braces
Fast, comprehensive, bash-like brace expansion implemented in JavaScript. Complete support for the Bash 4.3 braces specification, without sacrificing speed.
Install
Install with npm:
$ npm install --save braces
Install with yarn:
$ yarn add braces
Usage
The main export is a function that takes a brace pattern
to expand and an options
object if necessary.
var braces = require('braces');
braces(pattern[, options]);
Why use braces?
- Safer: Braces isn't vulnerable to DoS attacks, unlike brace-expansion, minimatch and multimatch (this not the same DoS bug that was found in minimatch and multimatch recently)
- Accurate: complete support for the Bash 4.3 Brace Expansion specification (passes all of the Bash braces tests)
- fast and performant: not only runs fast, but scales well as patterns increase in complexity (other libs don't - see the notes on performance).
- Organized code base: with parser and compiler that are easy to maintain and update when edge cases crop up.
- Well-tested: 900+ unit tests with thousands of actual patterns tested. Passes 100% of the minimatch and brace-expansion unit tests as well.
- Optimized braces: By default returns an optimized string that can be used for creating regular expressions for matching.
- Expanded braces: Optionally returns an array (like bash). See a comparison between optimized and expanded.
Optimized vs. expanded braces
Optimized
Patterns are optimized for regex and matching by default:
console.log(braces('a/{x,y,z}/b'));
Expanded
To expand patterns the same way as Bash or minimatch, use the .expand method:
console.log(braces.expand('a/{x,y,z}/b'));
Or use options.expand:
console.log(braces('a/{x,y,z}/b', {expand: true}));
Features
- lists: Supports "lists":
a/{b,c}/d
=> ['a/b/d', 'a/c/d']
- sequences: Supports alphabetical or numerical "sequences" (ranges):
{1..3}
=> ['1', '2', '3']
- steps: Supports "steps" or increments:
{2..10..2}
=> ['2', '4', '6', '8', '10']
- escaping
- options
Lists
Uses fill-range for expanding alphabetical or numeric lists:
console.log(braces('a/{foo,bar,baz}/*.js'));
console.log(braces.expand('a/{foo,bar,baz}/*.js'));
Sequences
Uses fill-range for expanding alphabetical or numeric ranges (bash "sequences"):
console.log(braces.expand('{1..3}'));
console.log(braces.expand('a{01..03}b'));
console.log(braces.expand('a{1..3}b'));
console.log(braces.expand('{a..c}'));
console.log(braces.expand('foo/{a..c}'));
console.log(braces('a{01..03}b'));
console.log(braces('a{001..300}b'));
Steps
Steps, or increments, may be used with ranges:
console.log(braces.expand('{2..10..2}'));
console.log(braces('{2..10..2}'));
When the .optimize method is used, or options.optimize is set to true, sequences are passed to to-regex-range for expansion.
Nesting
Brace patterns may be nested. The results of each expanded string are not sorted, and left to right order is preserved.
"Expanded" braces
console.log(braces.expand('a{b,c,/{x,y}}/e'));
console.log(braces.expand('a/{x,{1..5},y}/c'));
"Optimized" braces
console.log(braces('a{b,c,/{x,y}}/e'));
console.log(braces('a/{x,{1..5},y}/c'));
Escaping
Escaping braces
A brace pattern will not be expanded or evaluted if either the opening or closing brace is escaped:
console.log(braces.expand('a\\{d,c,b}e'));
console.log(braces.expand('a{d,c,b\\}e'));
Escaping commas
Commas inside braces may also be escaped:
console.log(braces.expand('a{b\\,c}d'));
console.log(braces.expand('a{d\\,c,b}e'));
Single items
Following bash conventions, a brace pattern is also not expanded when it contains a single character:
console.log(braces.expand('a{b}c'));
Options
options.expand
Type: Boolean
Default: undefined
Description: Generate an "expanded" brace pattern (this option is unncessary with the .expand
method, which does the same thing).
console.log(braces('a/{b,c}/d', {expand: true}));
options.optimize
Type: Boolean
Default: true
Description: Enabled by default.
console.log(braces('a/{b,c}/d'));
options.nodupes
Type: Boolean
Default: true
Description: Duplicates are removed by default. To keep duplicates, pass {nodupes: false}
on the options
options.rangeLimit
Type: Number
Default: 250
Description: When braces.expand()
is used, or options.expand
is true, brace patterns will automatically be optimized when the difference between the range minimum and range maximum exceeds the rangeLimit
. This is to prevent huge ranges from freezing your application.
You can set this to any number, or change options.rangeLimit
to Inifinity
to disable this altogether.
Examples
console.log(braces.expand('{1..1000}'));
console.log(braces.expand('{1..100}'));
options.transform
Type: Function
Default: undefined
Description: Customize range expansion.
var range = braces.expand('x{a..e}y', {
transform: function(str) {
return 'foo' + str;
}
});
console.log(range);
options.quantifiers
Type: Boolean
Default: undefined
Description: In regular expressions, quanitifiers can be used to specify how many times a token can be repeated. For example, a{1,3}
will match the letter a
one to three times.
Unfortunately, regex quantifiers happen to share the same syntax as Bash lists
The quantifiers
option tells braces to detect when regex quantifiers are defined in the given pattern, and not to try to expand them as lists.
Examples
var braces = require('braces');
console.log(braces('a/b{1,3}/{x,y,z}'));
console.log(braces('a/b{1,3}/{x,y,z}', {quantifiers: true}));
console.log(braces('a/b{1,3}/{x,y,z}', {quantifiers: true, expand: true}));
options.unescape
Type: Boolean
Default: undefined
Description: Strip backslashes that were used for escaping from the result.
Benchmarks
Running benchmarks
Install dev dependencies:
npm i -d && npm benchmark
Latest results
Benchmarking: (8 of 8)
· combination-nested
· combination
· escaped
· list-basic
· list-multiple
· no-braces
· sequence-basic
· sequence-multiple
brace-expansion x 4,756 ops/sec ±1.09% (86 runs sampled)
braces x 11,202,303 ops/sec ±1.06% (88 runs sampled)
minimatch x 4,816 ops/sec ±0.99% (87 runs sampled)
fastest is braces
brace-expansion x 625 ops/sec ±0.87% (87 runs sampled)
braces x 11,031,884 ops/sec ±0.72% (90 runs sampled)
minimatch x 637 ops/sec ±0.84% (88 runs sampled)
fastest is braces
brace-expansion x 163,325 ops/sec ±1.05% (87 runs sampled)
braces x 10,655,071 ops/sec ±1.22% (88 runs sampled)
minimatch x 147,495 ops/sec ±0.96% (88 runs sampled)
fastest is braces
brace-expansion x 99,726 ops/sec ±1.07% (83 runs sampled)
braces x 10,596,584 ops/sec ±0.98% (88 runs sampled)
minimatch x 100,069 ops/sec ±1.17% (86 runs sampled)
fastest is braces
brace-expansion x 34,348 ops/sec ±1.08% (88 runs sampled)
braces x 9,264,131 ops/sec ±1.12% (88 runs sampled)
minimatch x 34,893 ops/sec ±0.87% (87 runs sampled)
fastest is braces
brace-expansion x 275,368 ops/sec ±1.18% (89 runs sampled)
braces x 9,134,677 ops/sec ±0.95% (88 runs sampled)
minimatch x 3,755,954 ops/sec ±1.13% (89 runs sampled)
fastest is braces
brace-expansion x 5,492 ops/sec ±1.35% (87 runs sampled)
braces x 8,485,034 ops/sec ±1.28% (89 runs sampled)
minimatch x 5,341 ops/sec ±1.17% (87 runs sampled)
fastest is braces
brace-expansion x 116 ops/sec ±0.77% (77 runs sampled)
braces x 9,445,118 ops/sec ±1.32% (84 runs sampled)
minimatch x 109 ops/sec ±1.16% (76 runs sampled)
fastest is braces
Performance
What's the big deal?
If you use globbing a lot, whether in your build tool chain or in your application, the speed of the glob matcher not only impacts your experience, but a slow glob matcher can slow everything else down, limitimg what you thought was possible in your application.
Braces is fast
minimatch gets exponentially slower as patterns increase in complexity, braces does not
Brace patterns are meant to be expanded - at least, if you're using Bash, that is. It's not at all unusual for users to want to use brace patterns for dates or similar ranges. It's also very easy to define a brace pattern that appears to be very simple but in fact is fairly complex.
For example, here is how generated regex size and processing time compare as patterns increase in complexity:
(the following results were generated using braces()
and minimatch.braceExpand()
)
Pattern | minimatch | braces |
---|
{1..9007199254740991} [^1] | N/A (freezes) | 300 B (12ms 878μs) |
{1..10000000} | 98.9 MB (20s 193ms 13μs) | 34 B (11ms 204μs) |
{1..1000000} | 8.89 MB (1s 838ms 718μs) | 33 B (1ms 761μs) |
{1..100000} | 789 kB (181ms 518μs) | 32 B (1ms 76μs) |
{1..10000} | 68.9 kB (17ms 436μs) | 31 B (1ms 382μs) |
{1..1000} | 5.89 kB (1ms 773μs) | 30 B (1ms 509μs) |
{1..100} | 491 B (321μs) | 24 B (309μs) |
{1..10} | 40 B (56μs) | 12 B (333μs) |
{1..3} | 11 B (80μs) | 9 B (370μs) |
These numbers are actually pretty small as far as numeric ranges are concerned. Regardless, we shouldn't have to consider such things when creating a glob pattern. The tool should get out of your way and let you be as creative as you want.
Braces is performant
Even when brace patterns are fully expanded, braces
is still much faster.
(the following results were generated using braces.expand()
and minimatch.braceExpand()
)
Pattern | minimatch | braces |
---|
a/{1..10000000} | 98.9 MB (19s 754ms 376μs) | 98.9 MB (5s 734ms 419μs) |
a/{1..1000000} | 8.89 MB (1s 866ms 968μs) | 8.89 MB (561ms 594μs) |
a/{1..100000} | 789 kB (178ms 311μs) | 789 kB (29ms 823μs) |
a/{1..10000} | 68.9 kB (17ms 692μs) | 68.9 kB (2ms 351μs) |
a/{1..1000} | 5.89 kB (1ms 823μs) | 5.89 kB (706μs) |
a/{1..100} | 491 B (609μs) | 491 B (267μs) |
a/{1..10} | 40 B (61μs) | 40 B (636μs) |
a/{1..3} | 11 B (206μs) | 11 B (207μs) |
Braces is fast
- caching
- parsing
- looping
- regex: smaller patterns, optimized to match faster
Braces was built from the ground up to be as performant as possible when matching, using a combination of the following:
- minimizes loops and iterating: the parser makes every effort to only evaluate each character in the pattern once.
- generates an optimized string: sequences/ranges are optimized by to-regex-range, which is not only highly accurate, but produces patterns that are a fraction of the size of patterns generated by other brace expansion libraries, such as Bash and minimatch (via brace-expansion)
- generates results faster: can handle even the most complex patterns that cause other implementations like minimatch and Bash to freeze or fail.
Braces is safe
Last, but perhaps most important of all, unlike brace-expansion and minimatch, braces will not freeze your application when a user passes a complex brace pattern.
The trouble with tribbles brace patterns
There are unlimited scenarios where brace patterns cause the resulting array to grow geometrically. If you define two brace patterns for example, the result is multiplicative if not exponential. For example, given the pattern {1..1000}
, we would end up with 1 thousand strings. But if two patterns are given, such as {1...1000}{1...1000}
, we would end up with 1 million strings.
It's easy to think, "I wouldn't do that", but that's not the point. Even though those example patterns are contrived:
- it's not uncommon for users to define brace patterns that result in similarly huge strings (consider date ranges
1-2016
, for example, and how easy it might be for someone to also add an alphabetical range if searching records of some kind) - we can't control how users define their patterns (and we shouldn't have to care)
- even if it's uncommon for user to define unwieldy patterns, there is still potential for intentionally exploiting this feature to cause a DoS in your application (and given that this is a not-very-technically-advanced method for causing a DoS - e.g. anyone can do it, you should be concerned!)
Potential for DoS attacks
Most brace expansion libraries, including Bash, minimatch, multimatch and brace-expansion are vulnerable to DoS attacks (similar to the ReDoS bug minimatch had recently).
Braces mitigates this risk in three ways:
- Braces prevents malicious strings from being used by checking the length of the input strings, as well as generated regex
- Braces optimizes the generated result by default, so that only one output string is generated for every input string.
- When .expand or options.expand are used, braces has checks in place to prevent huge ranges from being (accidentally) created. By default, when more than 250 strings will result from the given pattern, braces will optimize the result instead of expanding it. You can override this limit of 250 by passing a custom number on options.rangeLimit.
(you might also want to consider using micromatch for glob matching, as a safer alternative to minimatch and multimatch)
About
Related projects
- expand-brackets: Expand POSIX bracket expressions (character classes) in glob patterns. | homepage
- extglob: Extended glob support for JavaScript. Adds (almost) the expressive power of regular expressions to glob… more | homepage
- fill-range: Fill in a range of numbers or letters, optionally passing an increment or
step
to… more | homepage - micromatch: Glob matching for javascript/node.js. A drop-in replacement and faster alternative to minimatch and multimatch. | homepage
- nanomatch: Fast, minimal glob matcher for node.js. Similar to micromatch, minimatch and multimatch, but complete Bash… more | homepage
Contributing
Pull requests and stars are always welcome. For bugs and feature requests, please create an issue.
Contributors
Building docs
(This project's readme.md is generated by verb, please don't edit the readme directly. Any changes to the readme must be made in the .verb.md readme template.)
To generate the readme, run the following command:
$ npm install -g verbose/verb
Running tests
Running and reviewing unit tests is a great way to get familiarized with a library and its API. You can install dependencies and run tests with the following command:
$ npm install && npm test
Author
Jon Schlinkert
License
Copyright © 2017, Jon Schlinkert.
Released under the MIT License.
This file was generated by verb-generate-readme, v0.6.0, on April 26, 2017.