{"id":13092,"library":"dset","title":"dset: Tiny Deep Object Setter","description":"dset is a minimalist JavaScript utility, currently at version 3.1.4, designed for safely setting deeply nested values within objects. It distinguishes itself by its extremely small footprint (under 200 bytes gzipped for the main module) and explicit protection against prototype pollution since v2.1.0. The package has a stable release cadence with frequent patch updates and less frequent minor/major releases. A key differentiator is the `dset/merge` submodule, introduced in v3.1.0, which provides a merging behavior for deep object writes, useful for scenarios like GraphQL stream directives, contrasting with the main `dset` module's default overwrite behavior. It ships with TypeScript definitions, making it well-suited for modern JavaScript and TypeScript projects.","status":"active","version":"3.1.4","language":"javascript","source_language":"en","source_url":"https://github.com/lukeed/dset","tags":["javascript","deepset","values","object","write","deep","safe","set","typescript"],"install":[{"cmd":"npm install dset","lang":"bash","label":"npm"},{"cmd":"yarn add dset","lang":"bash","label":"yarn"},{"cmd":"pnpm add dset","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"The `dset` function is a named export since v3.0.0. Default imports are incorrect for v3+.","wrong":"import dset from 'dset';","symbol":"dset","correct":"import { dset } from 'dset';"},{"note":"Use a named alias (e.g., `mergeDset`) to avoid collision if also importing the main `dset` function. This submodule offers merge semantics instead of overwriting.","wrong":"import { dset } from 'dset/merge';","symbol":"mergeDset","correct":"import { dset as mergeDset } from 'dset/merge';"},{"note":"While primarily an ESM-first library, a CommonJS bundle is available. Remember `dset` is a named export, even in CommonJS.","wrong":"const dset = require('dset');","symbol":"dset function (CommonJS)","correct":"const { dset } = require('dset');"}],"quickstart":{"code":"import { dset } from 'dset';\n\n// Initialize with an existing object\nlet myObject: Record<string, any> = {\n  existingKey: 123,\n  nested: {\n    array: [10, 20],\n    value: 'old'\n  }\n};\n\nconsole.log('Initial object:', JSON.stringify(myObject));\n\n// Set a new deep value, creating intermediate objects as needed\ndset(myObject, 'foo.bar', 'hello world');\nconsole.log('After setting foo.bar:', JSON.stringify(myObject));\n\n// Overwrite an existing non-object value with a new nested structure (v3+ behavior)\ndset(myObject, 'existingKey.newProp', 456);\nconsole.log('After overwriting existingKey:', JSON.stringify(myObject));\n\n// Update an array element by index\ndset(myObject, 'nested.array.1', 99);\nconsole.log('After updating array element:', JSON.stringify(myObject));\n\n// Create a new array and populate it with objects using numeric path segments\nlet anotherObject: Record<string, any> = {};\ndset(anotherObject, 'items.0.id', 'a');\ndset(anotherObject, 'items.1.id', 'b');\nconsole.log('After creating array items:', JSON.stringify(anotherObject));","lang":"typescript","description":"Demonstrates basic usage of `dset` to create new deep paths, overwrite non-object values (v3+), update array elements, and initialize arrays."},"warnings":[{"fix":"Review existing code for instances where `dset` targeted paths that might contain non-object values, as their structure will now be implicitly converted to an object to accommodate the new path.","message":"Since v3.0.0, `dset` now overwrites existing non-object values when setting a nested path, aligning with `lodash/set`. Previously, it would fail to write if an intermediate path segment was not an object.","severity":"breaking","affected_versions":">=3.0.0"},{"fix":"Update import statements from `import dset from 'dset';` to `import { dset } from 'dset';`.","message":"As of v3.0.0, the `dset` function is exported as a named export instead of a default export. This changes how it must be imported.","severity":"breaking","affected_versions":">=3.0.0"},{"fix":"Upgrade `dset` to version `2.1.0` or higher immediately to ensure protection against prototype pollution attacks.","message":"Versions between `1.0.0` and `2.0.1` (inclusive) are deprecated due to a prototype pollution vulnerability. This was patched in v2.1.0 and subsequent versions.","severity":"breaking","affected_versions":">=1.0.0 <2.1.0"},{"fix":"Choose the appropriate module (`dset` or `dset/merge`) based on whether you intend to replace or merge values at deep paths. Be explicit with your imports to avoid confusion.","message":"The main `dset` module forcibly writes and overwrites values at the specified key-path. The `dset/merge` submodule, however, merges new values into existing objects, which is distinct behavior.","severity":"gotcha","affected_versions":">=3.1.0"}],"env_vars":null,"last_verified":"2026-04-19T00:00:00.000Z","next_check":"2026-07-18T00:00:00.000Z","problems":[{"fix":"Change your import statement from `import dset from 'dset';` to `import { dset } from 'dset';`.","cause":"Attempting to use `dset` with a default import style after v3.0.0, but it is now a named export.","error":"TypeError: dset is not a function"},{"fix":"Ensure your `tsconfig.json` (for TypeScript) and bundler configuration (`webpack.config.js`, `vite.config.js`, etc.) are up-to-date and correctly configured for modern module resolution, e.g., using `\"moduleResolution\": \"bundler\"` or `\"nodenext\"` in TypeScript.","cause":"Incorrect module resolution settings or outdated tooling not fully supporting Node.js `exports` field for conditional exports, particularly for subpath imports like `dset/merge`.","error":"Cannot access 'dset/merge' exports outside of the module"},{"fix":"Avoid using `__proto__`, `constructor`, or `prototype` as path segments for security reasons. Ensure your `dset` version is `2.1.0` or higher to benefit from built-in prototype pollution guards.","cause":"Attempting to set a value to a JavaScript prototype property (`__proto__`, `constructor`, `prototype`). Although `dset` has built-in protections since v2.1.0, direct attempts to bypass or similar vulnerabilities could trigger this.","error":"Property '__proto__' cannot be set"}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null,"pypi_latest":null,"cli_name":""}