Security News
pnpm 10.0.0 Blocks Lifecycle Scripts by Default
pnpm 10 blocks lifecycle scripts by default to improve security, addressing supply chain attack risks but sparking debate over compatibility and workflow changes.
Full featured Promises/A+ implementation with exceptionally good performance
Bluebird is a fully-featured Promise library for JavaScript. It allows for advanced features such as promise chaining, concurrency control, and error handling. It is known for its performance and useful utilities for working with asynchronous operations in JavaScript.
Promisification
Converts Node.js callback-style functions to return a Bluebird promise. In this example, the 'fs' module's 'readFile' function is promisified to use promises instead of callbacks.
const Promise = require('bluebird');
const fs = Promise.promisifyAll(require('fs'));
fs.readFileAsync('example.txt', 'utf8').then(contents => {
console.log(contents);
}).catch(error => {
console.error('Error reading file', error);
});
Promise Chaining
Allows for chaining multiple asynchronous operations where each step waits for the previous one to complete. Errors can be caught and handled gracefully.
const Promise = require('bluebird');
Promise.resolve(1)
.then(x => x + 1)
.then(x => { throw new Error('Something went wrong'); })
.catch(Error, e => console.error(e.message));
Concurrency Control
Provides utilities to control the concurrency of multiple promises. The 'map' function here runs a maximum of two promises in parallel.
const Promise = require('bluebird');
const tasks = [/* array of functions that return promises */];
Promise.map(tasks, task => task(), { concurrency: 2 })
.then(results => {
console.log('All tasks completed', results);
});
Error Handling
Offers a clean syntax for error handling in promise chains. The 'try' method is used to start a promise chain with error handling.
const Promise = require('bluebird');
Promise.try(() => {
throw new Error('Something failed');
}).catch(Error, e => {
console.error('Caught an error:', e.message);
});
Q is an earlier promise library that provides similar features to Bluebird, such as promise creation, chaining, and advanced error handling. However, Bluebird is generally considered to be faster and more feature-rich.
When.js is another promise library with API methods for creating and working with promises. It is smaller and has a simpler API compared to Bluebird, but lacks some of the utilities and performance optimizations.
ES6-Promise is a polyfill for the ES6 Promise specification. It provides basic promise functionality but does not include the additional utilities and features that Bluebird offers.
This package is a simple implementation of Promises/A+. It is lightweight and doesn't have the extra features that Bluebird provides, focusing instead on a minimal API.
Got a question? Join us on stackoverflow, the mailing list or chat on IRC
Bluebird is a fully featured promise library with focus on innovative features and performance
with
/C# using
async
and await
npm install bluebird
Then:
var Promise = require("bluebird");
There are many ways to use bluebird in browsers:
When using script tags the global variables Promise
and P
(alias for Promise
) become available.
A minimal bluebird browser build is ≈38.92KB minified*, 11.65KB gzipped and has no external dependencies.
*Google Closure Compiler using Simple.
Browsers that implement ECMA-262, edition 3 and later are supported.
Note that in ECMA-262, edition 3 (IE7, IE8 etc.) it is not possible to use methods that have keyword names like .catch
and .finally
. The API documentation always lists a compatible alternative name that you can use if you need to support these browsers. For example .catch
is replaced with .caught
and .finally
with .lastly
.
Also, long stack trace support is only available in Chrome, Firefox and Internet Explorer 10+.
After quick start, see API Reference and examples
You should use promises to turn this:
fs.readFile("file.json", function(err, val) {
if( err ) {
console.error("unable to read file");
}
else {
try {
val = JSON.parse(val);
console.log(val.success);
}
catch( e ) {
console.error("invalid json in file");
}
}
});
Into this:
fs.readFileAsync("file.json").then(JSON.parse).then(function(val) {
console.log(val.success);
})
.catch(SyntaxError, function(e) {
console.error("invalid json in file");
})
.catch(function(e) {
console.error("unable to read file");
});
If you are wondering "there is no readFileAsync
method on fs
that returns a promise", see promisification
Actually you might notice the latter has a lot in common with code that would do the same using synchronous I/O:
try {
var val = JSON.parse(fs.readFileSync("file.json"));
console.log(val.success);
}
//Syntax actually not supported in JS but drives the point
catch(SyntaxError e) {
console.error("invalid json in file");
}
catch(Error e) {
console.error("unable to read file");
}
And that is the point - being able to have something that is a lot like return
and throw
in synchronous code.
You can also use promises to improve code that was written with callback helpers:
//Copyright Plato http://stackoverflow.com/a/19385911/995876
//CC BY-SA 2.5
mapSeries(URLs, function (URL, done) {
var options = {};
needle.get(URL, options, function (error, response, body) {
if (error) {
return done(error);
}
try {
var ret = JSON.parse(body);
return done(null, ret);
}
catch (e) {
done(e);
}
});
}, function (err, results) {
if (err) {
console.log(err);
} else {
console.log('All Needle requests successful');
// results is a 1 to 1 mapping in order of URLs > needle.body
processAndSaveAllInDB(results, function (err) {
if (err) {
return done(err);
}
console.log('All Needle requests saved');
done(null);
});
}
});
Is more pleasing to the eye when done with promises:
Promise.promisifyAll(needle);
var options = {};
var current = Promise.resolve();
Promise.map(URLs, function(URL) {
current = current.then(function () {
return needle.getAsync(URL, options);
});
return current;
}).map(function(responseAndBody){
return JSON.parse(responseAndBody[1]);
}).then(function (results) {
return processAndSaveAllInDB(results);
}).then(function(){
console.log('All Needle requests saved');
}).catch(function (e) {
console.log(e);
});
Also promises don't just give you correspondences for synchronous features but can also be used as limited event emitters or callback aggregators.
More reading:
The github issue tracker is only for bug reports and feature requests. Anything else, such as questions for help in using the library, should be posted in StackOverflow under tags promise
and bluebird
.
This is a problem every promise library needs to handle in some way. Unhandled rejections/exceptions don't really have a good agreed-on asynchronous correspondence. The problem is that it is impossible to predict the future and know if a rejected promise will eventually be handled.
There are two common pragmatic attempts at solving the problem that promise libraries do.
The more popular one is to have the user explicitly communicate that they are done and any unhandled rejections should be thrown, like so:
download().then(...).then(...).done();
For handling this problem, in my opinion, this is completely unacceptable and pointless. The user must remember to explicitly call .done
and that cannot be justified when the problem is forgetting to create an error handler in the first place.
The second approach, which is what bluebird by default takes, is to call a registered handler if a rejection is unhandled by the start of a second turn. The default handler is to write the stack trace to stderr
or console.error
in browsers. This is close to what happens with synchronous code - your code doesn't work as expected and you open console and see a stack trace. Nice.
Of course this is not perfect, if your code for some reason needs to swoop in and attach error handler to some promise after the promise has been hanging around a while then you will see annoying messages. In that case you can use the .done()
method to signal that any hanging exceptions should be thrown.
If you want to override the default handler for these possibly unhandled rejections, you can pass yours like so:
Promise.onPossiblyUnhandledRejection(function(error){
throw error;
});
If you want to also enable long stack traces, call:
Promise.longStackTraces();
right after the library is loaded.
In node.js use the environment flag BLUEBIRD_DEBUG
:
BLUEBIRD_DEBUG=1 node server.js
to enable long stack traces in all instances of bluebird.
Long stack traces cannot be disabled after being enabled, and cannot be enabled after promises have already been created. Long stack traces imply a substantial performance penalty, even after using every trick to optimize them.
Long stack traces are enabled by default in the debug build.
A practical problem with Promises/A+ is that it models Javascript try-catch
too closely for its own good. Therefore by default promises inherit try-catch
warts such as the inability to specify the error types that the catch block is eligible for. It is an anti-pattern in every other language to use catch-all handlers because they swallow exceptions that you might not know about.
Now, Javascript does have a perfectly fine and working way of creating error type hierarchies. It is still quite awkward to use them with the built-in try-catch
however:
try {
//code
}
catch(e) {
if( e instanceof WhatIWantError) {
//handle
}
else {
throw e;
}
}
Without such checking, unexpected errors would be silently swallowed. However, with promises, bluebird brings the future (hopefully) here now and extends the .catch
to accept potential error type eligibility.
For instance here it is expected that some evil or incompetent entity will try to crash our server from SyntaxError
by providing syntactically invalid JSON:
getJSONFromSomewhere().then(function(jsonString) {
return JSON.parse(jsonString);
}).then(function(object) {
console.log("it was valid json: ", object);
}).catch(SyntaxError, function(e){
console.log("don't be evil");
});
Here any kind of unexpected error will be automatically reported on stderr
along with a stack trace because we only register a handler for the expected SyntaxError
.
Ok, so, that's pretty neat. But actually not many libraries define error types and it is in fact a complete ghetto out there with ad hoc strings being attached as some arbitrary property name like .name
, .type
, .code
, not having any property at all or even throwing strings as errors and so on. So how can we still listen for expected errors?
Bluebird defines a special error type OperationalError
(you can get a reference from Promise.OperationalError
). This type of error is given as rejection reason by promisified methods when
their underlying library gives an untyped, but expected error. Primitives such as strings, and error objects that are directly created like new Error("database didn't respond")
are considered untyped.
Example of such library is the node core library fs
. So if we promisify it, we can catch just the errors we want pretty easily and have programmer errors be redirected to unhandled rejection handler so that we notice them:
//Read more about promisification in the API Reference:
//API.md
var fs = Promise.promisifyAll(require("fs"));
fs.readFileAsync("myfile.json").then(JSON.parse).then(function (json) {
console.log("Successful json");
}).catch(SyntaxError, function (e) {
console.error("file contains invalid json");
}).catch(Promise.OperationalError, function (e) {
console.error("unable to read file, because: ", e.message);
});
The last catch
handler is only invoked when the fs
module explicitly used the err
argument convention of async callbacks to inform of an expected error. The OperationalError
instance will contain the original error in its .cause
property but it does have a direct copy of the .message
and .stack
too. In this code any unexpected error - be it in our code or the fs
module - would not be caught by these handlers and therefore not swallowed.
Since a catch
handler typed to Promise.OperationalError
is expected to be used very often, it has a neat shorthand:
.error(function (e) {
console.error("unable to read file, because: ", e.message);
});
See API documentation for .error()
Finally, Bluebird also supports predicate-based filters. If you pass a predicate function instead of an error type, the predicate will receive the error as an argument. The return result will be used to determine whether the error handler should be called.
Predicates should allow for very fine grained control over caught errors: pattern matching, error typesets with set operations and many other techniques can be implemented on top of them.
Example of using a predicate-based filter:
var Promise = require("bluebird");
var request = Promise.promisify(require("request"));
function clientError(e) {
return e.code >= 400 && e.code < 500;
}
request("http://www.google.com").then(function(contents){
console.log(contents);
}).catch(clientError, function(e){
//A client error like 400 Bad Request happened
});
Danger: The JavaScript language allows throwing primitive values like strings. Throwing primitives can lead to worse or no stack traces. Primitives are not exceptions. You should consider always throwing Error objects when handling exceptions.
Bluebird attempts to have more elaborate traces. Consider:
Error.stackTraceLimit = 25;
Q.longStackSupport = true;
Q().then(function outer() {
return Q().then(function inner() {
return Q().then(function evenMoreInner() {
a.b.c.d();
}).catch(function catcher(e){
console.error(e.stack);
});
})
});
You will see
ReferenceError: a is not defined
at evenMoreInner (<anonymous>:7:13)
From previous event:
at inner (<anonymous>:6:20)
Compare to:
Error.stackTraceLimit = 25;
Promise.longStackTraces();
Promise.resolve().then(function outer() {
return Promise.resolve().then(function inner() {
return Promise.resolve().then(function evenMoreInner() {
a.b.c.d();
}).catch(function catcher(e){
console.error(e.stack);
});
});
});
ReferenceError: a is not defined
at evenMoreInner (<anonymous>:7:13)
From previous event:
at inner (<anonymous>:6:36)
From previous event:
at outer (<anonymous>:5:32)
From previous event:
at <anonymous>:4:21
at Object.InjectedScript._evaluateOn (<anonymous>:572:39)
at Object.InjectedScript._evaluateAndWrap (<anonymous>:531:52)
at Object.InjectedScript.evaluate (<anonymous>:450:21)
A better and more practical example of the differences can be seen in gorgikosev's debuggability competition.
For development tasks such as running benchmarks or testing, you need to clone the repository and install dev-dependencies.
git clone git@github.com:petkaantonov/bluebird.git
cd bluebird
npm install
To run all tests, run
node tools/test
If you need to run generator tests run the tool/test.js
script with --harmony
argument and node 0.11+:
node-dev --harmony tools/test
You may specify an individual test file to run with the --run
script flag:
node tools/test --run=cancel.js
This enables output from the test and may give a better idea where the test is failing. The parameter to --run
can be any file name located in test/mocha
folder.
To run the test in a browser instead of node, pass the flag --browser
to the test tool
node tools/test --run=cancel.js --browser
This will automatically create a server (default port 9999) and open it in your default browser once the tests have been compiled.
Keep the test tab active because some tests are timing-sensitive and will fail if the browser is throttling timeouts. Chrome will do this for example when the tab is not active.
The value of boolean flags is determined by presence, if you want to pass false value for a boolean flag, use the no-
-prefix e.g. --no-browser
.
--run=String
- Which tests to run (or compile when testing in browser). Default "all"
. Can also be a glob string (relative to ./test/mocha folder).--cover=String
. Create code coverage using the String as istanbul reporter. Coverage is created in the ./coverage folder. No coverage is created by default, default reporter is "html"
(use --cover
to use default reporter).--browser
- Whether to compile tests for browsers. Default false
.--port=Number
- Port where local server is hosted when testing in browser. Default 9999
--execute-browser-tests
- Whether to execute the compiled tests for browser when using --browser
. Default true
.--open-browser
- Whether to open the default browser when executing browser tests. Default true
.--fake-timers
- Whether to use fake timers (setTimeout
etc) when running tests in node. Default true
.--js-hint
- Whether to run JSHint on source files. Default true
.--saucelabs
- Whether to create a tunnel to sauce labs and run tests in their VMs instead of your browser when compiling tests for browser. Default false
.To run a benchmark, run the given command for a benchmark while on the project root. Requires bash (on windows the mingw32 that comes with git works fine too).
Node 0.11.2+ is required to run the generator examples.
Currently the most relevant benchmark is @gorkikosev's benchmark in the article Analysis of generators and other async patterns in node. The benchmark emulates a situation where n amount of users are making a request in parallel to execute some mixed async/sync action. The benchmark has been modified to include a warm-up phase to minimize any JITing during timed sections.
Command: bench doxbee
This made-up scenario runs 15 shimmed queries in parallel.
Command: bench parallel
Custom builds for browsers are supported through a command-line utility.
<tr><td><a href="API.md#any---promise"><code>.any</code></a> and <a href="API.md#promiseanyarraydynamicpromise-values---promise"><code>Promise.any</code></a></td><td><code>any</code></td></tr>
<tr><td><a href="API.md#race---promise"><code>.race</code></a> and <a href="API.md#promiseracearraypromise-promises---promise"><code>Promise.race</code></a></td><td><code>race</code></td></tr>
<tr><td><a href="API.md#callstring-propertyname--dynamic-arg---promise"><code>.call</code></a> and <a href="API.md#getstring-propertyname---promise"><code>.get</code></a></td><td><code>call_get</code></td></tr>
<tr><td><a href="API.md#filterfunction-filterer---promise"><code>.filter</code></a> and <a href="API.md#promisefilterarraydynamicpromise-values-function-filterer---promise"><code>Promise.filter</code></a></td><td><code>filter</code></td></tr>
<tr><td><a href="API.md#mapfunction-mapper---promise"><code>.map</code></a> and <a href="API.md#promisemaparraydynamicpromise-values-function-mapper---promise"><code>Promise.map</code></a></td><td><code>map</code></td></tr>
<tr><td><a href="API.md#reducefunction-reducer--dynamic-initialvalue---promise"><code>.reduce</code></a> and <a href="API.md#promisereducearraydynamicpromise-values-function-reducer--dynamic-initialvalue---promise"><code>Promise.reduce</code></a></td><td><code>reduce</code></td></tr>
<tr><td><a href="API.md#props---promise"><code>.props</code></a> and <a href="API.md#promisepropsobjectpromise-object---promise"><code>Promise.props</code></a></td><td><code>props</code></td></tr>
<tr><td><a href="API.md#settle---promise"><code>.settle</code></a> and <a href="API.md#promisesettlearraydynamicpromise-values---promise"><code>Promise.settle</code></a></td><td><code>settle</code></td></tr>
<tr><td><a href="API.md#someint-count---promise"><code>.some</code></a> and <a href="API.md#promisesomearraydynamicpromise-values-int-count---promise"><code>Promise.some</code></a></td><td><code>some</code></td></tr>
<tr><td><a href="API.md#nodeifyfunction-callback---promise"><code>.nodeify</code></a></td><td><code>nodeify</code></td></tr>
<tr><td><a href="API.md#promisecoroutinegeneratorfunction-generatorfunction---function"><code>Promise.coroutine</code></a> and <a href="API.md#promisespawngeneratorfunction-generatorfunction---promise"><code>Promise.spawn</code></a></td><td><code>generators</code></td></tr>
<tr><td><a href="API.md#progression">Progression</a></td><td><code>progress</code></td></tr>
<tr><td><a href="API.md#promisification">Promisification</a></td><td><code>promisify</code></td></tr>
<tr><td><a href="API.md#cancellation">Cancellation</a></td><td><code>cancel</code></td></tr>
<tr><td><a href="API.md#timers">Timers</a></td><td><code>timers</code></td></tr>
<tr><td><a href="API.md#resource-management">Resource management</a></td><td><code>using</code></td></tr>
</tbody>
Feature(s) | Command line identifier |
---|
Make sure you have cloned the repo somewhere and did npm install
successfully.
After that you can run:
node tools/build --features="core"
The above builds the most minimal build you can get. You can add more features separated by spaces from the above list:
node tools/build --features="core filter map reduce"
The custom build file will be found from /js/browser/bluebird.js
. It will have a comment that lists the disabled and enabled features.
Note that the build leaves the /js/main
etc folders with same features so if you use the folder for node.js at the same time, don't forget to build
a full version afterwards (after having taken a copy of the bluebird.js somewhere):
node tools/build --debug --main --zalgo --browser --minify
The value of boolean flags is determined by presence, if you want to pass false value for a boolean flag, use the no-
-prefix e.g. --no-debug
.
--main
- Whether to build the main build. The main build is placed at js/main
directory. Default false
.--debug
- Whether to build the debug build. The debug build is placed at js/debug
directory. Default false
.--zalgo
- Whether to build the zalgo build. The zalgo build is placed at js/zalgo
directory. Default false
.--browser
- Whether to compile the browser build. The browser build file is placed at js/browser/bluebird.js
Default false
.--minify
- Whether to minify the compiled browser build. The minified browser build file is placed at js/browser/bluebird.min.js
Default true
.--features=String
- See custom buildsBuilding a library that depends on bluebird? You should know about a few features.
If your library needs to do something obtrusive like adding or modifying methods on the Promise
prototype, uses long stack traces or uses a custom unhandled rejection handler then... that's totally ok as long as you don't use require("bluebird")
. Instead you should create a file
that creates an isolated copy. For example, creating a file called bluebird-extended.js
that contains:
//NOTE the function call right after
module.exports = require("bluebird/js/main/promise")();
Your library can then use var Promise = require("bluebird-extended");
and do whatever it wants with it. Then if the application or other library uses their own bluebird promises they will all play well together because of Promises/A+ thenable assimilation magic.
You should also know about .nodeify()
which makes it easy to provide a dual callback/promise API.
You may now use sync build by:
var Promise = require("bluebird/zalgo");
The sync build is provided to see how forced asynchronity affects benchmarks. It should not be used in real code due to the implied hazards.
The normal async build gives Promises/A+ guarantees about asynchronous resolution of promises. Some people think this affects performance or just plain love their code having a possibility of stack overflow errors and non-deterministic behavior.
The sync build skips the async call trampoline completely, e.g code like:
async.invoke( this.fn, this, val );
Appears as this in the sync build:
this.fn(val);
This should pressure the CPU slightly less and thus the sync build should perform better. Indeed it does, but only marginally. The biggest performance boosts are from writing efficient Javascript, not from compromising determinism.
Note that while some benchmarks are waiting for the next event tick, the CPU is actually not in use during that time. So the resulting benchmark result is not completely accurate because on node.js you only care about how much the CPU is taxed. Any time spent on CPU is time the whole process (or server) is paralyzed. And it is not graceful like it would be with threads.
var cache = new Map(); //ES6 Map or DataStructures/Map or whatever...
function getResult(url) {
var resolver = Promise.pending();
if (cache.has(url)) {
resolver.resolve(cache.get(url));
}
else {
http.get(url, function(err, content) {
if (err) resolver.reject(err);
else {
cache.set(url, content);
resolver.resolve(content);
}
});
}
return resolver.promise;
}
//The result of console.log is truly random without async guarantees
function guessWhatItPrints( url ) {
var i = 3;
getResult(url).then(function(){
i = 4;
});
console.log(i);
}
Articles about optimization will be periodically posted in the wiki section, polishing edits are welcome.
A single cohesive guide compiled from the articles will probably be done eventually.
The MIT License (MIT)
Copyright (c) 2015 Petka Antonov
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
FAQs
Full featured Promises/A+ implementation with exceptionally good performance
The npm package bluebird receives a total of 14,084,918 weekly downloads. As such, bluebird popularity was classified as popular.
We found that bluebird demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
pnpm 10 blocks lifecycle scripts by default to improve security, addressing supply chain attack risks but sparking debate over compatibility and workflow changes.
Product
Socket now supports uv.lock files to ensure consistent, secure dependency resolution for Python projects and enhance supply chain security.
Research
Security News
Socket researchers have discovered multiple malicious npm packages targeting Solana private keys, abusing Gmail to exfiltrate the data and drain Solana wallets.