Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@smeijer/ky
Advanced tools
[!NOTE] This is a fork of ky to add common-js support. See smeijer/ky for the code that builds this package, or sindresorhus/ky for the original source.
Sindre's open source work is supported by the community.
Special thanks to:
Ky is a tiny and elegant HTTP client based on the Fetch API
Ky targets modern browsers, Node.js, Bun, and Deno.
It's just a tiny package with no dependencies.
fetch
ky.post()
).json()
supports generics and defaults to unknown
, not any
)npm install ky
import ky from 'ky';
const json = await ky.post('https://example.com', {json: {foo: true}}).json();
console.log(json);
//=> `{data: '🦄'}`
With plain fetch
, it would be:
class HTTPError extends Error {}
const response = await fetch('https://example.com', {
method: 'POST',
body: JSON.stringify({foo: true}),
headers: {
'content-type': 'application/json'
}
});
if (!response.ok) {
throw new HTTPError(`Fetch error: ${response.statusText}`);
}
const json = await response.json();
console.log(json);
//=> `{data: '🦄'}`
If you are using Deno, import Ky from a URL. For example, using a CDN:
import ky from 'https://esm.sh/ky';
The input
and options
are the same as fetch
, with additional options
available (see below).
Returns a Response
object with Body
methods added for convenience. So you can, for example, call ky.get(input).json()
directly without having to await the Response
first. When called like that, an appropriate Accept
header will be set depending on the body method used. Unlike the Body
methods of window.Fetch
; these will throw an HTTPError
if the response status is not in the range of 200...299
. Also, .json()
will return an empty string if body is empty or the response status is 204
instead of throwing a parse error due to an empty body.
import ky from 'ky';
const user = await ky('/api/user').json();
console.log(user);
⌨️ TypeScript: Accepts an optional type parameter, which defaults to unknown
, and is passed through to the return type of .json()
.
import ky from 'ky';
// user1 is unknown
const user1 = await ky('/api/users/1').json();
// user2 is a User
const user2 = await ky<User>('/api/users/2').json();
// user3 is a User
const user3 = await ky('/api/users/3').json<User>();
console.log([user1, user2, user3]);
Sets options.method
to the method name and makes a request.
⌨️ TypeScript: Accepts an optional type parameter for use with JSON responses (see ky()
).
Type: string
| URL
| Request
Same as fetch
input.
When using a Request
instance as input
, any URL altering options (such as prefixUrl
) will be ignored.
Type: object
Same as fetch
options, plus the following additional options:
Type: string
Default: 'get'
HTTP method used to make the request.
Internally, the standard methods (GET
, POST
, PUT
, PATCH
, HEAD
and DELETE
) are uppercased in order to avoid server errors due to case sensitivity.
Type: object
and any other value accepted by JSON.stringify()
Shortcut for sending JSON. Use this instead of the body
option. Accepts any plain object or value, which will be JSON.stringify()
'd and sent in the body with the correct header set.
Type: string | object<string, string | number | boolean> | Array<Array<string | number | boolean>> | URLSearchParams
Default: ''
Search parameters to include in the request URL. Setting this will override all existing search parameters in the input URL.
Accepts any value supported by URLSearchParams()
.
Type: string | URL
A prefix to prepend to the input
URL when making the request. It can be any valid URL, either relative or absolute. A trailing slash /
is optional and will be added automatically, if needed, when it is joined with input
. Only takes effect when input
is a string. The input
argument cannot start with a slash /
when using this option.
Useful when used with ky.extend()
to create niche-specific Ky-instances.
import ky from 'ky';
// On https://example.com
const response = await ky('unicorn', {prefixUrl: '/api'});
//=> 'https://example.com/api/unicorn'
const response2 = await ky('unicorn', {prefixUrl: 'https://cats.com'});
//=> 'https://cats.com/unicorn'
Notes:
prefixUrl
and input
are joined, the result is resolved against the base URL of the page (if any).input
are disallowed when using this option to enforce consistency and avoid confusion about how the input
URL is handled, given that input
will not follow the normal URL resolution rules when prefixUrl
is being used, which changes the meaning of a leading slash.Type: object | number
Default:
limit
: 2
methods
: get
put
head
delete
options
trace
statusCodes
: 408
413
429
500
502
503
504
afterStatusCodes
: 413
, 429
, 503
maxRetryAfter
: undefined
backoffLimit
: undefined
delay
: attemptCount => 0.3 * (2 ** (attemptCount - 1)) * 1000
An object representing limit
, methods
, statusCodes
, afterStatusCodes
, and maxRetryAfter
fields for maximum retry count, allowed methods, allowed status codes, status codes allowed to use the Retry-After
time, and maximum Retry-After
time.
If retry
is a number, it will be used as limit
and other defaults will remain in place.
If the response provides an HTTP status contained in afterStatusCodes
, Ky will wait until the date, timeout, or timestamp given in the Retry-After
header has passed to retry the request. If Retry-After
is missing, the non-standard RateLimit-Reset
header is used in its place as a fallback. If the provided status code is not in the list, the Retry-After
header will be ignored.
If maxRetryAfter
is set to undefined
, it will use options.timeout
. If Retry-After
header is greater than maxRetryAfter
, it will use maxRetryAfter
.
The backoffLimit
option is the upper limit of the delay per retry in milliseconds.
To clamp the delay, set backoffLimit
to 1000, for example.
By default, the delay is calculated with 0.3 * (2 ** (attemptCount - 1)) * 1000
. The delay increases exponentially.
The delay
option can be used to change how the delay between retries is calculated. The function receives one parameter, the attempt count, starting at 1
.
Retries are not triggered following a timeout.
import ky from 'ky';
const json = await ky('https://example.com', {
retry: {
limit: 10,
methods: ['get'],
statusCodes: [413],
backoffLimit: 3000
}
}).json();
Type: number | false
Default: 10000
Timeout in milliseconds for getting a response, including any retries. Can not be greater than 2147483647.
If set to false
, there will be no timeout.
Type: object<string, Function[]>
Default: {beforeRequest: [], beforeRetry: [], afterResponse: []}
Hooks allow modifications during the request lifecycle. Hook functions may be async and are run serially.
Type: Function[]
Default: []
This hook enables you to modify the request right before it is sent. Ky will make no further changes to the request after this. The hook function receives request
and options
as arguments. You could, for example, modify the request.headers
here.
The hook can return a Request
to replace the outgoing request, or return a Response
to completely avoid making an HTTP request. This can be used to mock a request, check an internal cache, etc. An important consideration when returning a request or response from this hook is that any remaining beforeRequest
hooks will be skipped, so you may want to only return them from the last hook.
import ky from 'ky';
const api = ky.extend({
hooks: {
beforeRequest: [
request => {
request.headers.set('X-Requested-With', 'ky');
}
]
}
});
const response = await api.get('https://example.com/api/users');
Type: Function[]
Default: []
This hook enables you to modify the request right before retry. Ky will make no further changes to the request after this. The hook function receives an object with the normalized request and options, an error instance, and the retry count. You could, for example, modify request.headers
here.
If the request received a response, the error will be of type HTTPError
and the Response
object will be available at error.response
. Be aware that some types of errors, such as network errors, inherently mean that a response was not received. In that case, the error will not be an instance of HTTPError
.
You can prevent Ky from retrying the request by throwing an error. Ky will not handle it in any way and the error will be propagated to the request initiator. The rest of the beforeRetry
hooks will not be called in this case. Alternatively, you can return the ky.stop
symbol to do the same thing but without propagating an error (this has some limitations, see ky.stop
docs for details).
import ky from 'ky';
const response = await ky('https://example.com', {
hooks: {
beforeRetry: [
async ({request, options, error, retryCount}) => {
const token = await ky('https://example.com/refresh-token');
request.headers.set('Authorization', `token ${token}`);
}
]
}
});
Type: Function[]
Default: []
This hook enables you to modify the HTTPError
right before it is thrown. The hook function receives a HTTPError
as an argument and should return an instance of HTTPError
.
import ky from 'ky';
await ky('https://example.com', {
hooks: {
beforeError: [
error => {
const {response} = error;
if (response && response.body) {
error.name = 'GitHubError';
error.message = `${response.body.message} (${response.status})`;
}
return error;
}
]
}
});
Type: Function[]
Default: []
This hook enables you to read and optionally modify the response. The hook function receives normalized request, options, and a clone of the response as arguments. The return value of the hook function will be used by Ky as the response object if it's an instance of Response
.
import ky from 'ky';
const response = await ky('https://example.com', {
hooks: {
afterResponse: [
(_request, _options, response) => {
// You could do something with the response, for example, logging.
log(response);
// Or return a `Response` instance to overwrite the response.
return new Response('A different response', {status: 200});
},
// Or retry with a fresh token on a 403 error
async (request, options, response) => {
if (response.status === 403) {
// Get a fresh token
const token = await ky('https://example.com/token').text();
// Retry with the token
request.headers.set('Authorization', `token ${token}`);
return ky(request);
}
}
]
}
});
Type: boolean
Default: true
Throw an HTTPError
when, after following redirects, the response has a non-2xx status code. To also throw for redirects instead of following them, set the redirect
option to 'manual'
.
Setting this to false
may be useful if you are checking for resource availability and are expecting error responses.
Note: If false
, error responses are considered successful and the request will not be retried.
Type: Function
Download progress event handler.
The function receives a progress
and chunk
argument:
progress
object contains the following elements: percent
, transferredBytes
and totalBytes
. If it's not possible to retrieve the body size, totalBytes
will be 0
.chunk
argument is an instance of Uint8Array
. It's empty for the first call.import ky from 'ky';
const response = await ky('https://example.com', {
onDownloadProgress: (progress, chunk) => {
// Example output:
// `0% - 0 of 1271 bytes`
// `100% - 1271 of 1271 bytes`
console.log(`${progress.percent * 100}% - ${progress.transferredBytes} of ${progress.totalBytes} bytes`);
}
});
Type: Function
Default: JSON.parse()
User-defined JSON-parsing function.
Use-cases:
bourne
package to protect from prototype pollution.reviver
option of JSON.parse()
.import ky from 'ky';
import bourne from '@hapijs/bourne';
const json = await ky('https://example.com', {
parseJson: text => bourne(text)
}).json();
Type: Function
Default: JSON.stringify()
User-defined JSON-stringifying function.
Use-cases:
replacer
function.import ky from 'ky';
import {DateTime} from 'luxon';
const json = await ky('https://example.com', {
stringifyJson: data => JSON.stringify(data, (key, value) => {
if (key.endsWith('_at')) {
return DateTime.fromISO(value).toSeconds();
}
return value;
})
}).json();
Type: Function
Default: fetch
User-defined fetch
function.
Has to be fully compatible with the Fetch API standard.
Use-cases:
fetch
implementations like isomorphic-unfetch
.fetch
wrapper function provided by some frameworks that use server-side rendering (SSR).import ky from 'ky';
import fetch from 'isomorphic-unfetch';
const json = await ky('https://example.com', {fetch}).json();
Create a new ky
instance with some defaults overridden with your own.
In contrast to ky.create()
, ky.extend()
inherits defaults from its parent.
You can pass headers as a Headers
instance or a plain object.
You can remove a header with .extend()
by passing the header with an undefined
value.
Passing undefined
as a string removes the header only if it comes from a Headers
instance.
Similarly, you can remove existing hooks
entries by extending the hook with an explicit undefined
.
import ky from 'ky';
const url = 'https://sindresorhus.com';
const original = ky.create({
headers: {
rainbow: 'rainbow',
unicorn: 'unicorn'
},
hooks: {
beforeRequest: [ () => console.log('before 1') ],
afterResponse: [ () => console.log('after 1') ],
},
});
const extended = original.extend({
headers: {
rainbow: undefined
},
hooks: {
beforeRequest: undefined,
afterResponse: [ () => console.log('after 2') ],
}
});
const response = await extended(url).json();
//=> after 1
//=> after 2
console.log('rainbow' in response);
//=> false
console.log('unicorn' in response);
//=> true
You can also refer to parent defaults by providing a function to .extend()
.
import ky from 'ky';
const api = ky.create({prefixUrl: 'https://example.com/api'});
const usersApi = api.extend((options) => ({prefixUrl: `${options.prefixUrl}/users`}));
const response = await usersApi.get('123');
//=> 'https://example.com/api/users/123'
const response = await api.get('version');
//=> 'https://example.com/api/version'
Create a new Ky instance with complete new defaults.
import ky from 'ky';
// On https://my-site.com
const api = ky.create({prefixUrl: 'https://example.com/api'});
const response = await api.get('users/123');
//=> 'https://example.com/api/users/123'
const response = await api.get('/status', {prefixUrl: ''});
//=> 'https://my-site.com/status'
Type: object
A Symbol
that can be returned by a beforeRetry
hook to stop the retry. This will also short circuit the remaining beforeRetry
hooks.
Note: Returning this symbol makes Ky abort and return with an undefined
response. Be sure to check for a response before accessing any properties on it or use optional chaining. It is also incompatible with body methods, such as .json()
or .text()
, because there is no response to parse. In general, we recommend throwing an error instead of returning this symbol, as that will cause Ky to abort and then throw, which avoids these limitations.
A valid use-case for ky.stop
is to prevent retries when making requests for side effects, where the returned data is not important. For example, logging client activity to the server.
import ky from 'ky';
const options = {
hooks: {
beforeRetry: [
async ({request, options, error, retryCount}) => {
const shouldStopRetry = await ky('https://example.com/api');
if (shouldStopRetry) {
return ky.stop;
}
}
]
}
};
// Note that response will be `undefined` in case `ky.stop` is returned.
const response = await ky.post('https://example.com', options);
// Using `.text()` or other body methods is not supported.
const text = await ky('https://example.com', options).text();
Exposed for instanceof
checks. The error has a response
property with the Response
object, request
property with the Request
object, and options
property with normalized options (either passed to ky
when creating an instance with ky.create()
or directly when performing the request).
If you need to read the actual response when an HTTPError
has occurred, call the respective parser method on the response object. For example:
try {
await ky('https://example.com').json();
} catch (error) {
if (error.name === 'HTTPError') {
const errorJson = await error.response.json();
}
}
⌨️ TypeScript: Accepts an optional type parameter, which defaults to unknown
, and is passed through to the return type of error.response.json()
.
The error thrown when the request times out. It has a request
property with the Request
object.
Sending form data in Ky is identical to fetch
. Just pass a FormData
instance to the body
option. The Content-Type
header will be automatically set to multipart/form-data
.
import ky from 'ky';
// `multipart/form-data`
const formData = new FormData();
formData.append('food', 'fries');
formData.append('drink', 'icetea');
const response = await ky.post(url, {body: formData});
If you want to send the data in application/x-www-form-urlencoded
format, you will need to encode the data with URLSearchParams
.
import ky from 'ky';
// `application/x-www-form-urlencoded`
const searchParams = new URLSearchParams();
searchParams.set('food', 'fries');
searchParams.set('drink', 'icetea');
const response = await ky.post(url, {body: searchParams});
Content-Type
Ky automatically sets an appropriate Content-Type
header for each request based on the data in the request body. However, some APIs require custom, non-standard content types, such as application/x-amz-json-1.1
. Using the headers
option, you can manually override the content type.
import ky from 'ky';
const json = await ky.post('https://example.com', {
headers: {
'content-type': 'application/json'
},
json: {
foo: true
},
}).json();
console.log(json);
//=> `{data: '🦄'}`
Fetch (and hence Ky) has built-in support for request cancellation through the AbortController
API. Read more.
Example:
import ky from 'ky';
const controller = new AbortController();
const {signal} = controller;
setTimeout(() => {
controller.abort();
}, 5000);
try {
console.log(await ky(url, {signal}).text());
} catch (error) {
if (error.name === 'AbortError') {
console.log('Fetch aborted');
} else {
console.error('Fetch error:', error);
}
}
Node.js 18 and later supports fetch
natively, so you can just use this package directly.
Same as above.
Either use a test runner that can run in the browser, like Mocha, or use AVA with ky-universal
. Read more.
Make sure your code is running as a JavaScript module (ESM), for example by using a <script type="module">
tag in your HTML document. Then Ky can be imported directly by that module without a bundler or other tools.
<script type="module">
import ky from 'https://unpkg.com/ky/distribution/index.js';
const json = await ky('https://jsonplaceholder.typicode.com/todos/1').json();
console.log(json.title);
//=> 'delectus aut autem'
</script>
got
See my answer here. Got is maintained by the same people as Ky.
axios
?See my answer here.
r2
?See my answer in #10.
ky
mean?It's just a random short npm package name I managed to get. It does, however, have a meaning in Japanese:
A form of text-able slang, KY is an abbreviation for 空気読めない (kuuki yomenai), which literally translates into “cannot read the air.” It's a phrase applied to someone who misses the implied meaning.
The latest version of Chrome, Firefox, and Safari.
Node.js 18 and later.
FAQs
Tiny and elegant HTTP client based on the Fetch API
The npm package @smeijer/ky receives a total of 7,650 weekly downloads. As such, @smeijer/ky popularity was classified as popular.
We found that @smeijer/ky demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.