Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Use property paths like 'a.b.c' to get a nested value from an object. Even works when keys have dots in them (no other dot-prop library can do this!).
The get-value npm package is used for safely retrieving nested values from an object or array. It is useful when dealing with deeply nested structures where checking for the existence of each level can be cumbersome. It allows for specifying paths to the desired value using a string or an array of keys/indices.
Get nested values
Retrieve a nested value from an object using a string path.
const get = require('get-value');
const obj = { a: { b: { c: 'd' } } };
console.log(get(obj, 'a.b.c')); // 'd'
Use array paths
Retrieve a nested value using an array of keys as the path.
const get = require('get-value');
const obj = { a: { b: { c: 'd' } } };
console.log(get(obj, ['a', 'b', 'c'])); // 'd'
Specify default values
Provide a default value to return if the full path does not exist.
const get = require('get-value');
const obj = { a: { b: { c: 'd' } } };
console.log(get(obj, 'a.b.e', { default: 'default value' })); // 'default value'
Split string paths
Retrieve values from keys that include a dot or other special characters by specifying a custom separator.
const get = require('get-value');
const obj = { 'a.b': { c: 'd' } };
console.log(get(obj, 'a\.b.c', { separator: '\.' })); // 'd'
lodash.get is a method from the Lodash library that provides similar functionality to get-value. It allows for retrieving nested values with a default option. Lodash is a larger utility library, so lodash.get is part of a broader suite of tools.
dot-prop is another package that allows for getting and setting nested properties. Unlike get-value, dot-prop also supports setting values. It uses a dot notation string as the path.
deep-get-set is a package that not only gets but also sets deep values. It is less popular than get-value and does not have as many configuration options.
Use property paths like 'a.b.c' to get a nested value from an object. Even works when keys have dots in them (no other dot-prop library can do this!).
Please consider following this project's author, Jon Schlinkert, and consider starring the project to show your :heart: and support.
Install with npm:
$ npm install --save get-value
See the unit tests for many more examples.
const get = require('foo');
const obj = { a: { b: { c: { d: 'foo' } } } };
console.log(get(obj)); //=> { a: { b: { c: { d: 'foo' } } } };
console.log(get(obj, 'a')); //=> { b: { c: { d: 'foo' } } }
console.log(get(obj, 'a.b')); //=> { c: { d: 'foo' } }
console.log(get(obj, 'a.b.c')); //=> { d: 'foo' }
console.log(get(obj, 'a.b.c.d')); //=> 'foo'
Unlike other dot-prop libraries, get-value works when keys have dots in them:
console.log(get({ 'a.b': { c: 'd' } }, 'a.b.c'));
//=> 'd'
console.log(get({ 'a.b': { c: { 'd.e': 'f' } } }, 'a.b.c.d.e'));
//=> 'f'
console.log(get({ a: { b: { c: { d: 'foo' } } }, e: [{ f: 'g' }, { f: 'h' }] }, 'e.1.f'));
//=> 'h'
console.log(get({ a: { b: [{ c: 'd' }] } }, 'a.b.0.c'));
//=> 'f'
console.log(get({ a: { b: [{ c: 'd' }, { e: 'f' }] } }, 'a.b.1.e'));
//=> 'f'
function foo() {}
foo.bar = { baz: 'qux' };
console.log(get(foo));
//=> { [Function: foo] bar: { baz: 'qux' } }
console.log(get(foo, 'bar'));
//=> { baz: 'qux' }
console.log(get(foo, 'bar.baz'));
//=> qux
Slighly improve performance by passing an array of strings to use as object path segments (this is also useful when you need to dynamically build up the path segments):
console.log(get({ a: { b: 'c' } }, ['a', 'b']));
//=> 'c'
Type: any
Default: undefined
The default value to return when get-value cannot resolve a value from the given object.
const obj = { foo: { a: { b: { c: { d: 'e' } } } } };
console.log(get(obj, 'foo.a.b.c.d', { default: true })); //=> 'e'
console.log(get(obj, 'foo.bar.baz', { default: true })); //=> true
console.log(get(obj, 'foo.bar.baz', { default: false })); //=> false
console.log(get(obj, 'foo.bar.baz', { default: null })); //=> null
// you can also pass the default value as the last argument
// (this is necessary if the default value is an object)
console.log(get(obj, 'foo.a.b.c.d', true)); //=> 'e'
console.log(get(obj, 'foo.bar.baz', true)); //=> true
console.log(get(obj, 'foo.bar.baz', false)); //=> false
console.log(get(obj, 'foo.bar.baz', null)); //=> null
Type: function
Default: true
If defined, this function is called on each resolved value. Useful if you want to do .hasOwnProperty
or Object.prototype.propertyIsEnumerable
.
const isEnumerable = Object.prototype.propertyIsEnumerable;
const options = {
isValid: (key, obj) => isEnumerable.call(obj, key)
};
const obj = {};
Object.defineProperty(obj, 'foo', { value: 'bar', enumerable: false });
console.log(get(obj, 'foo', options)); //=> undefined
console.log(get({}, 'hasOwnProperty', options)); //=> undefined
console.log(get({}, 'constructor', options)); //=> undefined
// without "isValid" check
console.log(get(obj, 'foo', options)); //=> bar
console.log(get({}, 'hasOwnProperty', options)); //=> [Function: hasOwnProperty]
console.log(get({}, 'constructor', options)); //=> [Function: Object]
Type: function
Default: String.split()
Custom function to use for splitting the string into object path segments.
const obj = { 'a.b': { c: { d: 'e' } } };
// example of using a string to split the object path
const options = { split: path => path.split('/') };
console.log(get(obj, 'a.b/c/d', options)); //=> 'e'
// example of using a regex to split the object path
// (removing escaped dots is unnecessary, this is just an example)
const options = { split: path => path.split(/\\?\./) };
console.log(get(obj, 'a\\.b.c.d', options)); //=> 'e'
Type: string|regex
Default: .
The separator to use for spliting the string (this is probably not needed when options.split
is used).
const obj = { 'a.b': { c: { d: 'e' } } };
console.log(get(obj, 'a.b/c/d', { separator: '/' }));
//=> 'e'
console.log(get(obj, 'a\\.b.c.d', { separator: /\\?\./ }));
//=> 'e'
Type: function
Default: Array.join()
Customize how the object path is created when iterating over path segments.
const obj = { 'a/b': { c: { d: 'e' } } };
const options = {
// when segs === ['a', 'b'] use a "/" to join, otherwise use a "."
join: segs => segs.join(segs[0] === 'a' ? '/' : '.')
};
console.log(get(obj, 'a.b.c.d', options));
//=> 'e'
Type: string
Default: .
The character to use when re-joining the string to check for keys with dots in them (this is probably not needed when options.join
is used). This can be a different value than the separator, since the separator can be a string or regex.
const target = { 'a-b': { c: { d: 'e' } } };
const options = { joinChar: '-' };
console.log(get(target, 'a.b.c.d', options));
//=> 'e'
(benchmarks were run on a MacBook Pro 2.5 GHz Intel Core i7, 16 GB 1600 MHz DDR3).
get-value is more reliable and has more features than dot-prop, without sacrificing performance.
# deep (175 bytes)
dot-prop x 883,166 ops/sec ±0.93% (86 runs sampled)
get-value x 1,448,928 ops/sec ±1.53% (87 runs sampled)
getobject x 213,797 ops/sec ±0.85% (90 runs sampled)
object-path x 184,347 ops/sec ±2.48% (85 runs sampled)
fastest is get-value (by 339% avg)
# root (210 bytes)
dot-prop x 3,905,828 ops/sec ±1.36% (87 runs sampled)
get-value x 16,391,934 ops/sec ±1.43% (83 runs sampled)
getobject x 1,200,021 ops/sec ±1.81% (88 runs sampled)
object-path x 2,788,494 ops/sec ±1.81% (86 runs sampled)
fastest is get-value (by 623% avg)
# shallow (84 bytes)
dot-prop x 2,553,558 ops/sec ±0.89% (89 runs sampled)
get-value x 3,070,159 ops/sec ±0.88% (90 runs sampled)
getobject x 726,670 ops/sec ±0.81% (86 runs sampled)
object-path x 922,351 ops/sec ±2.05% (86 runs sampled)
fastest is get-value (by 219% avg)
Clone this library into a local directory:
$ git clone https://github.com/jonschlinkert/get-value.git
Then install devDependencies and run benchmarks:
$ npm install && node benchmark
options.default
for defining a default value to return when no value is resolved.options.isValid
to allow the user to check the object after each iteration.options.separator
for customizing character to split on.options.split
for customizing how the object path is split.options.join
for customizing how the object path is joined when iterating over path segments.options.joinChar
for customizing the join character.Pull requests and stars are always welcome. For bugs and feature requests, please create an issue.
Running and reviewing unit tests is a great way to get familiarized with a library and its API. You can install dependencies and run tests with the following command:
$ npm install && npm test
(This project's readme.md is generated by verb, please don't edit the readme directly. Any changes to the readme must be made in the .verb.md readme template.)
To generate the readme, run the following command:
$ npm install -g verbose/verb#dev verb-generate-readme && verb
You might also be interested in these projects:
key
exists deeply on the given object. | homepage'a.b.c'
) paths. | homepageCommits | Contributor |
---|---|
81 | jonschlinkert |
2 | ianwalter |
1 | doowb |
Jon Schlinkert
Copyright © 2018, Jon Schlinkert. Released under the MIT License.
This file was generated by verb-generate-readme, v0.6.0, on March 07, 2018.
FAQs
Use property paths like 'a.b.c' to get a nested value from an object. Even works when keys have dots in them (no other dot-prop library can do this!).
The npm package get-value receives a total of 6,914,915 weekly downloads. As such, get-value popularity was classified as popular.
We found that get-value demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.