get-intrinsic
Get and robustly cache all JS language-level intrinsics at first require time
The get-intrinsic package is a utility that allows you to safely obtain references to ECMAScript language intrinsics without relying on the global namespace, which can be altered by other code. It helps in writing robust code that doesn't get affected by modifications to the global objects or functions.
Getting intrinsic values
This feature allows you to get the original intrinsic value of Array.prototype.push, which can then be used to push elements to arrays without relying on Array.prototype.push being unmodified.
var getIntrinsic = require('get-intrinsic');
var ArrayPrototypePush = getIntrinsic('%Array.prototype.push%');
var anArray = [1, 2, 3];
ArrayPrototypePush.call(anArray, 4); // push needs the array as its receiver; anArray becomes [1, 2, 3, 4]
Accessing deep intrinsics
This feature allows you to access deep intrinsic properties like Object.prototype.hasOwnProperty, which can be used to check for properties even if the method on the global object has since been altered.
var getIntrinsic = require('get-intrinsic');
var hasOwn = getIntrinsic('%Object.prototype.hasOwnProperty%');
var hasDuck = hasOwn.call({ duck: 'quack' }, 'duck'); // hasDuck is true
Ensuring unmodified constructors
This feature allows you to use the original Array constructor to create new arrays, so the result does not depend on whether the Array binding in the global scope has since been modified.
var getIntrinsic = require('get-intrinsic');
var ArrayConstructor = getIntrinsic('%Array%');
var myArray = new ArrayConstructor(1, 2, 3); // myArray is [1, 2, 3]
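The idea behind caching intrinsics at first require time, shown in plain JavaScript as an added example (not code from get-intrinsic or this page; `snapshot`, `invoke`, `tamperedIntrinsics` and `simulateLatePatching` are hypothetical names). It captures references early, calls them through a captured Reflect.apply so that a replaced Function.prototype.call cannot interfere, and reports which globals have drifted from the snapshot.

```javascript
// Added illustration, not get-intrinsic's own code. Step 1: snapshot the
// built-ins at load time, before any other module has had a chance to run.
var $apply = Reflect.apply;
var snapshot = {
  'Array.prototype.push': Array.prototype.push,
  'Object.prototype.hasOwnProperty': Object.prototype.hasOwnProperty,
  'Function.prototype.call': Function.prototype.call,
  'JSON.stringify': JSON.stringify
};

// Invoke a snapshotted method without a call-time lookup of .call or .apply.
function invoke(name, receiver, args) {
  return $apply(snapshot[name], receiver, args);
}

// Walk a dotted name such as 'Array.prototype.push' on the live globals.
function resolveLive(name) {
  var value = globalThis, parts = name.split('.');
  for (var i = 0; i < parts.length && value != null; i++) value = value[parts[i]];
  return value;
}

// Names whose live value no longer matches the snapshot.
function tamperedIntrinsics() {
  var names = [];
  for (var name in snapshot) {
    // Index assignment, because the live push may be the patched one.
    if (resolveLive(name) !== snapshot[name]) names[names.length] = name;
  }
  return names;
}

// Constructed stand-in for a later-loaded dependency that patches built-ins.
function simulateLatePatching() {
  Array.prototype.push = function () { return 0; }; // silently drops elements
  Function.prototype.call = function () { throw new Error('call replaced'); };
}

function demo() {
  var viaGlobal = [1], viaSnapshot = [1], changed;
  simulateLatePatching();
  try {
    changed = tamperedIntrinsics();
    viaGlobal.push(2); // patched method: nothing is appended
    invoke('Array.prototype.push', viaSnapshot, [2]); // original still works
  } finally { // put the real built-ins back
    Array.prototype.push = snapshot['Array.prototype.push'];
    Function.prototype.call = snapshot['Function.prototype.call'];
  }
  return { changed: changed, viaGlobal: viaGlobal, viaSnapshot: viaSnapshot };
}
```

A snapshot only protects against changes made after it was taken, so the capturing module has to load before any untrusted dependency.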
The es-abstract package provides methods to access the ECMAScript abstract operations. It is similar to get-intrinsic in that it allows access to fundamental ECMAScript operations, but it focuses more on the abstract operations rather than the intrinsic objects and methods.
The es5-shim package provides shims for legacy JavaScript engines to support ECMAScript 5 features. While it does not directly provide a way to access intrinsics, it ensures that the standard methods and objects behave as expected in older environments, which is somewhat related to the goal of get-intrinsic.
Core-js is a modular standard library for JavaScript, which includes polyfills for ECMAScript features. It provides a stable environment for using modern JavaScript features in older browsers, similar to get-intrinsic's goal of providing stable references to intrinsic objects and methods.
Get and robustly cache all JS language-level intrinsics at first require time.
See the syntax described in the JS spec for reference.
var GetIntrinsic = require('get-intrinsic');
var assert = require('assert');
// static methods
assert.equal(GetIntrinsic('%Math.pow%'), Math.pow);
assert.equal(Math.pow(2, 3), 8);
assert.equal(GetIntrinsic('%Math.pow%')(2, 3), 8);
delete Math.pow;
assert.equal(GetIntrinsic('%Math.pow%')(2, 3), 8);
// instance methods
var arr = [1];
assert.equal(GetIntrinsic('%Array.prototype.push%'), Array.prototype.push);
assert.deepEqual(arr, [1]);
arr.push(2);
assert.deepEqual(arr, [1, 2]);
GetIntrinsic('%Array.prototype.push%').call(arr, 3);
assert.deepEqual(arr, [1, 2, 3]);
delete Array.prototype.push;
GetIntrinsic('%Array.prototype.push%').call(arr, 4);
assert.deepEqual(arr, [1, 2, 3, 4]);
// missing features
delete JSON.parse; // to simulate a real intrinsic that is missing in the environment
assert.throws(() => GetIntrinsic('%JSON.parse%'));
assert.equal(undefined, GetIntrinsic('%JSON.parse%', true));
Simply clone the repo, npm install, and run npm test
Please email @ljharb or see https://tidelift.com/security if you have a potential security vulnerability to report.
FAQs
The npm package get-intrinsic receives a total of 52,404,501 weekly downloads. As such, get-intrinsic is classified as popular.
We found that get-intrinsic demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.