jsonpickle

4.1.1 · active · verified Sun Mar 29

jsonpickle is a Python library for serialization and deserialization of complex Python objects to and from JSON. It extends standard JSON encoders to handle more complex data structures than what Python's `json` module natively supports. As of version 4.1.1, the project is actively maintained with a regular release cadence.

Warnings

breaking Security Warning: Deserializing untrusted data with `jsonpickle.decode()` can lead to Remote Code Execution (RCE). Like Python's `pickle` module, `jsonpickle` can execute arbitrary code during unpickling if malicious data is provided.
Fix: NEVER deserialize data from untrusted sources. If processing untrusted input, use safer serialization methods like the standard `json` module, define explicit schemas, or sign data with an HMAC to ensure integrity.
breaking Python 3.7 is no longer supported starting with `jsonpickle` v4.0.0.
Fix: Upgrade to Python 3.8 or newer to use `jsonpickle` v4.x.
breaking The default value of the `safe` parameter in `jsonpickle.decode()` changed from `False` to `True` in v4.0.0. Setting `safe=False` enables backwards-compatible deserialization of `repr`-serialized objects but uses `eval()` and is not secure against malicious inputs.
Fix: Ensure you are not explicitly setting `safe=False` when dealing with untrusted input. The default `safe=True` is recommended for security. If you need to decode old data, re-pickle it with a newer version.
deprecated The `jsonpickle.compat` module is no longer used internally and may be removed in a future version (e.g., v5.0.0).
Fix: Avoid direct usage of `jsonpickle.compat` and its functions. Review `CHANGES.rst` for specific function deprecations that might affect your code.
deprecated Certain utility functions in `jsonpickle/util.py` were deprecated in v4.1.0 and are planned for removal in v5.0.0 to facilitate static typing. Additionally, `jsonpickle.ext.yaml` will no longer be registered by default in v5.0.0.
Fix: Review your code for direct calls to functions within `jsonpickle.util` or reliance on `jsonpickle.ext.yaml` being automatically registered. Migrate away from these as v5.0.0 approaches.

Install

pip install jsonpickle Install stable version

Imports

jsonpickle
```
import jsonpickle
```

Quickstart

This quickstart demonstrates encoding a custom Python object (a dataclass instance) into a JSON string and then decoding it back into a Python object using `jsonpickle.encode` and `jsonpickle.decode`.

import jsonpickle
from dataclasses import dataclass

@dataclass
class MyObject:
    name: str
    value: int

# Create an object
original_obj = MyObject(name="Example", value=123)

# Encode the object to a JSON string
encoded_json = jsonpickle.encode(original_obj)
print(f"Encoded JSON: {encoded_json}")

# Decode the JSON string back to a Python object
decoded_obj = jsonpickle.decode(encoded_json)

# Verify the decoded object
assert decoded_obj == original_obj
print(f"Decoded object: {decoded_obj}")

view raw JSON →