Research
Security News
Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
graceful-fs
Advanced tools
The graceful-fs npm package is a drop-in replacement for the fs module in Node.js that offers improved error handling and queuing of file system operations to avoid EMFILE errors when too many files are opened at once. It provides a wrapper around the native fs module, smoothing out various edge cases and providing a more robust interface for file system operations.
Queueing file system operations
This feature queues file system operations to avoid EMFILE errors, which occur when too many files are opened simultaneously. The code sample demonstrates reading a file using graceful-fs, which will queue the operation if the file descriptor limit is reached.
const gracefulFs = require('graceful-fs');
gracefulFs.readFile('/path/to/file', 'utf8', (err, data) => {
if (err) throw err;
console.log(data);
});
Retrying on failure
graceful-fs will automatically retry file system operations that fail with transient errors, such as EAGAIN or EINTR. The code sample shows writing data to a file with automatic retry on failure.
const gracefulFs = require('graceful-fs');
gracefulFs.writeFile('/path/to/file', 'data', (err) => {
if (err) throw err;
console.log('File written successfully');
});
Polymorphic approach to fs methods
graceful-fs can be used as a drop-in replacement for the native fs module, providing a polymorphic approach to file system methods. The code sample demonstrates replacing the native fs.readFile with gracefulFs.readFile.
const gracefulFs = require('graceful-fs');
const fs = require('fs');
// graceful-fs can be used as a drop-in replacement
fs.readFile = gracefulFs.readFile;
fs.readFile('/path/to/file', 'utf8', (err, data) => {
if (err) throw err;
console.log(data);
});
fs-extra is a package that builds upon the native fs module, providing additional methods and ensuring consistency across different platforms. It includes all the methods from graceful-fs and adds more utility functions, such as copy, move, and remove, which are not found in graceful-fs.
node-fs-extra is a fork of fs-extra that aims to offer the same extended functionality. It is similar to graceful-fs in that it provides additional file system methods, but it also includes extra features and utilities for working with the file system.
write-file-atomic is a package that focuses on writing files atomically to prevent corruption. While graceful-fs improves general file system reliability, write-file-atomic specifically ensures that file writes are completed fully before replacing the original file, which is a narrower scope of functionality.
graceful-fs functions as a drop-in replacement for the fs module, making various improvements.
The improvements are meant to normalize behavior across different platforms and environments, and to make filesystem access more resilient to errors.
open
and readdir
calls, and retries them once
something closes if there is an EMFILE error from too many file
descriptors.lchmod
for Node versions prior to 0.6.2.fs.lutimes
if possible. Otherwise it becomes a noop.EINVAL
and EPERM
errors in chown
, fchown
or
lchown
if the user isn't root.lchmod
and lchown
become noops, if not available.read
results in EAGAIN error.On Windows, it retries renaming a file for up to one second if EACCESS
or EPERM
error occurs, likely because antivirus software has locked
the directory.
// use just like fs
var fs = require('graceful-fs')
// now go and do stuff with it...
fs.readFile('some-file-or-whatever', (err, data) => {
// Do stuff here.
})
This module cannot intercept or handle EMFILE
or ENFILE
errors from sync
methods. If you use sync methods which open file descriptors then you are
responsible for dealing with any errors.
This is a known limitation, not a bug.
If you want to patch the global fs module (or any other fs-like module) you can do this:
// Make sure to read the caveat below.
var realFs = require('fs')
var gracefulFs = require('graceful-fs')
gracefulFs.gracefulify(realFs)
This should only ever be done at the top-level application layer, in order to delay on EMFILE errors from any fs-using dependencies. You should not do this in a library, because it can cause unexpected delays in other parts of the program.
This module is fairly stable at this point, and used by a lot of things. That being said, because it implements a subtle behavior change in a core part of the node API, even modest changes can be extremely breaking, and the versioning is thus biased towards bumping the major when in doubt.
The main change between major versions has been switching between
providing a fully-patched fs
module vs monkey-patching the node core
builtin, and the approach by which a non-monkey-patched fs
was
created.
The goal is to trade EMFILE
errors for slower fs operations. So, if
you try to open a zillion files, rather than crashing, open
operations will be queued up and wait for something else to close
.
There are advantages to each approach. Monkey-patching the fs means
that no EMFILE
errors can possibly occur anywhere in your
application, because everything is using the same core fs
module,
which is patched. However, it can also obviously cause undesirable
side-effects, especially if the module is loaded multiple times.
Implementing a separate-but-identical patched fs
module is more
surgical (and doesn't run the risk of patching multiple times), but
also imposes the challenge of keeping in sync with the core module.
The current approach loads the fs
module, and then creates a
lookalike object that has all the same methods, except a few that are
patched. It is safe to use in all versions of Node from 0.8 through
7.0.
FAQs
A drop-in replacement for fs, making various improvements.
The npm package graceful-fs receives a total of 10,176,705 weekly downloads. As such, graceful-fs popularity was classified as popular.
We found that graceful-fs demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.