Optionally ignore `toJSON`
Closed this issue · 2 comments
fregante commented
`serialize-error` automatically uses `toJSON`:
Lines 61 to 63 in 855fe3d
Unfortunately this introduces two unwanted behaviors:
- code can be executed by passing `{toJSON() { /*h4xor*/ }}`
- serialization is decided by the object owner, with which we might disagree (e.g. it might exclude arbitrary properties)
Possible solution
`serializeError(error, {toJSON: false})`
sindresorhus commented
> code can be executed by passing `{toJSON() { /*h4xor*/ }}`

This is not a good argument. This applies to built-in APIs too. And also `.toString()`.

> serialization is decided by the object owner, with which we might disagree (e.g. it might exclude arbitrary properties)

This is a valid argument.
sindresorhus commented
I'm ok with a `toJSON` option.
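
The behaviour discussed in this thread, as an added example that is not part of the issue and is not `serialize-error`'s code: a small stand-in serializer showing how an owner-defined `toJSON` drops properties, and what an opt-out changes. `serializeSketch`, `makeSampleError`, `demo` and the sample error are hypothetical and constructed for illustration; the `toJSON` option name follows the proposal above.

```javascript
// Added illustration; NOT the serialize-error implementation.
// `serializeSketch` and its `toJSON` option are hypothetical, modelled on the proposal.
function serializeSketch(value, {toJSON = true} = {}, ancestors = new Set()) {
  if (value === null || typeof value !== 'object') return value;
  if (ancestors.has(value)) return '[Circular]';

  // Default described in the issue: the object's own toJSON decides the output.
  if (toJSON && typeof value.toJSON === 'function') return value.toJSON();

  ancestors.add(value);
  const out = Array.isArray(value) ? [] : {};
  // name/message/stack are inherited or non-enumerable on Error, so copy explicitly.
  if (value instanceof Error) {
    for (const key of ['name', 'message', 'stack']) {
      if (typeof value[key] === 'string') out[key] = value[key];
    }
  }
  for (const [key, child] of Object.entries(value)) {
    if (typeof child === 'function') continue; // never emit (or call) methods
    out[key] = serializeSketch(child, {toJSON}, ancestors);
  }
  ancestors.delete(value);
  return out;
}

// Constructed sample: an error whose owner hides fields from serialization.
function makeSampleError() {
  let calls = 0;
  const error = new Error('payment declined');
  error.code = 'E_DECLINED';
  error.requestId = 'req-constructed-123';
  error.toJSON = () => {
    calls++; // owner-supplied code runs while we serialize
    return {message: 'redacted'};
  };
  return {error, calls: () => calls};
}

function demo() {
  const a = makeSampleError();
  const b = makeSampleError();
  return {
    withHook: serializeSketch(a.error),
    withoutHook: serializeSketch(b.error, {toJSON: false}),
    hookCalls: {withHook: a.calls(), withoutHook: b.calls()},
  };
}

console.log(demo());
```

With the hook honoured, `code` and `requestId` never reach the output; with the option off they do, and the owner's function is not invoked.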