async-lock
The async-lock npm package is designed to handle synchronization issues in Node.js applications where asynchronous operations need to be executed in a controlled sequence. It provides a mechanism to ensure that certain sections of code that should not be executed concurrently can be locked to avoid race conditions and other concurrency-related bugs.
Locking asynchronous operations
This feature allows you to lock a section of asynchronous operations using a unique key. The lock ensures that only one block of code that uses the same key can execute at a time, preventing race conditions.
const AsyncLock = require('async-lock');
const lock = new AsyncLock();
lock.acquire('key', function(done) {
  // async work
  setTimeout(function() {
    done(null, 'result');
  }, 1000);
}, function(err, result) {
  console.log(result); // prints 'result' after 1000ms
});
Promise support
Async-lock also supports promises, allowing you to use it in modern asynchronous workflows. This feature simplifies working with asynchronous operations by using promises instead of callbacks.
const AsyncLock = require('async-lock');
const lock = new AsyncLock();
lock.acquire('key', () => {
  return new Promise(resolve => {
    setTimeout(() => {
      resolve('result');
    }, 1000);
  });
}).then(result => {
  console.log(result); // prints 'result' after 1000ms
});
Mutexify is another npm package that provides a mutual exclusion lock. It is similar to async-lock but differs in its API and internal implementation. Mutexify uses a simpler queue mechanism and does not support timeouts or promise-based APIs, which makes async-lock more versatile for complex applications.
RWLock is a package that provides read and write locks, allowing multiple readers or a single writer. This is different from async-lock, which does not distinguish between read and write operations. RWLock is useful in scenarios where the distinction between read and write operations can optimize performance and resource utilization.
Lock on asynchronous code
I did not create this package, and I will not add any features to it myself. I was granted the ownership because it was no longer being maintained, and I volunteered to fix a bug.
If you have a new feature you would like to have incorporated, please send me a PR and I will be happy to work with you and get it merged. For any bugs, PRs are most welcome but when possible I will try to get them resolved as soon as possible.
Node.js is single-threaded, and code execution is never interrupted inside an event loop iteration, so locking is unnecessary? This is true ONLY IF your critical section can be executed inside a single event loop iteration. However, if you have any async code inside your critical section (it can be triggered by any I/O operation or timer), your critical logic will run across multiple event loop iterations, and therefore it is not concurrency safe!
Consider the following code:
redis.get('key', function(err, value) {
  redis.set('key', value * 2);
});
The above code simply multiplies a Redis key by 2. However, if two users run it concurrently, the execution order may look like this:
user1: redis.get('key') -> 1
user2: redis.get('key') -> 1
user1: redis.set('key', 1 x 2) -> 2
user2: redis.set('key', 1 x 2) -> 2
Obviously this is not what you expected.
With asyncLock, you can easily write your async critical section:
lock.acquire('key', function(cb) {
  // Concurrency safe
  redis.get('key', function(err, value) {
    if (err) return cb(err); // release the lock and report the failure
    redis.set('key', value * 2, cb);
  });
}, function(err, ret) {
  // lock released; err is set if the get or set failed
});
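The lost update described above and its fix, as an added example that is not part of the async-lock README. It runs offline: a deterministic task queue stands in for the event loop, `FakeStore` for the Redis client and `KeyLock` for async-lock (all three are constructed stand-ins, not the package's implementation).

```javascript
// Constructed stand-ins (assumptions): `tasks` replaces the event loop,
// FakeStore replaces the Redis client, KeyLock replaces async-lock.
const tasks = [];
const defer = (fn) => tasks.push(fn);
const drain = () => { while (tasks.length) tasks.shift()(); };

class FakeStore {
  constructor(initial) { this.data = { ...initial }; }
  get(key, cb) { defer(() => cb(null, this.data[key])); }
  set(key, value, cb) { defer(() => { this.data[key] = value; if (cb) cb(null); }); }
}

// Minimal per-key FIFO lock: only one job per key runs at a time.
class KeyLock {
  constructor() { this.queues = new Map(); }
  acquire(key, fn, cb) {
    const q = this.queues.get(key) || [];
    this.queues.set(key, q);
    const job = () => fn((err, ret) => {
      q.shift();                      // the finished job leaves the queue
      if (q.length) defer(q[0]);      // the next waiter gets the lock
      else this.queues.delete(key);
      if (cb) cb(err, ret);
    });
    q.push(job);
    if (q.length === 1) job();        // lock was free: run immediately
  }
}

// The page's racy read-modify-write: nothing stops two reads before a write.
function doubleUnsafe(store, key) {
  store.get(key, (err, value) => store.set(key, value * 2));
}
// Same logic inside the critical section; done() fires after the write lands.
function doubleLocked(store, lock, key) {
  lock.acquire(key, (done) => {
    store.get(key, (err, value) => store.set(key, value * 2, done));
  });
}

// Two "users" start the same operation before any callback has run.
function runTwoUsers(useLock) {
  const store = new FakeStore({ key: 1 });
  const lock = new KeyLock();
  const op = useLock ? () => doubleLocked(store, lock, 'key')
                     : () => doubleUnsafe(store, 'key');
  op(); op();
  drain();
  return store.data.key;
}
console.log('unlocked:', runTwoUsers(false), 'locked:', runTwoUsers(true)); // unlocked: 2 locked: 4
```

Without the lock both reads observe 1 and the second write overwrites the first; with it the second read waits for the first write and the key ends at 4.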
var AsyncLock = require('async-lock');
var lock = new AsyncLock();
/**
* @param {String|Array} key resource key or keys to lock
* @param {function} fn execute function
* @param {function} cb (optional) callback function, otherwise will return a promise
* @param {Object} opts (optional) options
*/
lock.acquire(key, function(done) {
  // async work
  done(err, ret);
}, function(err, ret) {
  // lock released
}, opts);
// Promise mode
lock.acquire(key, function() {
  // return value or promise
}, opts).then(function() {
  // lock released
});
// Callback mode
lock.acquire(key, function(done) {
  done(new Error('error'));
}, function(err, ret) {
  console.log(err.message); // output: error
});
// Promise mode
lock.acquire(key, function() {
  throw new Error('error');
}).catch(function(err) {
  console.log(err.message); // output: error
});
lock.acquire([key1, key2], fn, cb);
Lock is reentrant in the same domain
var domain = require('domain');
var lock = new AsyncLock({domainReentrant : true});
var d = domain.create();
d.run(function() {
  lock.acquire('key', function() {
    // Enter lock
    return lock.acquire('key', function() {
      // Enter same lock twice
    });
  });
});
// Specify timeout - max amount of time an item can remain in the queue before acquiring the lock
var lock = new AsyncLock({timeout: 5000});
lock.acquire(key, fn, function(err, ret) {
  // timed out error will be returned here if lock not acquired in given time
});
// Specify max occupation time - max amount of time allowed between entering the queue and completing execution
var lock = new AsyncLock({maxOccupationTime: 3000});
lock.acquire(key, fn, function(err, ret) {
  // occupation time exceeded error will be returned here if job not completed in given time
});
// Specify max execution time - max amount of time allowed between acquiring the lock and completing execution
var lock = new AsyncLock({maxExecutionTime: 3000});
lock.acquire(key, fn, function(err, ret) {
  // execution time exceeded error will be returned here if job not completed in given time
});
// Set max pending tasks - max number of tasks allowed in the queue at a time
var lock = new AsyncLock({maxPending: 1000});
lock.acquire(key, fn, function(err, ret) {
  // Handle too much pending error
});
// Whether there is any running or pending async function
lock.isBusy();
// Use your own promise library instead of the global Promise variable
var lock = new AsyncLock({Promise: require('bluebird')}); // Bluebird
var lock = new AsyncLock({Promise: require('q')}); // Q
// Add a task to the front of the queue waiting for a given lock
lock.acquire(key, fn1, cb); // runs immediately
lock.acquire(key, fn2, cb); // added to queue
lock.acquire(key, priorityFn, cb, {skipQueue: true}); // jumps queue and runs before fn2
See Changelog
See issue tracker.
MIT, see LICENSE
FAQs
The npm package async-lock receives a total of 1,692,110 weekly downloads. As such, async-lock popularity was classified as popular.
We found that async-lock demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.