Take a nested JavaScript object and flatten it, or unflatten an object with delimited keys
The flat npm package allows for flattening and unflattening complex nested objects and arrays in JavaScript. It can be used to convert deeply nested objects into a single level object with dot-separated keys, or to expand a flat object with dot-separated keys back into a nested structure. This can be particularly useful when dealing with data that needs to be stored in a format that doesn't support nested structures, such as certain databases, or when you need to simplify the structure of data for processing or transmission.
Flatten
Converts a nested object into a flat object with dot-separated keys. In the code sample, the 'flatten' method is used to transform the 'original' object into a single-level 'flattened' object with keys like 'b.c' and 'b.d.e'.
{"original": {"a": 1, "b": {"c": 2, "d": {"e": 3}}}, "flattened": flat.flatten({"a": 1, "b": {"c": 2, "d": {"e": 3}}})}
Unflatten
Converts a flat object with dot-separated keys back into a nested object. In the code sample, the 'unflatten' method is used to transform the 'flattened' object back into its original nested structure.
{"flattened": {"a": 1, "b.c": 2, "b.d.e": 3}, "unflattened": flat.unflatten({"a": 1, "b.c": 2, "b.d.e": 3})}
Lodash is a utility library that offers a wide range of functions for manipulating objects and collections. It includes methods like '_.get' and '_.set' which can be used to manipulate nested paths in objects, similar to how 'flat' can flatten and unflatten objects. However, lodash is a much larger library with a broader scope of functionality beyond just flattening and unflattening.
Deepdash is an extension for lodash that adds deep operations on objects and arrays. It provides methods for deep manipulation of nested structures, which can be seen as an alternative to 'flat' for certain use cases. Deepdash focuses on deep operations, while 'flat' specifically focuses on flattening and unflattening objects.
Take a nested JavaScript object and flatten it, or unflatten an object with delimited keys.
$ npm install flat
Flattens the object - it'll return an object one level deep, regardless of how nested the original object was:
import { flatten } from 'flat'

flatten({
  key1: {
    keyA: 'valueI'
  },
  key2: {
    keyB: 'valueII'
  },
  key3: { a: { b: { c: 2 } } }
})
// {
//   'key1.keyA': 'valueI',
//   'key2.keyB': 'valueII',
//   'key3.a.b.c': 2
// }
Flattening is reversible too, you can call unflatten on an object:
import { unflatten } from 'flat'

unflatten({
  'three.levels.deep': 42,
  'three.levels': {
    nested: true
  }
})
// {
//   three: {
//     levels: {
//       deep: 42,
//       nested: true
//     }
//   }
// }
Use a custom delimiter for (un)flattening your objects, instead of a dot (.).
When the safe option is enabled, both flat and unflatten will preserve arrays and their contents. This is disabled by default.
import { flatten } from 'flat'

flatten({
  this: [
    { contains: 'arrays' },
    { preserving: {
      them: 'for you'
    }}
  ]
}, {
  safe: true
})
// {
//   'this': [
//     { contains: 'arrays' },
//     { preserving: {
//       them: 'for you'
//     }}
//   ]
// }
When the object option is enabled, arrays will not be created automatically when calling unflatten, like so:
unflatten({
  'hello.you.0': 'ipsum',
  'hello.you.1': 'lorem',
  'hello.other.world': 'foo'
}, { object: true })
// hello: {
//   you: {
//     0: 'ipsum',
//     1: 'lorem',
//   },
//   other: { world: 'foo' }
// }
When the overwrite option is enabled, existing keys in the unflattened object may be overwritten if they cannot hold a newly encountered nested value:
unflatten({
  'TRAVIS': 'true',
  'TRAVIS.DIR': '/home/travis/build/kvz/environmental'
}, { overwrite: true })
// TRAVIS: {
//   DIR: '/home/travis/build/kvz/environmental'
// }
Without overwrite set to true, the TRAVIS key would already have been set to a string, thus could not accept the nested DIR element.
This only makes sense on ordered arrays, and since we're overwriting data, should be used with care.
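A pre-check for the collision case described above, as an added example that is not part of the flat README or its code: it lists flat keys that hold a non-object value while also being a prefix of another key, so ambiguous input can be rejected before unflattening. The names findKeyCollisions and assertNoCollisions and the sample object are assumptions made for illustration; the check is order-independent and does not call flat itself.

```javascript
// Added example, not part of flat: find flat keys that already hold a
// non-object value while also being a prefix of another key. These are the
// keys that `overwrite: true` replaces and that are otherwise unable to
// accept the nested element.
function findKeyCollisions(flatObj, delimiter = '.') {
  const canHoldChildren = (v) => v !== null && typeof v === 'object'
  const collisions = []
  for (const key of Object.keys(flatObj)) {
    const parts = key.split(delimiter)
    // Check every proper prefix of the key: 'a.b.c' -> 'a', then 'a.b'.
    for (let i = 1; i < parts.length; i++) {
      const parent = parts.slice(0, i).join(delimiter)
      const taken = Object.prototype.hasOwnProperty.call(flatObj, parent)
      if (taken && !canHoldChildren(flatObj[parent])) {
        collisions.push({ parent, child: key })
      }
    }
  }
  return collisions
}

// Refuse ambiguous input instead of letting one value replace another.
function assertNoCollisions(flatObj, delimiter = '.') {
  const found = findKeyCollisions(flatObj, delimiter)
  if (found.length > 0) {
    const list = found.map((c) => `${c.parent} <-> ${c.child}`).join(', ')
    throw new Error(`conflicting flat keys: ${list}`)
  }
  return flatObj
}

// Constructed sample input, reusing the keys from the examples above.
const envLike = {
  'TRAVIS': 'true',
  'TRAVIS.DIR': '/home/travis/build/kvz/environmental',
  'three.levels.deep': 42,
  'three.levels': { nested: true }
}
console.log(findKeyCollisions(envLike))
```

Running assertNoCollisions on data built from environment variables or other externally supplied keys, before unflatten is called with overwrite enabled, turns a silent replacement into an explicit error.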
The maxDepth option sets the maximum number of nested objects to flatten.
import { flatten } from 'flat'

flatten({
  key1: {
    keyA: 'valueI'
  },
  key2: {
    keyB: 'valueII'
  },
  key3: { a: { b: { c: 2 } } }
}, { maxDepth: 2 })
// {
//   'key1.keyA': 'valueI',
//   'key2.keyB': 'valueII',
//   'key3.a': { b: { c: 2 } }
// }
The transformKey option transforms each part of a flat key before and after flattening.
import { flatten, unflatten } from 'flat'

flatten({
  key1: {
    keyA: 'valueI'
  },
  key2: {
    keyB: 'valueII'
  },
  key3: { a: { b: { c: 2 } } }
}, {
  transformKey: function(key){
    return '__' + key + '__';
  }
})
// {
//   '__key1__.__keyA__': 'valueI',
//   '__key2__.__keyB__': 'valueII',
//   '__key3__.__a__.__b__.__c__': 2
// }

unflatten({
  '__key1__.__keyA__': 'valueI',
  '__key2__.__keyB__': 'valueII',
  '__key3__.__a__.__b__.__c__': 2
}, {
  transformKey: function(key){
    return key.substring(2, key.length - 2)
  }
})
// {
//   key1: {
//     keyA: 'valueI'
//   },
//   key2: {
//     keyB: 'valueII'
//   },
//   key3: { a: { b: { c: 2 } } }
// }
flat is also available as a command line tool. You can run it with npx:
npx flat foo.json
Or install the flat command globally:
npm i -g flat && flat foo.json
Accepts a filename as an argument:
flat foo.json
Also accepts JSON on stdin:
cat foo.json | flat
FAQs
The npm package flat receives a total of 12,687,632 weekly downloads. As such, flat's popularity was classified as popular.
We found that flat demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.