Security News
Node.js EOL Versions CVE Dubbed the "Worst CVE of the Year" by Security Experts
Critics call the Node.js EOL CVE a misuse of the system, sparking debate over CVE standards and the growing noise in vulnerability databases.
fast-check
Advanced tools
fast-check is a property-based testing library for JavaScript and TypeScript. It allows developers to define properties that should hold true for a wide range of inputs, and then automatically generates test cases to verify those properties. This helps in identifying edge cases and ensuring the robustness of the code.
Property-based Testing
This feature allows you to define properties that should hold true for a wide range of inputs. In this example, the property being tested is the commutativity of addition.
const fc = require('fast-check');
fc.assert(
fc.property(fc.integer(), fc.integer(), (a, b) => {
return a + b === b + a;
})
);
Custom Arbitraries
Custom arbitraries allow you to define complex data structures for your tests. In this example, a custom arbitrary is created that generates objects with a number and a string.
const fc = require('fast-check');
const myArbitrary = fc.tuple(fc.integer(), fc.string()).map(([num, str]) => ({ num, str }));
fc.assert(
fc.property(myArbitrary, ({ num, str }) => {
return typeof num === 'number' && typeof str === 'string';
})
);
Shrinkable Values
Shrinkable values help in minimizing the size of failing test cases to make debugging easier. In this example, if the property fails, fast-check will try to find the smallest array that causes the failure.
const fc = require('fast-check');
fc.assert(
fc.property(fc.array(fc.integer()), (arr) => {
return arr.length < 100;
}),
{ verbose: true }
);
jsverify is another property-based testing library for JavaScript. It offers similar functionality to fast-check, such as defining properties and generating test cases. However, fast-check is generally considered to have a more modern API and better TypeScript support.
testcheck is a property-based testing library inspired by QuickCheck. It provides similar capabilities for generating test cases and defining properties. Compared to fast-check, testcheck is less actively maintained and has fewer features.
Hypothesis is a property-based testing library for Python, but it has inspired several JavaScript libraries, including fast-check. While not a direct competitor, it offers similar concepts and is often used as a reference for property-based testing.
Property based testing framework for JavaScript/TypeScript
Hands-on tutorial and definition of Property Based Testing: :checkered_flag: see tutorial.
Property based testing frameworks check the truthfulness of properties. A property is a statement like: for all (x, y, ...) such as precondition(x, y, ...) holds property(x, y, ...) is true.
Install the module with: npm install fast-check --save-dev
Example of integration in mocha:
const fc = require('fast-check');
// Code under test
const contains = (text, pattern) => text.indexOf(pattern) >= 0;
// Properties
describe('properties', () => {
// string text always contains itself
it('should always contain itself', () => {
fc.assert(fc.property(fc.string(), text => contains(text, text)));
});
// string a + b + c always contains b, whatever the values of a, b and c
it('should always contain its substrings', () => {
fc.assert(fc.property(fc.string(), fc.string(), fc.string(), (a,b,c) => contains(a+b+c, b)));
});
});
In case of failure, the test raises a red flag. Its output should help you to diagnose what went wrong in your implementation. Example with a failing implementation of contain:
1) should always contain its substrings
Error: Property failed after 1 tests (seed: 1527422598337, path: 0:0): ["","",""]
Shrunk 1 time(s)
Got error: Property failed by returning false
Hint: Enable verbose mode in order to have the list of all failing values encountered during the run
Integration with other test frameworks: ava, jasmine, jest, mocha and tape.
More examples: simple examples, fuzzing and against various algorithms.
Useful documentations:
fast-check has initially been designed in an attempt to cope with limitations I encountered while using other property based testing frameworks designed for JavaScript:
fc.oneof
- surprisingly some frameworks don'tmap
method to derive existing arbitraries while keeping shrink - some frameworks ask the user to provide both a->b and b->a mappings in order to keep a shrinkerchain
- able to bind the output of an arbitrary as input of another one while keeping the shrink workingfc.pre(...)
- filtering invalid entries can be done directly inside the check function if neededFor more details, refer to the documentation in the links above.
fast-check has been able to find some unexpected behaviour among famous npm packages. Here are some of the errors detected using fast-check:
Issue detected: enabling !!int: binary
style when dumping negative integers produces invalid content [more]
Code example: yaml.dump({toto: -10}, {styles:{'!!int':'binary'}})
produces toto: 0b-1010
not toto: -0b1010
Issue detected: unicode characters outside of the BMP plan are not handled consistently [more]
Code example:
leftPad('a\u{1f431}b', 4, 'x') //=> 'a\u{1f431}b' -- in: 3 code points, out: 3 code points
leftPad('abc', 4, '\u{1f431}') //=> '\u{1f431}abc' -- in: 3 code points, out: 4 code points
Issue detected: enabling the bracket
setting when exporting arrays containing null values produces an invalid output for the parser [more]
Code example:
m.stringify({bar: ['a', null, 'b']}, {arrayFormat: 'bracket'}) //=> "bar[]=a&bar&bar[]=b"
m.parse('bar[]=a&bar&bar[]=b', {arrayFormat: 'bracket'}) //=> {bar: [null, 'b']}
FAQs
Property based testing framework for JavaScript (like QuickCheck)
The npm package fast-check receives a total of 1,836,438 weekly downloads. As such, fast-check popularity was classified as popular.
We found that fast-check demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Critics call the Node.js EOL CVE a misuse of the system, sparking debate over CVE standards and the growing noise in vulnerability databases.
Security News
cURL and Go security teams are publicly rejecting CVSS as flawed for assessing vulnerabilities and are calling for more accurate, context-aware approaches.
Security News
Bun 1.2 enhances its JavaScript runtime with 90% Node.js compatibility, built-in S3 and Postgres support, HTML Imports, and faster, cloud-first performance.