The get-value npm package is used for safely retrieving nested values from an object or array. It is useful when dealing with deeply nested structures where checking for the existence of each level can be cumbersome. It allows for specifying paths to the desired value using a string or an array of keys/indices.
Get nested values
Retrieve a nested value from an object using a string path.
const get = require('get-value');
const obj = { a: { b: { c: 'd' } } };
console.log(get(obj, 'a.b.c')); // 'd'
Use array paths
Retrieve a nested value using an array of keys as the path.
const get = require('get-value');
const obj = { a: { b: { c: 'd' } } };
console.log(get(obj, ['a', 'b', 'c'])); // 'd'
Specify default values
Provide a default value to return if the full path does not exist.
const get = require('get-value');
const obj = { a: { b: { c: 'd' } } };
console.log(get(obj, 'a.b.e', { default: 'default value' })); // 'default value'
Split string paths
Retrieve values from keys that include a dot or other special characters by specifying a custom separator.
const get = require('get-value');
const obj = { 'a.b': { c: 'd' } };
// '/' is the separator, so the dot in 'a.b' stays part of the key
console.log(get(obj, 'a.b/c', { separator: '/' })); // 'd'
lodash.get is a method from the Lodash library that provides similar functionality to get-value. It allows for retrieving nested values with a default option. Lodash is a larger utility library, so lodash.get is part of a broader suite of tools.
dot-prop is another package that allows for getting and setting nested properties. Unlike get-value, dot-prop also supports setting values. It uses a dot notation string as the path.
deep-get-set is a package that not only gets but also sets deep values. It is less popular than get-value and does not have as many configuration options.
Use property paths (a.b.c) to get a nested value from an object.
This is 10x faster and more performant than dot-prop, and it passes all of the dot-prop tests.
Of the libs benchmarked, dot-prop was the least performant:
#1: deep
get-value x 3,308,335 ops/sec ±1.32% (94 runs sampled)
dot-prop x 197,631 ops/sec ±1.27% (94 runs sampled)
getobject x 218,635 ops/sec ±1.51% (91 runs sampled)
#2: shallow
get-value x 5,762,976 ops/sec ±1.21% (95 runs sampled)
dot-prop x 695,892 ops/sec ±1.42% (95 runs sampled)
getobject x 724,493 ops/sec ±1.46% (93 runs sampled)
Also, get-value supports escaping dots in paths, which is common when object keys are file paths with extensions; dot-prop does not.
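The escaped-dot behaviour described above, sketched as an added example (not code from get-value or its README): a simplified path lookup in which `splitPath` and `getPath` are hypothetical names and the `files` object is constructed sample data. Checking own properties only is a choice made for this sketch.

```javascript
// Added illustration: a simplified lookup, not get-value's source code.
// splitPath and getPath are hypothetical names.

// Split a path on `separator`; a backslash-escaped separator is kept as a literal.
function splitPath(path, separator = '.') {
  const keys = [];
  let current = '';
  for (let i = 0; i < path.length; i++) {
    if (path[i] === '\\' && path[i + 1] === separator) {
      current += separator; // escaped separator stays inside the key
      i++;
    } else if (path[i] === separator) {
      keys.push(current);
      current = '';
    } else {
      current += path[i];
    }
  }
  keys.push(current);
  return keys;
}

// Walk `obj` along the path; return `fallback` as soon as a level is missing.
function getPath(obj, path, { separator = '.', fallback } = {}) {
  const keys = Array.isArray(path) ? path : splitPath(path, separator);
  let node = obj;
  for (const key of keys) {
    // Own properties only, so inherited names such as "constructor" never resolve.
    if (node === null || typeof node !== 'object' ||
        !Object.prototype.hasOwnProperty.call(node, key)) {
      return fallback;
    }
    node = node[key];
  }
  return node;
}

// Constructed sample: keys are file names with extensions.
const files = { 'package.json': { size: 512 }, src: { 'index.js': { size: 2048 } } };

console.log(getPath(files, 'package\\.json.size'));                   // 512
console.log(getPath(files, 'package.json.size'));                     // undefined
console.log(getPath(files, 'src/index.js/size', { separator: '/' })); // 2048
console.log(getPath(files, 'src.missing.size', { fallback: 0 }));     // 0
```

The unescaped path `'package.json.size'` is split into `package`, `json` and `size`, which is why it misses the `'package.json'` key.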
Install with npm
$ npm i get-value --save
Install with bower
$ bower install get-value --save
var get = require('get-value');
var obj = {a: {b : {c: {d: 'foo'}}}, e: [{f: 'g'}]};
get(obj, 'a.b.c');
//=> {d: 'foo'}
get(obj, 'a.b.c.d');
//=> 'foo'
get(obj, 'e[0].f');
//=> 'g'
key as an array
Optionally pass the key as an array (this is useful when you need to dynamically build up the property name)
var obj = {a: {b: 'c'}};
get(obj, ['a', 'b']);
//=> 'c'
Pull requests and stars are always welcome. For bugs and feature requests, please create an issue.
Install dev dependencies:
$ npm i -d && npm test
Jon Schlinkert
Copyright © 2014-2015 Jon Schlinkert Released under the MIT license.
This file was generated by verb-cli on October 28, 2015.
FAQs
Use property paths like 'a.b.c' to get a nested value from an object. Even works when keys have dots in them (no other dot-prop library can do this!).
The npm package get-value receives a total of 6,914,915 weekly downloads. As such, get-value's popularity was classified as popular.
We found that get-value demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.