Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
cmd-ts
💻 A type-driven command line argument parser, with awesome error reporting 🤤
Not all command line arguments are strings, but for some reason, our CLI parsers force us to use strings everywhere. 🤔 cmd-ts
is a fully-fledged command line argument parser, influenced by Rust's clap
and structopt
:
🤩 Awesome autocomplete, awesome safeness
🎭 Decode your own custom types from strings with logic and context-aware error handling
🌲 Nested subcommands, composable API
import { command, run, string, number, positional, option } from 'cmd-ts';
const cmd = command({
name: 'my-command',
description: 'print something to the screen',
version: '1.0.0',
args: {
number: positional({ type: number, displayName: 'num' }),
message: option({
long: 'greeting',
type: string,
}),
},
handler: args => {
args.message; // string
args.number; // number
console.log(args);
},
});
run(cmd, process.argv.slice(2));
command(arguments)
Creates a CLI command. Returns either a parsing error, or an object where every argument provided gets the value with the correct type, along with a special _
key that contains the "rest" of the positional arguments.
Not all command line arguments are strings. You sometimes want integers, UUIDs, file paths, directories, globs...
Note: this section describes the
ReadStream
type, implemented in./src/example/test-types.ts
Let's say we're about to write a cat
clone. We want to accept a file to read into stdout. A simple example would be something like:
// my-app.ts
import { command, run, positional, string } from 'cmd-ts';
const app = command({
/// name: ...,
args: {
file: positional({ type: string, displayName: 'file' }),
},
handler: ({ file }) => {
// read the file to the screen
fs.createReadStream(file).pipe(stdout);
},
});
// parse arguments
run(app, process.argv.slice(2));
That works okay. But we can do better. In which ways?
What if we had a way to get a Stream
out of the parser, instead of a plain string? This is where cmd-ts
gets its power from, custom type decoding:
// ReadStream.ts
import { Type } from 'cmd-ts';
import fs from 'fs';
// Type<string, Stream> reads as "A type from `string` to `Stream`"
const ReadStream: Type<string, Stream> = {
async from(str) {
if (!fs.existsSync(str)) {
// Here is our error handling!
throw new Error('File not found');
}
return fs.createReadStream(str);
},
};
Now we can use (and share) this type and always get a Stream
, instead of carrying the implementation detail around:
// my-app.ts
import { command, run, positional } from 'cmd-ts';
const app = command({
// name: ...,
args: {
stream: positional({ type: ReadStream, displayName: 'file' }),
},
handler: ({ stream }) => stream.pipe(process.stdout),
});
// parse arguments
run(app, process.argv.slice(2));
Encapsulating runtime behaviour and safe type conversions can help us with awesome user experience:
-
, and when it happens, return process.stdin
like many Unix applicationsAnd the best thing about it — everything is encapsulated to an easily tested type definition, which can be easily shared and reused. Take a look at io-ts-types, for instance, which has types like DateFromISOString, NumberFromString and more, which is something we can totally do.
This project was previously called clio-ts
, because it was based on io-ts
. This is no longer the case, because I want to reduce the dependency count and mental overhead. I might have a function to migrate types between the two.
FAQs
> 💻 A type-driven command line argument parser, with awesome error reporting 🤤
The npm package cmd-ts receives a total of 59,349 weekly downloads. As such, cmd-ts popularity was classified as popular.
We found that cmd-ts demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.