sindresorhus/serialize-error

Optionally ignore `toJSON`

Closed this issue · 2 comments

`serialize-error` automatically uses `toJSON`:

`serialize-error/index.js`, lines 61 to 63 in 855fe3d:

```js
if (typeof from.toJSON === 'function' && from[toJsonWasCalled] !== true) {
	return toJSON(from);
}
```

Unfortunately this introduces two unwanted behaviors:

  • code can be executed by passing `{toJSON() { /*h4xor*/ }}`
  • serialization is decided by the object owner, with which we might disagree (e.g. it might exclude arbitrary properties)

Possible solution

```js
serializeError(error, {toJSON: false})
```

> code can be executed by passing `{toJSON() { /*h4xor*/ }}`

This is not a good argument. This applies to built-in APIs too. And also `.toString()`.

> serialization is decided by the object owner, with which we might disagree (e.g. it might exclude arbitrary properties)

This is a valid argument.

I'm ok with a `toJSON` option.
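The two behaviours discussed in this thread, as an added example that is not part of the issue or of serialize-error's code: an object-supplied `toJSON` runs during serialization and decides which fields survive, while a serializer that skips it keeps them. `serializeIgnoringToJSON`, `makeSampleError` and `compare` are hypothetical names, and the sample error is constructed.

```javascript
// Hypothetical helper, not serialize-error's API: build a plain object from an
// error without ever calling a `toJSON` method supplied by the object.
const ERROR_KEYS = ['name', 'message', 'stack'];

function serializeIgnoringToJSON(value, seen = new WeakSet()) {
	if (typeof value === 'function') return undefined; // drops `toJSON` itself
	if (value === null || typeof value !== 'object') return value;
	if (seen.has(value)) return '[Circular]'; // already visited; also stops cycles
	seen.add(value);
	if (Array.isArray(value)) return value.map(item => serializeIgnoringToJSON(item, seen));
	const out = {};
	// `name`, `message` and `stack` are not enumerable on errors, so read them by name.
	for (const key of ERROR_KEYS) {
		if (typeof value[key] === 'string') out[key] = value[key];
	}
	for (const key of Object.keys(value)) {
		const copied = serializeIgnoringToJSON(value[key], seen);
		if (copied !== undefined) out[key] = copied;
	}
	return out;
}

// Constructed sample: the error's owner attaches a `toJSON` that counts its
// calls and returns a reduced view without `code`, `name` or `stack`.
function makeSampleError() {
	let toJsonCalls = 0;
	const error = new Error('login failed');
	error.code = 'EAUTH';
	error.toJSON = () => {
		toJsonCalls++;
		return {message: 'redacted'};
	};
	return {error, calls: () => toJsonCalls};
}

function compare() {
	const {error, calls} = makeSampleError();
	const viaToJSON = JSON.parse(JSON.stringify(error)); // JSON.stringify honours toJSON
	const callsAfterStringify = calls();
	const ignoring = serializeIgnoringToJSON(error);
	return {viaToJSON, ignoring, callsAfterStringify, callsAfterIgnoring: calls()};
}

console.log(compare());
```

Property getters on the object are still read by this helper, so it changes who decides the output, not whether any of the object's code can run.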