destr

A faster, secure and convenient alternative for JSON.parse

Usage no npm install needed!

<script type="module">
  import destr from 'https://cdn.skypack.dev/destr';
</script>

README

destr

A faster, secure and convenient alternative for JSON.parse:

npm version npm downloads bundle phobia

Usage

Node.js

Install using npm or yarn:

npm i destr
# or
yarn add destr

Import into your Node.js project:

// CommonJS
const destr = require('destr')

// ESM
import destr from 'destr'

Deno

import destr from 'https://deno.land/x/destr/src/index.ts'

console.log(destr('{ "deno": "yay" }'))

Why?

Please note that destr is little bit slower when parsing a standard JSON string mainly because of transform to avoid prototype pollution which can lead to serious security issues if not being sanetized. In the other words, destr is better when input is not always a json string or from untrsuted source like request body.

Fast fallback to input if is not string:

// Uncaught SyntaxError: Unexpected token u in JSON at position 0
JSON.parse()

// undefined
destr()
// JSON.parse x 5,324,474 ops/sec ±0.65% (94 runs sampled)
JSON.parse(3.14159265359)

// destr x 657,187,095 ops/sec ±0.06% (98 runs sampled)
destr(3.14159265359)

Fast lookup for known string values:

// Uncaught SyntaxError: Unexpected token T in JSON at position 0
JSON.parse('TRUE')

// true
destr('TRUE')
// JSON.parse x 10,407,488 ops/sec ±0.30% (97 runs sampled)
JSON.parse('true')

// destr x 88,634,032 ops/sec ±0.32% (95 runs sampled)
destr('true')

Fallback to original value if parse fails (empty or any plain string):

// Uncaught SyntaxError: Unexpected token s in JSON at position 0
// JSON.parse (try-catch) x 248,212 ops/sec ±1.22% (84 runs sampled
JSON.parse('salam')

// destr x 30,867,179 ops/sec ±0.49% (94 runs sampled)
destr('salam')

Avoid prototype pollution:

const input = '{ "user": { "__proto__": { "isAdmin": true } } }'

// { user: { __proto__: { isAdmin: true } } }
JSON.parse(input)

// { user: {} }
destr(input)

License

MIT. Made with 💖