Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
The fast-glob package is a Node.js library that provides a fast and efficient way to match file paths against specified patterns. It uses the glob syntax, which is a way of filtering files in file systems using wildcard characters.
Synchronous file searching
This feature allows you to perform synchronous file searches, returning an array of paths that match the specified patterns. The example code searches for all files except markdown files.
const fg = require('fast-glob');
const paths = fg.sync(['**/*', '!**/*.md']);
Asynchronous file searching
This feature allows you to perform asynchronous file searches, returning a promise that resolves with an array of paths that match the specified patterns. The example code searches for all files except markdown files and logs the result.
const fg = require('fast-glob');
fg.async(['**/*', '!**/*.md']).then(paths => {
  console.log(paths);
});
Stream interface for file searching
This feature provides a stream interface for file searching, emitting each matching path as a 'data' event. The example code searches for all files except markdown files and logs each matching path as it's found.
const fg = require('fast-glob');
const stream = fg.stream(['**/*', '!**/*.md']);
stream.on('data', (entry) => console.log(entry));
The 'glob' package is one of the most well-known globbing libraries for Node.js. It is slower than fast-glob but has been around longer and has a large user base.
The 'node-glob' package is another alternative that provides similar functionality to fast-glob. It is also slower and less feature-rich compared to fast-glob.
The 'micromatch' package is a smaller, more focused library for matching files. It is highly performant and offers fine-grained control over the matching process, but it may not be as fast as fast-glob for large sets of files.
The 'minimatch' package is a minimal matching utility that works with the glob syntax. It is the matcher used internally by the 'glob' package and is less feature-rich compared to fast-glob.
This package provides methods for traversing the file system and returning pathnames that match a defined set of patterns according to the rules used by the Unix Bash shell, with some simplifications. Results are returned in arbitrary order. Quick, simple, effective.
This package works in two modes, depending on the environment in which it is used.
Old mode: the stats option is enabled.
Modern mode: the stats option is disabled.
The modern mode is faster. Learn more about the internal mechanism.
:warning: Always use forward-slashes in glob expressions (patterns and the ignore option). Use backslashes for escaping characters.
There is more than one form of syntax: basic and advanced. Below is a brief overview of the supported features. Also pay attention to our FAQ.
:book: This package uses micromatch as a library for pattern matching.
* — matches everything except slashes (path separators), hidden files (names starting with .).
** — matches zero or more directories.
? – matches any single character except slashes (path separators).
[seq] — matches any character in sequence.
:book: A few additional words about the basic matching behavior.
Some examples:
src/**/*.js — matches all files in the src directory (any level of nesting) that have the .js extension.
src/*.?? — matches all files in the src directory (only first level of nesting) that have a two-character extension.
file-[01].js — matches files: file-0.js, file-1.js.
\\ — matching special characters ($^*+?()[]) as literals.
[[:digit:]]: POSIX character classes.
?(pattern-list): extended globs (extglob).
{}: Bash-like brace expansion.
[1-5]: regex character classes.
(a|b): regex groups.
:book: A few additional words about the advanced matching behavior.
Some examples:
src/**/*.{css,scss} — matches all files in the src directory (any level of nesting) that have the .css or .scss extension.
file-[[:digit:]].js — matches files: file-0.js, file-1.js, …, file-9.js.
file-{1..3}.js — matches files: file-1.js, file-2.js, file-3.js.
file-(1|2) — matches files: file-1.js, file-2.js.
npm install fast-glob
fg(patterns, [options])
fg.async(patterns, [options])
fg.glob(patterns, [options])
Returns a Promise with an array of matching entries.
const fg = require('fast-glob');
const entries = await fg(['.editorconfig', '**/index.js'], { dot: true });
// ['.editorconfig', 'services/index.js']
fg.sync(patterns, [options])
fg.globSync(patterns, [options])
Returns an array of matching entries.
const fg = require('fast-glob');
const entries = fg.sync(['.editorconfig', '**/index.js'], { dot: true });
// ['.editorconfig', 'services/index.js']
fg.stream(patterns, [options])
fg.globStream(patterns, [options])
Returns a ReadableStream that emits a data event for each matching entry.
const fg = require('fast-glob');
const stream = fg.stream(['.editorconfig', '**/index.js'], { dot: true });
for await (const entry of stream) {
  // .editorconfig
  // services/index.js
}
patterns
Required: true
Type: string | string[]
Any correct pattern(s).
:1234: Pattern syntax
:warning: This package does not respect the order of patterns. First, all the negative patterns are applied, and only then the positive patterns. If you want to get a certain order of records, use sorting or split calls.
[options]
Required: false
Type: Options
See Options section.
generateTasks(patterns, [options])
Returns the internal representation of patterns (a Task combines patterns by base directory).
fg.generateTasks('*');
[{
    base: '.', // Parent directory for all patterns inside this task
    dynamic: true, // Dynamic or static patterns are in this task
    patterns: ['*'],
    positive: ['*'],
    negative: []
}]
patterns
Required: true
Type: string | string[]
Any correct pattern(s).
[options]
Required: false
Type: Options
See Options section.
isDynamicPattern(pattern, [options])
Returns true if the passed pattern is a dynamic pattern.
fg.isDynamicPattern('*'); // true
fg.isDynamicPattern('abc'); // false
pattern
Required: true
Type: string
Any correct pattern.
[options]
Required: false
Type: Options
See Options section.
escapePath(path)
Returns the path with escaped special characters depending on the platform.
Posix:
*?|(){}[];
! at the beginning of line;
@+! before the opening parenthesis;
\\ before non-special characters;
Windows:
(){}[]
! at the beginning of line;
@+! before the opening parenthesis;
*?| cannot be used in the path (windows_naming_conventions), so they will not be escaped;
fg.escapePath('!abc');
// \\!abc
fg.escapePath('[OpenSource] mrmlnc – fast-glob (Deluxe Edition) 2014') + '/*.flac'
// \\[OpenSource\\] mrmlnc – fast-glob \\(Deluxe Edition\\) 2014/*.flac
fg.posix.escapePath('C:\\Program Files (x86)\\**\\*');
// C:\\\\Program Files \\(x86\\)\\*\\*\\*
fg.win32.escapePath('C:\\Program Files (x86)\\**\\*');
// Windows: C:\\Program Files \\(x86\\)\\**\\*
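The fg.posix.escapePath behaviour shown above matters most when part of a pattern comes from outside the program: glob characters in a directory name would otherwise widen the match. The following is an added example, not fast-glob's own code: a stand-alone re-implementation of the POSIX rules so the effect can be checked without installing the package. The helper names (escapePosixPath, activeGlobChars, patternForDirectory) and the sample directory are assumptions made for the illustration.

```javascript
// Added example: stand-alone re-implementation of the POSIX escaping rules.
// It is not fast-glob's source; in a project call fg.escapePath instead.

// One pass over the string, one alternative per rule:
//   [()*?[\]{|}]            special characters
//   ^!                      "!" at the beginning of the line
//   [!+@](?=\()             "@", "+" or "!" directly before "("
//   \\(?![!()*+?@[\]{|}])   a backslash before a non-special character
// The optional leading (\\?) consumes an escape that is already present,
// so an input such as "\*" is not escaped a second time.
const POSIX_UNESCAPED = /(\\?)([()*?[\]{|}]|^!|[!+@](?=\()|\\(?![!()*+?@[\]{|}]))/g;

function escapePosixPath(path) {
  return path.replace(POSIX_UNESCAPED, '\\$2');
}

// Characters from the set *?|(){}[] that are still live, that is, not
// preceded by a backslash. Hypothetical helper used only to compare patterns.
function activeGlobChars(pattern) {
  const found = [];
  for (let i = 0; i < pattern.length; i++) {
    if (pattern[i] === '\\') { i++; continue; } // skip the escaped character
    if ('*?|(){}[]'.includes(pattern[i])) found.push(pattern[i]);
  }
  return found;
}

// Literal directory (from outside the program) + glob tail (from the code).
function patternForDirectory(untrustedDir, trustedTail) {
  return escapePosixPath(untrustedDir) + '/' + trustedTail;
}

// Constructed sample: a directory name that happens to contain glob syntax.
const sampleDir = 'uploads/{a,b}*';
const naive = sampleDir + '/*.flac';
const safe = patternForDirectory(sampleDir, '*.flac');

console.log(activeGlobChars(naive));                      // braces and "*" still live
console.log(activeGlobChars(escapePosixPath(sampleDir))); // nothing live
console.log(safe);
```

Only the directory part is escaped; the tail stays a glob because it is written by the developer, not received as input.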
convertPathToPattern(path)
Converts a path to a pattern depending on the platform, including special character escaping.
Posix: works similarly to the fg.posix.escapePath method.
Windows: works similarly to the fg.win32.escapePath method, additionally converting backslashes to forward slashes in cases where they are not escape characters (!()+@{}[]).
fg.convertPathToPattern('[OpenSource] mrmlnc – fast-glob (Deluxe Edition) 2014') + '/*.flac';
// \\[OpenSource\\] mrmlnc – fast-glob \\(Deluxe Edition\\) 2014/*.flac
fg.convertPathToPattern('C:/Program Files (x86)/**/*');
// Posix: C:/Program Files \\(x86\\)/\\*\\*/\\*
// Windows: C:/Program Files \\(x86\\)/**/*
fg.convertPathToPattern('C:\\Program Files (x86)\\**\\*');
// Posix: C:\\\\Program Files \\(x86\\)\\*\\*\\*
// Windows: C:/Program Files \\(x86\\)/**/*
fg.posix.convertPathToPattern('\\\\?\\c:\\Program Files (x86)') + '/**/*';
// Posix: \\\\\\?\\\\c:\\\\Program Files \\(x86\\)/**/* (broken pattern)
fg.win32.convertPathToPattern('\\\\?\\c:\\Program Files (x86)') + '/**/*';
// Windows: //?/c:/Program Files \\(x86\\)/**/*
concurrency
Type: number
Default: os.cpus().length
Specifies the maximum number of concurrent requests from a reader to read directories.
:book: The higher the number, the higher the performance and load on the file system. If you want to read in quiet mode, set the value to a comfortable number or 1.
In Node, there are two types of threads: Event Loop (code) and a Thread Pool (fs, dns, …). The thread pool size is controlled by the UV_THREADPOOL_SIZE environment variable. Its default size is 4 (documentation). A single pool is shared by all tasks within a single Node process.
Any code can make 4 real concurrent accesses to the file system. The rest of the FS requests will wait in the queue.
:book: Each new instance of FG in the same Node process will use the same Thread pool.
But this package also has the concurrency option. This option allows you to control the number of concurrent accesses to the FS at the package level. By default, this package has a value equal to the number of cores available for the current Node process. This allows you to set a value smaller than the pool size (concurrency: 1) or, conversely, to prepare tasks for the pool queue more quickly (concurrency: Number.POSITIVE_INFINITY).
So, in fact, this package can only make 4 concurrent requests to the FS. You can increase this value by using an environment variable (UV_THREADPOOL_SIZE), but in practice this does not give a multiple advantage.
cwd
Type: string
Default: process.cwd()
The current working directory in which to search.
deep
Type: number
Default: Infinity
Specifies the maximum depth of a read directory relative to the start directory.
For example, you have the following tree:
dir/
└── one/                  // 1
    └── two/              // 2
        └── file.js       // 3
// With base directory
fg.sync('dir/**', { onlyFiles: false, deep: 1 }); // ['dir/one']
fg.sync('dir/**', { onlyFiles: false, deep: 2 }); // ['dir/one', 'dir/one/two']
// With cwd option
fg.sync('**', { onlyFiles: false, cwd: 'dir', deep: 1 }); // ['one']
fg.sync('**', { onlyFiles: false, cwd: 'dir', deep: 2 }); // ['one', 'one/two']
:book: If you specify a pattern with some base directory, this directory will not participate in the calculation of the depth of the found directories. Think of it as a cwd option.
followSymbolicLinks
Type: boolean
Default: true
Indicates whether to traverse descendants of symbolic link directories when expanding ** patterns.
:book: Note that this option does not affect the base directory of the pattern. For example, if ./a is a symlink to directory ./b and you specified ['./a**', './b/**'] patterns, then directory ./a will still be read.
:book: If the stats option is specified, the information about the symbolic link (fs.lstat) will be replaced with information about the entry (fs.stat) behind it.
fs
Type: FileSystemAdapter
Default: fs.*
Custom implementation of methods for working with the file system.
export interface FileSystemAdapter {
    lstat?: typeof fs.lstat;
    stat?: typeof fs.stat;
    lstatSync?: typeof fs.lstatSync;
    statSync?: typeof fs.statSync;
    readdir?: typeof fs.readdir;
    readdirSync?: typeof fs.readdirSync;
}
ignore
Type: string[]
Default: []
An array of glob patterns to exclude matches. This is an alternative way to use negative patterns.
dir/
├── package-lock.json
└── package.json
fg.sync(['*.json', '!package-lock.json']); // ['package.json']
fg.sync('*.json', { ignore: ['package-lock.json'] }); // ['package.json']
suppressErrors
Type: boolean
Default: false
By default this package suppresses only ENOENT errors. Set to true to suppress any error.
:book: Can be useful when the directory has entries with a special level of access.
throwErrorOnBrokenSymbolicLink
Type: boolean
Default: false
If true, throws an error when a symbolic link is broken; if false, safely returns the result of the lstat call.
:book: This option has no effect on errors when reading the symbolic link directory.
absolute
Type: boolean
Default: false
Return the absolute path for entries.
fg.sync('*.js', { absolute: false }); // ['index.js']
fg.sync('*.js', { absolute: true }); // ['/home/user/index.js']
:book: This option is required if you want to use negative patterns with absolute path, for example, !${__dirname}/*.js.
markDirectories
Type: boolean
Default: false
Mark the directory path with the final slash.
fg.sync('*', { onlyFiles: false, markDirectories: false }); // ['index.js', 'controllers']
fg.sync('*', { onlyFiles: false, markDirectories: true }); // ['index.js', 'controllers/']
objectMode
Type: boolean
Default: false
Returns objects (instead of strings) describing entries.
fg.sync('*', { objectMode: false }); // ['src/index.js']
fg.sync('*', { objectMode: true }); // [{ name: 'index.js', path: 'src/index.js', dirent: <fs.Dirent> }]
The object has the following fields:
name (string) — the last part of the path (basename)
path (string) — full path relative to the pattern base directory
dirent (fs.Dirent) — instance of fs.Dirent
:book: An object is an internal representation of entry, so getting it does not affect performance.
onlyDirectories
Type: boolean
Default: false
Return only directories.
fg.sync('*', { onlyDirectories: false }); // ['index.js', 'src']
fg.sync('*', { onlyDirectories: true }); // ['src']
:book: If true, the onlyFiles option is automatically false.
onlyFiles
Type: boolean
Default: true
Return only files.
fg.sync('*', { onlyFiles: false }); // ['index.js', 'src']
fg.sync('*', { onlyFiles: true }); // ['index.js']
stats
Type: boolean
Default: false
Enables an object mode with an additional field:
stats (fs.Stats) — instance of fs.Stats
fg.sync('*', { stats: false }); // ['src/index.js']
fg.sync('*', { stats: true }); // [{ name: 'index.js', path: 'src/index.js', dirent: <fs.Dirent>, stats: <fs.Stats> }]
:book: Returns fs.stat instead of fs.lstat for symbolic links when the followSymbolicLinks option is specified.
:warning: Unlike object mode this mode requires additional calls to the file system. On average, this mode is at least twice as slow. See old and modern mode for more details.
unique
Type: boolean
Default: true
Ensures that the returned entries are unique.
fg.sync(['*.json', 'package.json'], { unique: false }); // ['package.json', 'package.json']
fg.sync(['*.json', 'package.json'], { unique: true }); // ['package.json']
If true and similar entries are found, the result is the first found.
braceExpansion
Type: boolean
Default: true
Enables Bash-like brace expansion.
:1234: Syntax description or more detailed description.
dir/
├── abd
├── acd
└── a{b,c}d
fg.sync('a{b,c}d', { braceExpansion: false }); // ['a{b,c}d']
fg.sync('a{b,c}d', { braceExpansion: true }); // ['abd', 'acd']
caseSensitiveMatch
Type: boolean
Default: true
Enables a case-sensitive mode for matching files.
dir/
├── file.txt
└── File.txt
fg.sync('file.txt', { caseSensitiveMatch: false }); // ['file.txt', 'File.txt']
fg.sync('file.txt', { caseSensitiveMatch: true }); // ['file.txt']
dot
Type: boolean
Default: false
Allow patterns to match entries that begin with a period (.).
:book: Note that an explicit dot in a portion of the pattern will always match dot files.
dir/
├── .editorconfig
└── package.json
fg.sync('*', { dot: false }); // ['package.json']
fg.sync('*', { dot: true }); // ['.editorconfig', 'package.json']
extglob
Type: boolean
Default: true
Enables Bash-like extglob functionality.
:1234: Syntax description.
dir/
├── README.md
└── package.json
fg.sync('*.+(json|md)', { extglob: false }); // []
fg.sync('*.+(json|md)', { extglob: true }); // ['README.md', 'package.json']
globstar
Type: boolean
Default: true
Enables recursive matching for a pattern containing **. If false, ** behaves exactly like *.
dir/
└── a
    └── b
fg.sync('**', { onlyFiles: false, globstar: false }); // ['a']
fg.sync('**', { onlyFiles: false, globstar: true }); // ['a', 'a/b']
baseNameMatch
Type: boolean
Default: false
If set to true, then patterns without slashes will be matched against the basename of the path if it contains slashes.
dir/
└── one/
    └── file.md
fg.sync('*.md', { baseNameMatch: false }); // []
fg.sync('*.md', { baseNameMatch: true }); // ['one/file.md']
All patterns can be divided into two types:
Static: the file.js pattern is a static pattern because we can just verify that it exists on the file system.
Dynamic: the * pattern is a dynamic pattern because we cannot use this pattern directly.
A pattern is considered dynamic if it contains the following characters (… — any characters or their absence) or options:
The caseSensitiveMatch option is disabled
\\ (the escape character)
*, ?, ! (at the beginning of line)
[…]
(…|…)
@(…), !(…), *(…), ?(…), +(…) (respects the extglob option)
{…,…}, {…..…} (respects the braceExpansion option)
Always use forward-slashes in glob expressions (patterns and the ignore option). Use backslashes for escaping characters. With the cwd option use a convenient format.
Bad
[
    'directory\\*',
    path.join(process.cwd(), '**')
]
Good
[
    'directory/*',
    fg.convertPathToPattern(process.cwd()) + '/**'
]
:book: Use the .convertPathToPattern method to convert a Windows-style path to a Unix-style path.
Read more about matching with backslashes.
dir/
└── (special-*file).txt
fg.sync(['(special-*file).txt']) // []
This behaviour follows Bash. You need to escape special characters:
fg.sync(['\\(special-*file\\).txt']) // ['(special-*file).txt']
Read more about matching special characters as literals. Or use the .escapePath method.
You can use a negative pattern like this: !**/node_modules or !**/node_modules/**. You can also use the ignore option. Just look at the example below.
first/
├── file.md
└── second/
    └── file.txt
If you don't want to read the second directory, you must write the following pattern: !**/second or !**/second/**.
fg.sync(['**/*.md', '!**/second']); // ['first/file.md']
fg.sync(['**/*.md'], { ignore: ['**/second/**'] }); // ['first/file.md']
:warning: When you write !**/second/**/* it means that the directory will be read, but all the entries will not be included in the results.
You have to understand that if you write the pattern to exclude directories, then the directory will not be read under any circumstances.
You cannot use Uniform Naming Convention (UNC) paths as patterns (due to syntax) directly, but you can use them as the cwd directory or use the fg.convertPathToPattern method.
// cwd
fg.sync('*', { cwd: '\\\\?\\C:\\Python27' /* or //?/C:/Python27 */ });
fg.sync('Python27/*', { cwd: '\\\\?\\C:\\' /* or //?/C:/ */ });
// .convertPathToPattern
fg.sync(fg.convertPathToPattern('\\\\?\\c:\\Python27') + '/*');
Compatible with node-glob?
node-glob | fast-glob |
---|---|
cwd | cwd |
root | – |
dot | dot |
nomount | – |
mark | markDirectories |
nosort | – |
nounique | unique |
nobrace | braceExpansion |
noglobstar | globstar |
noext | extglob |
nocase | caseSensitiveMatch |
matchBase | baseNameMatch |
nodir | onlyFiles |
ignore | ignore |
follow | followSymbolicLinks |
realpath | – |
absolute | absolute |
You can see results here for every commit into the main branch.
See the Releases section of our GitHub project for the changelog of each release version.
This software is released under the terms of the MIT license.
FAQs
It's a very fast and efficient glob library for Node.js
The npm package fast-glob receives a total of 42,995,290 weekly downloads. As such, fast-glob popularity was classified as popular.
We found that fast-glob demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.