
Security News
npm v12 Ships With Install Scripts Off by Default, Begins Deprecating 2FA-Bypass Tokens
npm v12 is generally available, turning install scripts off by default and beginning the deprecation of 2FA-bypass publishing tokens.
brace-expansion
Advanced tools
Brace expansion, as known from sh/bash, in JavaScript.
import { expand } from 'brace-expansion'
expand('file-{a,b,c}.jpg')
// => ['file-a.jpg', 'file-b.jpg', 'file-c.jpg']
expand('-v{,,}')
// => ['-v', '-v', '-v']
expand('file{0..2}.jpg')
// => ['file0.jpg', 'file1.jpg', 'file2.jpg']
expand('file-{a..c}.jpg')
// => ['file-a.jpg', 'file-b.jpg', 'file-c.jpg']
expand('file{2..0}.jpg')
// => ['file2.jpg', 'file1.jpg', 'file0.jpg']
expand('file{0..4..2}.jpg')
// => ['file0.jpg', 'file2.jpg', 'file4.jpg']
expand('file-{a..e..2}.jpg')
// => ['file-a.jpg', 'file-c.jpg', 'file-e.jpg']
expand('file{00..10..5}.jpg')
// => ['file00.jpg', 'file05.jpg', 'file10.jpg']
expand('{{A..C},{a..c}}')
// => ['A', 'B', 'C', 'a', 'b', 'c']
expand('ppp{,config,oe{,conf}}')
// => ['ppp', 'pppconfig', 'pppoe', 'pppoeconf']
import { expand } from 'brace-expansion'
Return an array of all possible and valid expansions of str. If
none are found, [str] is returned.
The options object can provide a max value to cap the number
of expansions allowed. This is limited to 100_000 by default,
to prevent DoS attacks.
const expansions = expand('{1..100}'.repeat(5), {
max: 100,
})
// expansions.length will be 100, not 100^5
Valid expansions are:
;/^(.*,)+(.+)?$/
// {a,b,...}
A comma separated list of options, like {a,b} or {a,{b,c}} or {,a,}.
;/^-?\d+\.\.-?\d+(\.\.-?\d+)?$/
// {x..y[..incr]}
A numeric sequence from x to y inclusive, with optional increment.
If x or y start with a leading 0, all the numbers will be padded
to have equal length. Negative numbers and backwards iteration work too.
;/^-?\d+\.\.-?\d+(\.\.-?\d+)?$/
// {x..y[..incr]}
An alphabetic sequence from x to y inclusive, with optional increment.
x and y must be exactly one character, and if given, incr must be a
number.
For compatibility reasons, the string ${ is not eligible for brace expansion.
Minimatch is a minimal matching utility that works with patterns similar to those in shell scripting. It is often used for matching file names and provides functionality similar to brace-expansion but with a broader set of pattern matching features.
Glob is a package that allows pattern matching based on the Unix shell's glob syntax. It includes brace expansion as part of its pattern matching capabilities, but it is primarily used for file system operations, such as finding files that match a given pattern.
Micromatch is a highly optimized and faster alternative to minimatch and glob. It provides advanced pattern matching with a focus on performance. It supports brace expansion and is often used in build tools and file watchers.
FAQs
Brace expansion as known from sh/bash
The npm package brace-expansion receives a total of 457,430,448 weekly downloads. As such, brace-expansion popularity was classified as popular.
We found that brace-expansion demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
npm v12 is generally available, turning install scripts off by default and beginning the deprecation of 2FA-bypass publishing tokens.

Research
/Security News
Socket tracks the activity as Operation “Muck and Load”: a threat actor uses commit-farming workflows, public dead drops, and protected archives to stage Windows RAT and infostealer malware.

Security News
pnpm 11.10 hardens registry auth to block token redirection, tightens pack-app and deploy, and makes the Rust port (v12) installable.