securealternative

v1.0.4

Provide secure alternatives for functions that can be affected by prototype pollution

StringSplitOnChar (Alternative for String.prototype.split)

Prototype

splitOnChar(str: string, delimiter?: string): string[]

Description

  1. Splits a string into an array of substrings using a single-character delimiter.
  2. Does not rely on String.prototype.split
  3. Validates inputs strictly
  4. Resistant to prototype pollution and method overrides

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| str | string | yes | The input string to split |
| delimiter | string | no | Single character delimiter (default: '.') |

Returns

string[] — array of substrings

Throws

  1. TypeError if str is not a string
  2. TypeError if delimiter is not a single-character string

ArraySafeIndexOf (Alternative for Array.prototype.indexOf)

Prototype

safeIndexOf(arr: T[], searchElement: T): number

Description

Secure alternative to Array.prototype.indexOf(): returns the index of the element if it is in the array, otherwise -1.

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| arr | Array<T> | yes | Array to search |
| searchElement | T | yes | Element to locate |

Returns

number — index of the element, or -1 if not found

Throws

TypeError if arr is not an array

StringSafeIndexOf (Alternative for String.prototype.indexOf)

Prototype

StringSafeIndexOf(haystack: string, needle: string): number

Description

  1. Searches for the first occurrence of a substring within a string.
  2. Does not rely on String.prototype.indexOf or any other built-in string methods.
  3. Performs a manual character-by-character comparison.
  4. Avoids implicit type coercion.
  5. Resistant to prototype pollution and method overrides.
  6. Safe to use in hostile or partially polluted JavaScript runtimes.

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| haystack | string | yes | The string to search within |
| needle | string | yes | The substring to search for |

Returns

number — the zero-based index of the first occurrence of needle, or -1 if not found.

Throws

None (Invalid inputs are handled safely and return -1.)
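The manual character-by-character search described here, and the single-character split described for splitOnChar above, can be sketched as follows. This is an added example, not the package's implementation: `manualIndexOf`, `manualSplitOnChar` and `compareUnderOverride` are hypothetical names, and the override inside `compareUnderOverride` is a constructed stand-in for a runtime whose built-ins were replaced.

```javascript
// Added example, not the package's source. All function names are hypothetical.
// str[i] and str.length on a string primitive are own properties of the value,
// so reading them never consults the (possibly overridden) String.prototype.
function manualIndexOf(haystack, needle) {
  if (typeof haystack !== 'string' || typeof needle !== 'string') return -1;
  for (let i = 0; i + needle.length <= haystack.length; i++) {
    let j = 0;
    while (j < needle.length && haystack[i + j] === needle[j]) j++;
    if (j === needle.length) return i; // compares UTF-16 code units
  }
  return -1;
}

function manualSplitOnChar(str, delimiter = '.') {
  if (typeof str !== 'string') throw new TypeError('str must be a string');
  if (typeof delimiter !== 'string' || delimiter.length !== 1) {
    throw new TypeError('delimiter must be a single-character string');
  }
  const parts = [];
  let current = '';
  for (let i = 0, n = 0; i <= str.length; i++) {
    if (i === str.length || str[i] === delimiter) {
      parts[n++] = current; // index write instead of Array.prototype.push
      current = '';
    } else {
      current += str[i];
    }
  }
  return parts;
}

// Constructed scenario: override the built-ins, compare results, then restore.
function compareUnderOverride() {
  const saved = [String.prototype.split, String.prototype.indexOf];
  String.prototype.split = function () { return ['tampered']; };
  String.prototype.indexOf = function () { return 0; };
  try {
    return {
      nativeSplit: 'a.b.c'.split('.'),
      manualSplit: manualSplitOnChar('a.b.c'),
      nativeIndexOf: 'user@example.test'.indexOf('admin'),
      manualIndexOf: manualIndexOf('user@example.test', 'admin'),
    };
  } finally {
    [String.prototype.split, String.prototype.indexOf] = saved;
  }
}
```
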

RegexSafeTest (Alternative for RegExp.prototype.test)

Prototype

RegexSafeTest(regex: RegExp, input: string): boolean

Description

  1. Tests whether a regular expression matches a string.
  2. Does not rely on RegExp.prototype.test, avoiding user-land overrides.
  3. Executes the match using the native V8 RegExp engine via a compiled Node.js addon.
  4. Validates inputs strictly before execution.
  5. Resistant to prototype pollution, method overrides, and monkey-patching of RegExp.prototype.

Compatibility info

Currently works only for Node v24 (Active LTS version)

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| regex | RegExp | yes | Regular expression to test |
| input | string | yes | String against which the regex is evaluated |

Returns

boolean — true if the regular expression matches the input string, otherwise false.

Throws

  1. TypeError if regex is not a RegExp object
  2. TypeError if input is not a string
  3. Error if the native addon is unavailable on the current platform

ObjectHasOwnProperty (Safe alternative to Object.prototype.hasOwnProperty)

Prototype

ObjectHasOwnProperty(obj: object | null | undefined, prop: string | symbol): boolean

Description

  1. Determines whether an object has a property as its own property, without checking inherited properties.
  2. Does not rely on Object.prototype.hasOwnProperty, making it resistant to prototype pollution and method overrides.
  3. Checks both string and symbol properties.
  4. Safe to use on objects in hostile or partially polluted JavaScript runtimes.
  5. Handles null and undefined safely, returning false instead of throwing.

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| obj | object \| null \| undefined | yes | The object to inspect |
| prop | string \| symbol | yes | The property name or symbol to check for |

Returns

boolean — true if the object has the property as its own property; otherwise false.

Throws

None — invalid inputs such as null or undefined are handled safely.

Security Considerations

  1. Resistant to prototype pollution attacks, such as modifying Object.prototype.hasOwnProperty.
  2. Safe when globals like Object.getOwnPropertyNames or Object.getOwnPropertySymbols are overridden.
  3. Can be safely used in environments where objects or globals may be partially polluted.
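One common way to obtain the behaviour listed above is to capture the intrinsics once at module load and invoke them only through the captured references. The following is an added example, not the package's code: `hasOwnCaptured` and `compareUnderTampering` are hypothetical names, and the approach assumes this module is evaluated before any code that tampers with the built-ins.

```javascript
// Added example, not the package's source. All names are hypothetical.
// Captured at load time: later reassignment of Object.prototype.hasOwnProperty
// or Reflect.apply does not change what these constants point to.
const capturedHasOwn = Object.prototype.hasOwnProperty;
const capturedApply = Reflect.apply;

function hasOwnCaptured(obj, prop) {
  if (obj === null || obj === undefined) return false;
  const t = typeof prop;
  if (t !== 'string' && t !== 'symbol') return false;
  // Reflect.apply avoids a lookup of .call on Function.prototype.
  return capturedApply(capturedHasOwn, obj, [prop]);
}

// Constructed scenario: tamper with the prototype method, compare, restore.
function compareUnderTampering() {
  const tag = Symbol('tag');
  const bare = Object.create(null);          // no prototype at all
  bare.role = 'user';
  const shadowed = { hasOwnProperty: () => true, [tag]: 1 };
  const original = Object.prototype.hasOwnProperty;
  Object.prototype.hasOwnProperty = function () { return true; };
  try {
    return {
      nativeInherited: ({}).hasOwnProperty('isAdmin'),
      safeInherited: hasOwnCaptured({}, 'isAdmin'),
      safeShadowed: hasOwnCaptured(shadowed, 'isAdmin'),
      safeSymbol: hasOwnCaptured(shadowed, tag),
      safeBare: hasOwnCaptured(bare, 'role'),
      safeToString: hasOwnCaptured({}, 'toString'),
      safeNull: hasOwnCaptured(null, 'role'),
    };
  } finally {
    Object.prototype.hasOwnProperty = original;
  }
}
```
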