Serialize-javascript is a valuable npm package designed to convert JavaScript values, including those not natively supported by JSON like regular expressions and functions, into a string format suitable for storage or transmission. Versions 1.9.0 and 1.9.1 showcase the library's ongoing refinement with subtle but noteworthy distinctions.
The core functionality remains consistent: both versions allow developers to serialize complex JavaScript data structures into a superset of JSON, enabling data persistence or exchange across different environments. Looking at the differences, the mocha dev dependency has been upgraded from version 5.2.0 to 6.2.0, which may bring fixes and improvements to the package's testing suite. Beyond development dependencies, the primary variance is in the unpacked size of the package, which decreased from 14015 bytes in version 1.9.0 to 13528 bytes in version 1.9.1. The release dates also differ: version 1.9.0 was released on 2019-08-29 and version 1.9.1 on 2019-09-04. This, alongside the decrease in uncompressed size, suggests internal optimizations and refinements. Developers incorporating serialize-javascript into their projects get a reliable tool for handling diverse JavaScript data types, with continuous improvements to data integrity during serialization and deserialization.
All vulnerabilities affecting version 1.9.1 of the package
Cross-Site Scripting in serialize-javascript
Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.
Upgrade to version 2.1.1 or later.
Insecure serialization leading to RCE in serialize-javascript
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js". An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and guess the value of <UID>. The UID has a keyspace of approximately 4 billion, making it a realistic network attack.