{"id":12003,"library":"serialize-to-js","title":"Serialize JavaScript Objects","description":"serialize-to-js converts JavaScript objects into a string of JavaScript source (an object literal) that evaluates back to an equivalent object. Unlike `JSON.stringify`, it supports a wider range of JavaScript types including `RegExp`, `Date`, `Buffer`, `Set`, `Map`, `Error`, and various `TypedArray` types, and it can handle circular references. The current stable version is 3.1.2. The library now handles serialization only: the `deserialize` function was removed in v2.0.0 because it was vulnerable to Denial-of-Service attacks, so turning a serialized string back into an object means executing it as JavaScript (for example with `eval`). It is useful where an exact re-creation of a JavaScript object, including functions and non-primitive types, is needed and the serialized string comes from a source trusted as much as the application's own code.","status":"active","version":"3.1.2","language":"javascript","source_language":"en","source_url":"https://github.com/commenthol/serialize-to-js","tags":["javascript","objects","serialize"],"install":[{"cmd":"npm install serialize-to-js","lang":"bash","label":"npm"},{"cmd":"yarn add serialize-to-js","lang":"bash","label":"yarn"},{"cmd":"pnpm add serialize-to-js","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"The library exports its main `serialize` function as a default export, not a named export. 
The CommonJS `require` syntax `const serialize = require('serialize-to-js')` reflects the same pattern.","wrong":"import { serialize } from 'serialize-to-js';","symbol":"serialize","correct":"import serialize from 'serialize-to-js';"}],"quickstart":{"code":"import serialize from 'serialize-to-js';\n\nconst obj = {\n  str: '<script>var a = 0 > 1</script>',\n  num: 3.1415,\n  bool: true,\n  nil: null,\n  undef: undefined,\n  obj: { foo: 'bar' },\n  arr: [1, '2'],\n  regexp: /^test?$/,\n  date: new Date('2023-01-15T10:00:00.000Z'), // Fixed date so the output is reproducible\n  buffer: Buffer.from('data'), // Requires Node.js Buffer or a polyfill\n  set: new Set([1, 2, 3]),\n  map: new Map([['a', 1], ['b', 2]])\n};\n\nconst serializedString = serialize(obj);\nconsole.log(serializedString);\n\n// To deserialize, evaluate the string. Only do this when the string is trusted:\n// eval() runs it as code, so an attacker-controlled string means code execution.\n// const deserializedObj = eval(\`(${serializedString})\`);\n// console.log(deserializedObj.date instanceof Date); // true\n","lang":"javascript","description":"This quickstart serializes an object containing primitives, nested objects, arrays, a regular expression, a date, a buffer, a set, and a map into a JavaScript source string. It prints that string and shows how it can be turned back into an object by evaluating it, which is acceptable only for strings from a trusted source."},"warnings":[{"fix":"Do not use `deserialize`. If you need to re-create objects from the serialized string, evaluate the string (e.g., with `eval()`) only when it comes from a source you trust as much as your own code, since evaluating it is code execution; otherwise parse a restricted format such as JSON instead.","message":"The `deserialize` function was removed in version 2.0.0 because it was vulnerable to Denial-of-Service (DoS) attacks. Users upgrading from v1.x must remove or replace every use of `deserialize`.","severity":"breaking","affected_versions":">=2.0.0"},{"fix":"Only evaluate serialized strings that originate from a source you trust as much as your own code. 
For untrusted input, use `JSON.parse` if the data can be represented in JSON (a reviver can restore types such as `Date` or `RegExp` from an explicit tagged encoding). Do not rely on input validation around `eval()` or on Node's `vm` module as a sandbox; neither is a security boundary.","message":"The library serializes objects into a string of executable JavaScript code, not a data-interchange format like JSON. Deserializing this string means executing it with `eval()` (or `new Function`), which is arbitrary code execution in your process if the source of the serialized string is untrusted.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Pass a fresh options object to each call (e.g., `const opts = { reference: true }`) rather than a shared or reused one, and read `opts.references` from that object after the call: the recorded references describe the links omitted from the output and are needed to restore them after evaluating the string. Making a copy before the call only helps if you do not need that information.","message":"When `opts.reference = true` is set, the library mutates the `opts` object by adding an `opts.references` array describing the references it created. This side effect is easy to miss when the same options object is reused across calls.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-19T00:00:00.000Z","next_check":"2026-07-18T00:00:00.000Z","problems":[{"fix":"Remove all calls to `deserialize`. The package no longer provides a deserialization function. 
If you need to re-create the object, evaluate the string (e.g., `eval(`(${str})`)`) only when it comes from a trusted source, or write your own parser for a restricted format.","cause":"Calling `deserialize`, which was removed in version 2.0.0 because it was vulnerable to Denial-of-Service attacks.","error":"TypeError: serialize(...).deserialize is not a function"},{"fix":"If running in a browser, import a `Buffer` polyfill (e.g., the `buffer` npm package) and expose it as a global before calling `serialize`, or avoid serializing `Buffer` objects in client-side code where `Buffer` is not native.","cause":"This error occurs when `serialize-to-js` is used outside Node.js (e.g., in a browser) and is asked to serialize a `Buffer` object while no global `Buffer` is available.","error":"ReferenceError: Buffer is not defined"}],"ecosystem":"npm"}
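Both warnings above come down to one fact: the output of `serialize` is JavaScript source, so reviving it is code execution. The following is an added example, not code from serialize-to-js or its author. It does not load the library; the sample strings are constructed by hand in the same literal shape the library emits. It contrasts a `new Function` revive for trusted strings with a JSON-only path for untrusted ones, and shows an expression smuggled into a property value executing under the first path while the second rejects it. The `$type` tagging convention, the `__pwned` flag and the helper names are this example's own.

```javascript
// Added example, not code from serialize-to-js. It shows why a serialized
// string has to be treated as code, and what a trust boundary around it can
// look like. The library is not required here: the sample strings below are
// constructed by hand in the same shape (a JavaScript object literal).

// Path 1: the string is from a source trusted as much as our own code
// (e.g. a snapshot this process wrote to disk earlier). `new Function` keeps
// the string out of the local scope, but it is still full code execution.
function reviveTrusted(serialized) {
  return new Function('"use strict"; return (' + serialized + ');')();
}

// Path 2: the string crosses a trust boundary. Refuse JavaScript entirely and
// accept only JSON, which JSON.parse never executes. A reviver restores the
// few non-JSON types we explicitly allow, from a tagged encoding of this
// example's own design: {"$type":"Date","iso":...} and
// {"$type":"RegExp","source":...,"flags":...}. Unknown tags are an error.
function reviveUntrusted(text) {
  return JSON.parse(text, (key, value) => {
    if (value !== null && typeof value === 'object' && typeof value.$type === 'string') {
      switch (value.$type) {
        case 'Date':
          return new Date(value.iso);
        case 'RegExp':
          return new RegExp(value.source, value.flags);
        default:
          throw new TypeError('unsupported tagged type: ' + value.$type);
      }
    }
    return value;
  });
}

// Constructed sample: an honest serialized object in literal form
// (RegExp and Date survive the round trip, unlike with JSON).
const TRUSTED_STRING =
  "{ str: 'a', num: 3.1415, regexp: /^test?$/, date: new Date('2023-01-15T10:00:00.000Z') }";

// Constructed sample: the same shape, but authored by an attacker. An object
// literal is code, so any expression can be smuggled into a property value.
// The payload here only sets a global flag; a real one would reach for
// child_process or the filesystem.
const HOSTILE_STRING =
  "{ str: 'a', num: (globalThis.__pwned = true, 1) }";

// Constructed sample: the trusted object's data encoded as tagged JSON, which
// is what the untrusted path accepts instead of a JavaScript literal.
const TAGGED_JSON =
  '{"str":"a","num":3.1415,"regexp":{"$type":"RegExp","source":"^test?$","flags":""},' +
  '"date":{"$type":"Date","iso":"2023-01-15T10:00:00.000Z"}}';

// Returns true if evaluating `serialized` ran the smuggled payload.
function payloadRan(serialized) {
  delete globalThis.__pwned;
  reviveTrusted(serialized);
  return globalThis.__pwned === true;
}

// Returns true if the untrusted path refuses `text` because it is not JSON.
function rejectedAsJson(text) {
  try {
    reviveUntrusted(text);
    return false;
  } catch (err) {
    return err instanceof SyntaxError;
  }
}

function demo() {
  const fromTrusted = reviveTrusted(TRUSTED_STRING);
  console.log('trusted path restores Date/RegExp:',
    fromTrusted.date instanceof Date, fromTrusted.regexp.test('tes'));
  console.log('hostile literal executes under eval-style revive:', payloadRan(HOSTILE_STRING));
  console.log('hostile literal rejected by JSON path:', rejectedAsJson(HOSTILE_STRING));
  const fromUntrusted = reviveUntrusted(TAGGED_JSON);
  console.log('untrusted path restores tagged Date/RegExp:',
    fromUntrusted.date instanceof Date, fromUntrusted.regexp.test('tes'));
}

demo();
```

The point of `rejectedAsJson` is that the JSON path fails closed on both the hostile literal and the honest one: anything in the library's output format is refused at the trust boundary, and only data re-encoded in the restricted tagged form gets through.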