Security News
High-Severity RCE Vulnerability Disclosed in next-mdx-remote
HashiCorp disclosed a high-severity RCE in next-mdx-remote affecting versions 4.3.0 to 5.x when compiling untrusted MDX on the server.
By Sarah Gooding - Feb 12, 2026
Latest Threat Research:Malicious dYdX Packages Published to npm and PyPI After Maintainer Compromise.Details →
expand 
Recursively resolve templates in an object, string or array.
Heads up!
v0.2.0 API changes
The top-level export now returns a function that takes an options object, which then returns the function to use.
var expand = require('expand');
var resolve = expand({regex: /:(\w+)/});
resolve(':a/:b', {a: 'foo', b: 'bar'});
//=> 'foo/bar'
Install
Install with npm
$ npm i expand --save
Usage
var expand = require('expand')();
expand({a: '<%= b %>', b: 'c'});
//=> {a: 'c', b: 'c'}
expand({a: '<%= b.c.d %>', b: {c: {d: 'eee'}}});
//=> {a: 'eee', b: {c: {d: 'eee' }}}
Params
expand(valueToExpand, dataToUse, options);
value{String|Array|Object}: The value with templates to resolve.data{Object}: Pass the data to use for resolving templates. If the first argument is an object, this is optional.options{Object}: Pass the regex to use for matching templates.returns{any}: Returns a string, object or array based on what was passed.
Example
If an object is passed, only the first argument is strictly necessary.
expand({a: '<%= b %>', b: '<%= c %>', c: 'It worked!'});
//=> {a: 'It worked!', b: 'It worked!', c: 'It worked!'}
More examples
process templates in objects
expand({a: {c: '<%= d %>'}, d: {f: 'g'}});
//=> {a: {c: {f: 'g'}}, d: {f: 'g'}};
process a template in an array
expand(['<%= a %>'], {a: 'b'});
//=> ['b']
process templates in a string
expand('<%= a %>', {a: 'b'});
//=> 'b'
process multiple templates in an array
expand(['<%= a %>', '<%= b %>'], {a: 'b', b: 'c'});
//=> ['b', 'c']
expand nested templates in an object
var data = {a: {b: {c: 'd'}}};
expand({foo: '<%= a.b.c %>'}, data);
//=> {foo: 'd'}
recursively expand templates
var data = {a: '<%= b %>', b: '<%= c %>', c: 'the end!'};
expand('<%= a %>', data);
//=> 'the end!'
process multiple templates in the same string
var str = '<%= a %>/<%= b %>';
expand(str, {a: 'foo', b: 'bar'});
//=> 'foo/bar'
process multiple templates in an object value
var data = {
a: {
c: '<%= d %>/<%= e %>'
},
d: 'ddd',
e: 'eee'
};
expand(data).a.c;
//=> 'ddd/eee'
recursively process templates in object values
var data = {
a: '<%= b %>/<%= c %>',
b: 'xxx',
c: '<%= y %>',
y: 'zzz'
};
expand('<%= a %>', data);
//=> 'xxx/zzz'
call helpers in templates
var ctx = {
foo: 'bar',
c: {
d: {
e: function (str) {
return str.toUpperCase();
}
}
}
};
expand('abc <%= c.d.e(foo) %> xyz', ctx);
//=> 'abc BAR xyz'
use custom regex
Options may be passed as the third argument. Currently options.regex is the only option.
var data = {a: 'bbb', c: 'ddd', e: 'fff'};
expand({foo: ':c/:e'}, data, {regex: /:([(\w ),]+)/});
//=> {foo: 'ddd/fff'}
call functions with custom regex.
var data = {
a: {c: ':d/:e/:upper(f)'},
d: 'ddd',
e: 'eee',
f: 'foo',
upper: function (str) {
return str.toUpperCase();
}
};
var result = expand(data, data, {regex: /:([(\w ),]+)/});
console.log(result.a.c);
//=> 'ddd/eee/FOO'
Related projects
- engine: Template engine based on Lo-Dash template, but adds features like the ability to register helpers… more | homepage
- expand-object: Expand a string into a JavaScript object using a simple notation. Use the CLI or… more | homepage
- get-value: Use property paths (
a.b.c) to get a nested value from an object. | homepage - glob-object: Filter an object using glob patterns and dot notation. | homepage
- set-value: Create nested values and any intermediaries using dot notation (
'a.b.c') paths. | homepage
Alternatives
Here are some great libs by other authors. My needs for expand differed enough to create a new library, but these are definitely worth a look:
Running tests
Install dev dependencies:
$ npm i -d && npm test
Contributing
Pull requests and stars are always welcome. For bugs and feature requests, please create an issue.
Author
Jon Schlinkert
License
Copyright © 2015 Jon Schlinkert Released under the MIT license.
This file was generated by verb-cli on September 17, 2015.
FAQs
Recursively resolve templates in an object, string or array.
The npm package expand receives a total of 3,459 weekly downloads. As such, expand popularity was classified as popular.
We found that expand demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Package last updated on 17 Sep 2015
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
OpenClaw Skill Marketplace Emerges as Active Malware Vector
Security researchers report widespread abuse of OpenClaw skills to deliver info-stealing malware, exposing a new supply chain risk as agent ecosystems scale.
By Sarah Gooding - Feb 09, 2026
Security News
The Next Open Source Security Race: Triage at Machine Speed
Claude Opus 4.6 has uncovered more than 500 open source vulnerabilities, raising new considerations for disclosure, triage, and patching at scale.
By Sarah Gooding - Feb 06, 2026