# destr [![npm version][npm-version-src]][npm-version-href] [![npm downloads][npm-downloads-src]][npm-downloads-href] [![bundle][bundle-src]][bundle-href] [![License][license-src]][license-href] A faster, secure and convenient alternative for [`JSON.parse`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse). ## Usage ### Node.js Install dependency: ```bash # npm npm i destr # yarn yarn add destr # pnpm pnpm i destr ``` Import into your Node.js project: ```js // ESM import { destr, safeDestr } from "destr"; // CommonJS const { destr, safeDestr } = require("destr"); ``` ### Deno ```js import { destr, safeDestr } from "https://deno.land/x/destr/src/index.ts"; console.log(destr('{ "deno": "yay" }')); ``` ## Why? ### ✅ Type Safe ```ts const obj = JSON.parse("{}"); // obj type is any const obj = destr("{}"); // obj type is unknown by default const obj = destr("{}"); // obj is well-typed ``` ### ✅ Fast fallback to input if is not string > 🚀 Up to 500 times faster than `JSON.parse`! ```js // Uncaught SyntaxError: Unexpected token u in JSON at position 0 JSON.parse(); // undefined destr(); ``` ### ✅ Fast lookup for known string values > 🚀 Up to 900 times faster than `JSON.parse`! ```js // Uncaught SyntaxError: Unexpected token T in JSON at position 0 JSON.parse("TRUE"); // true destr("TRUE"); ``` ### ✅ Fallback to original value if parse fails (empty or any plain string) > 🚀 Up to 900 times faster than `JSON.parse`! ```js // Uncaught SyntaxError: Unexpected token s in JSON at position 0 JSON.parse("salam"); // "salam" destr("salam"); ``` **Note:** This fails in safe/strict mode with `safeDestr`. ### ✅ Avoid prototype pollution ```js const input = '{ "user": { "__proto__": { "isAdmin": true } } }'; // { user: { __proto__: { isAdmin: true } } } JSON.parse(input); // { user: {} } destr(input); ``` ### ✅ Strict Mode When using `safeDestr` it will throw an error if the input is not a valid JSON string or parsing fails. (non string values and built-ins will be still returned as-is) ```js // Returns "[foo" destr("[foo"); // Throws an error safeDestr("[foo"); ``` ## Benchmarks `destr` is sometimes little bit slower than `JSON.parse` when parsing a valid JSON string mainly because of transform to avoid [prototype pollution](https://learn.snyk.io/lessons/prototype-pollution/javascript/) which can lead to serious security issues if not being sanitized. In the other words, `destr` is better when input is not always a JSON string or from untrusted source like request body. Check [Benchmarks](./BENCH.md) ## License MIT. Made with 💖 [npm-version-src]: https://img.shields.io/npm/v/destr?style=flat&colorA=18181B&colorB=F0DB4F [npm-version-href]: https://npmjs.com/package/destr [npm-downloads-src]: https://img.shields.io/npm/dm/destr?style=flat&colorA=18181B&colorB=F0DB4F [npm-downloads-href]: https://npmjs.com/package/destr [bundle-src]: https://img.shields.io/bundlephobia/minzip/destr?style=flat&colorA=18181B&colorB=F0DB4F [bundle-href]: https://bundlephobia.com/result?p=destr [license-src]: https://img.shields.io/github/license/unjs/destr.svg?style=flat&colorA=18181B&colorB=F0DB4F [license-href]: https://github.com/unjs/destr/blob/main/LICENSE