Security News
Input Validation Vulnerabilities Dominate MITRE's 2024 CWE Top 25 List
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
babel-plugin-typecheck
Advanced tools
Transforms flow type annotations into runtime type checks.
This is a Babel plugin for static and runtime type checking using flow type annotations.
Note: Now requires babel 6.1, babel 5 users see the 2.x branch.
Turns code like this:
function sendMessage (to: User, message: string): boolean {
return socket.send(to, message);
}
into code like this:
function sendMessage(to, message) {
var _socket$send;
if (!(to instanceof User)) throw new TypeError("Value of argument 'to' violates contract.");
if (typeof message !== "string") throw new TypeError("Value of argument 'message' violates contract.");
_socket$send = socket.send(to, message);
if (typeof _socket$send !== "boolean") throw new TypeError("Function 'sendMessage' return value violates contract.");
return _socket$send;
}
And guards against some silly mistakes, for example the following code will fail to compile with a SyntaxError
, because the function can return the wrong type.
function foo (): boolean {
if (Math.random() > 0.5) {
return "yes"; // <-- SyntaxError - string is not boolean
}
else {
return false;
}
}
function bar (input: string = 123): string { // <-- SyntaxError: default value is not string
return input + "456";
}
First, install via npm.
npm install --save-dev babel-plugin-typecheck
Then, in your babel configuration (usually in your .babelrc
file), add "typecheck"
to your list of plugins:
{
"plugins": [
["typecheck", {
"disable": {
"production": true
}
}]
]
}
The example configuration will disable typecheck when NODE_ENV=production
which is usually preferable for performance reasons.
Important: This plugin has a dependency on babel-plugin-syntax-flow
and babel-plugin-transform-flow-strip-types
.
Without syntax-flow
, babel will be unable to parse the flow annotation syntax.
Without transform-flow-strip-types
, the type annotations will be included in the output which will make it unparsable by JS engines.
If you are not already using the babel-preset-react
plugin, you must install those plugins and include them in your babel configuration (usually .babelrc
). Put them after typecheck
in the list, e.g.
{
"plugins": ["typecheck", "syntax-flow", "transform-flow-strip-types"]
}
If you are using babel-preset-react
you can ignore this warning.
Note Depending on your babel configuration you may encounter issues where typecheck interferes with other transformations. This can almost always be fixed by adjusting your preset order and setting
"passPerPreset": true
in your.babelrc
.
The basic format is similar to Flow Type Annotations.
Here are a few examples of annotations this plugin supports:
function foo(
aNum: number,
anOptionalString: ?string, // will allow null/undefined
anObject: Object,
aDate: Date,
anError: Error,
aUnionType: Object|string,
aClass: User,
aShape: {foo: number, bar: ?string},
anArray: Array,
arrayOf: string[] | Array<string>,
{x, y}: {x: string, y: number}, // destructuring works
es6Defaults: number = 42
) : number {
return aNum;
}
You can reuse types across modules using an extension of the ES6 module syntax:
places.js:
export type CsvDataType = Array<Array<String>>;
export type LocationType = {
country: string,
sourceNid: string,
locationNid: string,
name: string,
url: string,
alternativeUrl: ?string,
street1: ?string
};
widget.js:
import type {
CsvDataType,
LocationType
} from './places';
// You can now use CsvDataType and LocationType just like any other type.
Note that in contrast to flow, an imported type must be an actual type and cannot be a class or other concrete value.
In cases where typecheck can statically verify that the return value is of the correct type, no type checks will be inserted, for instance:
function bar (): string|Object {
if (Math.random() > 0.5) {
return "yes";
}
else {
return {
message: "no"
};
}
}
will produce no type checks at all, because we can trivially tell that the function can only return one of the two permitted types. This is also true for simple cases like:
function createUser (): User {
return new User(); // <-- no typecheck required
}
This is currently quite limited though, as the plugin can only statically infer the types of literals and very simple expressions, it can't (yet) statically verify e.g. the result of a function call. In those cases a runtime type check is required:
function createUser (): User {
return User.create(); // <-- produces runtime typecheck
}
Supports various number types:
Example:
function demo (input: uint8): uint16 {
return input * input;
}
demo(1); // ok
demo(128); // ok
demo(255); // ok
demo(-1); // TypeError
demo(12.34); // TypeError
demo(1024); // TypeError
demo('nope'); // TypeError
type Foo = string|number;
function demo (input: Foo): string {
return input + ' world';
}
demo('hello'); // ok
demo(123); // ok
demo(["not", "a", "Foo"]); // fails
function demo (input: string): string[] {
return makeArray(input); // no return type check required, knows that makeArray is compatible
}
function makeArray (input: string): string[] {
return [input];
}
function demo (input: string): User {
const user = new User({name: input});
return user; // No check required, knows that user is the correct type
}
let name: string = "bob";
name = "Bob"; // ok
name = makeString(); // ok
name = 123; // SyntaxError, expected string not number
function makeString (): string {
return "Sally";
}
let name: string = "bob";
name = "Bob";
((name: number) = 123);
name = 456;
name = "fish"; // SyntaxError, expected number;
function demo (input: string[]): number {
return input.length;
}
demo(["a", "b", "c"]); // ok
demo([1, 2, 3]); // TypeError
type User = {
name: string;
email: string;
};
function demo (input: User): string {
return input.name;
}
demo({}); // TypeError
demo({name: 123, email: "test@test.com"}); // TypeError
demo({name: "test", email: "test@test.com"}); // ok
Sometimes you might need to disable type checking for a particular file or section of code. To ignore an entire file, add a comment at the top level scope of the file:
// typecheck: ignore file
export function wrong (input: string = 123): boolean {
return input + ' nope';
}
To ignore a particular statement:
let foo: string = "hello world";
// typecheck: ignore statement
foo = 123;
Note: Because of how typecheck works, it's not possible to ignore individual lines, only entire statements or files. So if you ignore e.g. an if statement, the entire body of that statement will be ignored.
You can also control the disabling and enabling of type checking using the plugin options and the @typecheck
pragma. Type checking will be enabled only for files where any of the configured only
values are found in the @typecheck
pragma. With babel configuration:
"plugins": [
["typecheck", { only: ["production", "test"] }],
...
]
This file would have typechecks enabled
// @typecheck: production, some
Whereas this file would not:
// @typecheck: any, some
Published by codemix under a permissive MIT License, see LICENSE.md.
FAQs
Transforms flow type annotations into runtime type checks.
The npm package babel-plugin-typecheck receives a total of 3,252 weekly downloads. As such, babel-plugin-typecheck popularity was classified as popular.
We found that babel-plugin-typecheck demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.