{"id":13398,"library":"json-alexander","title":"Forgiving JSON Parser","description":"json-alexander is a utility package designed to parse JSON strings that may be malformed or contain JavaScript object literal syntax, providing a more \"forgiving\" parsing experience than `JSON.parse`. It aims to fix common issues like unquoted keys, single quotes, and unbalanced structures. The current stable version is 0.1.13, indicating it's still in an early development phase. Release cadence is infrequent, typical for a niche utility. Its key differentiators include its ability to parse non-standard JSON and JavaScript object syntax, making it suitable for scenarios like CLI argument parsing where input might not be strictly valid JSON. However, its \"forgiving\" nature, particularly the `parseJSON` function, uses regular expressions which introduce a potential for ReDoS attacks, contrasting with the standard `JSON.parse` or more strict parsers. For security-sensitive applications, the `safeParse` function is provided, which foregoes the auto-correction in favor of returning `null` for malformed input, thus mitigating the ReDoS risk.","status":"active","version":"0.1.13","language":"javascript","source_language":"en","source_url":"https://github.com/DavidWells/json-alexander","tags":["javascript"],"install":[{"cmd":"npm install json-alexander","lang":"bash","label":"npm"},{"cmd":"yarn add json-alexander","lang":"bash","label":"yarn"},{"cmd":"pnpm add json-alexander","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"This is the main forgiving parsing function, which uses regular expressions for autofixing malformed JSON. Exercise caution when processing untrusted input due to ReDoS risk.","wrong":"const parseJSON = require('json-alexander').parseJSON","symbol":"parseJSON","correct":"import { parseJSON } from 'json-alexander'"},{"note":"Recommended for server-side use or when processing untrusted input. It returns `null` for malformed JSON instead of attempting to fix it, mitigating ReDoS vulnerabilities.","wrong":"const safeParse = require('json-alexander').safeParse","symbol":"safeParse","correct":"import { safeParse } from 'json-alexander'"}],"quickstart":{"code":"import { parseJSON, safeParse } from 'json-alexander';\n\nconsole.log('--- Using parseJSON (forgiving) ---');\n// Normal Valid JSON\nconsole.log('Valid JSON:', parseJSON('{\"valid\": \"works\"}'));\n// Javascript objects\nconsole.log('JS Object:', parseJSON({ key: 'val' }));\n// Malformed JSON (single quotes)\nconsole.log('Malformed (single quotes):', parseJSON(\"{'malformed': 'works'}\"));\n// Unbalanced JSON\nconsole.log('Unbalanced:', parseJSON('{\"unbalanced\": \"object\"'));\n// Javascript objects missing quotes\nconsole.log('Missing quotes:', parseJSON('{ hello: there }'));\n\nconsole.log('\\n--- Using safeParse (secure, non-forgiving) ---');\n// Normal Valid JSON\nconsole.log('Safe Valid JSON:', safeParse('{\"valid\": \"works\"}'));\n// Javascript objects\nconsole.log('Safe JS Object:', safeParse({ key: 'val' }));\n// Malformed JSON (returns null with safeParse)\nconsole.log('Safe Malformed (returns null):', safeParse(\"{'malformed': 'works'}\"));","lang":"javascript","description":"Demonstrates both `parseJSON` for forgiving parsing of malformed and JS-like strings, and `safeParse` for secure, strict parsing that returns null on invalid input."},"warnings":[{"fix":"For server-side applications or any context processing untrusted input, *always* use the `safeParse` function, which explicitly avoids regex-based corrections and returns `null` for malformed input. Alternatively, enforce strict input validation before parsing.","message":"The `parseJSON` function utilizes regular expressions to correct malformed JSON, which can introduce a ReDoS (Regular Expression Denial of Service) vulnerability if highly crafted malicious input is provided. While patterns have been tested, it's an inherent risk.","severity":"breaking","affected_versions":">=0.1.0"},{"fix":"Review the output carefully when parsing non-standard input. If strict JSON adherence is required, use `JSON.parse` or the `safeParse` function and handle parsing errors explicitly.","message":"The `parseJSON` function attempts to \"fix\" malformed JSON by guessing, which might lead to unexpected parsing results if the input is severely malformed or not intended to be fixed. It prioritizes usability over strict adherence to the JSON specification.","severity":"gotcha","affected_versions":">=0.1.0"},{"fix":"Always ensure the type of input is as expected before calling `parseJSON` if strict string-only parsing is desired. Use `typeof input === 'string'` check to validate.","message":"Unlike `JSON.parse`, `parseJSON` can accept plain JavaScript objects as input and return them directly without serialization/deserialization. While convenient, this might mask issues where a string was *expected* but an object was accidentally passed.","severity":"gotcha","affected_versions":">=0.1.0"}],"env_vars":null,"last_verified":"2026-04-19T00:00:00.000Z","next_check":"2026-07-18T00:00:00.000Z","problems":[{"fix":"Always check if the result of `safeParse` is `null` before attempting to access its properties, and handle the invalid input case:\n```javascript\nconst data = safeParse(userInput);\nif (data === null) {\n  console.error('Invalid JSON input, could not parse securely.');\n  // Handle error, return default, etc.\n} else {\n  console.log(data.someKey);\n}\n```","cause":"`safeParse` returned `null` because the input JSON was malformed, and subsequent code attempted to access properties on the `null` result.","error":"Cannot read properties of undefined (reading 'key')"},{"fix":"Replace `JSON.parse` with `parseJSON` from `json-alexander` if you intend to parse forgivingly, or with `safeParse` if you need the security-conscious alternative for potentially malformed input.","cause":"Attempting to use the native `JSON.parse` function with malformed JSON or JavaScript object literal syntax that `json-alexander` is designed to handle.","error":"SyntaxError: Unexpected token ' (or unexpected character)"}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null,"pypi_latest":null,"cli_name":"","cli_version":null}