

Last Day

Last Week

Last Month

Last Year

GitHub Statistics

NOASSERTION License

237 Stars

198 Commits

18 Forks

13 Watchers

2 Branches

31 Contributors

Updated on Jun 23, 2025

Sponsor this package

https://github.com/sponsors/fastify https://opencollective.com/fastify

Maintainers

View All 31 Contributors

Package Meta Information

Latest Version

4.0.0

Package Id

secure-json-parse@4.0.0

Unpacked Size

41.06 kB

Size

8.47 kB

File Count

NPM Version

10.8.2

Node Version

20.18.1

Published on

Mar 09, 2025

Total Downloads

Cumulative downloads

Total Downloads

NaN

Last Day

NaN

Compared to previous day

Last Week

NaN

Compared to previous week

Last Month

NaN

Compared to previous month

Last Year

NaN

Compared to previous year

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dev Dependencies

@fastify/pre-commit airtap airtap-playwright eslint neostandard nyc playwright tape tsd

secure-json-parse

JSON.parse() drop-in replacement with prototype poisoning protection.

Introduction

Consider this:

1> const a = '{"__proto__":{ "b":5}}';
2'{"__proto__":{ "b":5}}'
3
4> const b = JSON.parse(a);
5{ __proto__: { b: 5 } }
6
7> b.b;
8undefined
9
10> const c = Object.assign({}, b);
11{}
12
13> c.b
145

The problem is that JSON.parse() retains the __proto__ property as a plain object key. By itself, this is not a security issue. However, as soon as that object is assigned to another or iterated on and values copied, the __proto__ property leaks and becomes the object's prototype.

Install

npm i secure-json-parse

Usage

Pass the option object as a second (or third) parameter for configuring the action to take in case of a bad JSON, if nothing is configured, the default is to throw a SyntaxError.
You can choose which action to perform in case __proto__ is present, and in case constructor.prototype is present.

1const sjson = require('secure-json-parse')
2
3const goodJson = '{ "a": 5, "b": 6 }'
4const badJson = '{ "a": 5, "b": 6, "__proto__": { "x": 7 }, "constructor": {"prototype": {"bar": "baz"} } }'
5
6console.log(JSON.parse(goodJson), sjson.parse(goodJson, undefined, { protoAction: 'remove', constructorAction: 'remove' }))
7console.log(JSON.parse(badJson), sjson.parse(badJson, undefined, { protoAction: 'remove', constructorAction: 'remove' }))

API

`sjson.parse(text, [reviver], [options])`

Parses a given JSON-formatted text into an object where:

text - the JSON text string.
reviver - the JSON.parse() optional reviver argument.
options - optional configuration object where:
- protoAction - optional string with one of:
  - 'error' - throw a SyntaxError when a __proto__ key is found. This is the default value.
  - 'remove' - deletes any __proto__ keys from the result object.
  - 'ignore' - skips all validation (same as calling JSON.parse() directly).
- constructorAction - optional string with one of:
  - 'error' - throw a SyntaxError when a constructor.prototype key is found. This is the default value.
  - 'remove' - deletes any constructor keys from the result object.
  - 'ignore' - skips all validation (same as calling JSON.parse() directly).

`sjson.scan(obj, [options])`

Scans a given object for prototype properties where:

obj - the object being scanned.
options - optional configuration object where:
- protoAction - optional string with one of:
  - 'error' - throw a SyntaxError when a __proto__ key is found. This is the default value.
  - 'remove' - deletes any __proto__ keys from the input obj.
- constructorAction - optional string with one of:
  - 'error' - throw a SyntaxError when a constructor.prototype key is found. This is the default value.
  - 'remove' - deletes any constructor keys from the input obj.

Benchmarks

Machine: 2,7 GHz Quad-Core Intel Core i7

v14.8.0

> node ignore.js

JSON.parse x 679,376 ops/sec ±1.15% (84 runs sampled)
secure-json-parse x 649,605 ops/sec ±0.58% (87 runs sampled)
reviver x 244,414 ops/sec ±1.05% (88 runs sampled)
Fastest is JSON.parse

> node no__proto__.js

JSON.parse x 652,190 ops/sec ±0.67% (86 runs sampled)
secure-json-parse x 589,785 ops/sec ±1.01% (88 runs sampled)
reviver x 218,075 ops/sec ±1.58% (87 runs sampled)
Fastest is JSON.parse

> node remove.js

JSON.parse x 683,527 ops/sec ±0.62% (88 runs sampled)
secure-json-parse x 316,926 ops/sec ±0.63% (87 runs sampled)
reviver x 214,167 ops/sec ±0.63% (86 runs sampled)
Fastest is JSON.parse

> node throw.js

JSON.parse x 682,548 ops/sec ±0.60% (88 runs sampled)
JSON.parse error x 170,716 ops/sec ±0.93% (87 runs sampled)
secure-json-parse x 104,483 ops/sec ±0.62% (87 runs sampled)
reviver x 114,197 ops/sec ±0.63% (87 runs sampled)
Fastest is JSON.parse

Acknowledgments

This project has been forked from hapijs/bourne. All credit before commit 4690682 goes to the hapijs/bourne project contributors. After, the project will be maintained by the Fastify team.

License

Licensed under BSD-3-Clause.

No vulnerabilities found.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

10

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

10

Security-Policy

Determines if the project has published a security policy.

10

SAST

Determines if the project uses static code analysis.

9

License

Determines if the project has defined a license.

5

Maintained

Determines if the project is "actively maintained".

1

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

1

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

Reason

dependency not pinned by hash detected -- score normalized to 1

Details

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:95: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/secure-json-parse/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/secure-json-parse/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:118: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/secure-json-parse/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:123: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/secure-json-parse/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/secure-json-parse/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/secure-json-parse/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/secure-json-parse/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/secure-json-parse/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/fastify/secure-json-parse/ci.yml/main?enable=pin
Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:130
Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:55
Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:78
Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:107
Info: 1 out of 10 GitHub-owned GitHubAction dependencies pinned
Info: 1 out of 1 third-party GitHubAction dependencies pinned
Info: 0 out of 4 npmCommand dependencies pinned

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Fuzzing

Determines if the project uses fuzzing.

Score

6.9

/10

Last Scanned on 2025-07-07

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More