Research
Security News
Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Fast and lightweight, standard-compliant javascript parser written in ECMAScript
A very fast and lightweight, standards-compliant, self-hosted javascript parser with high focus on both performance and stability.
Stage 3
features support. These need to be enabled with the next
option.
Cherow generates AST according to ESTree AST format, and can be used to perform syntactic analysis (parsing) of a JavaScript program, and with ES2015 and later a JavaScript program can be either a script or a module.
The parse
method exposed by Cherow takes an optional options
object which allows you to specify whether to parse in script
mode (the default) or in module
mode.
Here is a quick example to parse a script:
cherow.parseScript('foo = bar');
// or
cherow.parse('x = async() => { for await (x of xs); }');
This will return when serialized in json:
{
body: [{
expression: {
left: {
name: 'x',
type: 'Identifier'
},
operator: '=',
right: {
async: true,
body: {
body: [{
await: true,
body: {
type: 'EmptyStatement',
},
left: {
name: 'x',
type: 'Identifier',
},
right: {
name: 'xs',
type: 'Identifier',
},
type: 'ForOfStatement',
}],
type: 'BlockStatement'
},
expression: false,
generator: false,
id: null,
params: [],
type: 'ArrowFunctionExpression'
},
type: 'AssignmentExpression'
},
type: 'ExpressionStatement'
}],
sourceType: 'script',
type: 'Program'
}
The API also allows you to use Cherow as a stand-alone expression parser and let you parse your code in either script or module goal code.
cherow.parseExpression('foo', { ranges: true });
This will return when serialized in json:
{
end: 3,
name: 'foo',
start: 0,
type: 'Identifier'
}
The second argument allows you to specify various options:
Option | Description |
---|---|
module | Enable module syntax |
ranges | Append start and end offsets to each node |
globalReturn | Allow return in the global scope |
globalAwait | Allow await in the global scope |
webcompat | Enable web compability (AnnexB) |
impliedStrict | Enable strict mode initial enforcement |
next | Enable stage 3 support (ESNext) |
experimental | Enable experimental features |
parenthesizedExpr | Enable non-standard parenthesized expression node |
raw | Attach raw property to each literal node and identifier node |
directives | Enable directive prologue to each literal node |
onComment | Accept either callback or array to collect comment |
onToken | Accept either callback or array and returns each found token |
Cherow aim to support the same experimental features as found in V8 when enabling the 'experimental' flag. However. An exception has been made for the numeric separators proposal. It's currently pending on Stage 2 after being "degraded" from Stage 3. The future of this proposal seems uncertain at the moment and will not be implemented.
Also the proposal-decorators are constantly changing so at current stage this will not be implemented.
It's available on NPM.
If you feel something could've been done better, please do feel free to file a pull request with the changes.
Read our guidelines here
If you caught a bug, don't hesitate to report it in the issue tracker. From the moment I respond to you, it will take maximum 60 minutes before the bug is fixed.
Note that I will try to respond to you within one hour. Sometimes it can take a bit longer. I'm not allways online. And if I find out it will take more then 60 minutes to solve your issue, you will be notified.
I know how irritating it can be if you are writing code and encounter bugs in your dependencies. And even more frustrating if you need to wait weeks or days.
Existing parsers have many issues with them:
Acorn
is the most commonly used tool out there because of its support for recent ES standards, but it's slow and it often is too permissive in what it accepts. It's also not optimized for handheld devices.
Esprima
is a little faster than Acorn, but it's almost never updated, and their test suite has too many invalid tests. It also doesn't support recent ES standards.
Babylon
is tightly coupled to Babel, and is comparatively very slow.
Most of these parsers would not fare any chance against the official Test262 suite, and fail a substantial number of them.
We figured we could try do better. We are used in plural form because Cherow is developed by a main developer and two others "behind the scenes" that contributes with their knowledge whenever it's necessary.
Cross-browser testing provided by:
FAQs
Fast and lightweight, standard-compliant javascript parser written in ECMAScript
The npm package cherow receives a total of 16,905 weekly downloads. As such, cherow popularity was classified as popular.
We found that cherow demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.