The js-yaml npm package is a JavaScript library that allows you to parse and dump YAML, a human-friendly data serialization standard. It can be used to convert YAML to JSON and vice versa, making it a useful tool for configuration files, data exchange, and more.
YAML Parsing
This feature allows you to parse a YAML file or string and convert it into a JavaScript object. The code sample demonstrates how to read a YAML file from the filesystem and parse its contents.
```javascript
const yaml = require('js-yaml');
const fs = require('fs');

try {
  // Read the file and parse its single YAML document into a JavaScript value.
  // js-yaml 3.x documents safeLoad() as the recommended loader for untrusted input.
  const doc = yaml.load(fs.readFileSync('/path/to/file.yml', 'utf8'));
  console.log(doc);
} catch (e) {
  console.error(e);
}
```
YAML Dumping
This feature allows you to take a JavaScript object and convert it into a YAML-formatted string. The code sample shows how to create a YAML string from an object and then save it to a file.
```javascript
const yaml = require('js-yaml');
const fs = require('fs');

// Serialize a plain object to YAML text and write it out.
const obj = { hello: 'world' };
const ymlText = yaml.dump(obj);

fs.writeFileSync('/path/to/file.yml', ymlText, 'utf8');
console.log('YAML file saved.');
```
Custom Types
js-yaml allows you to define custom types for specialized use cases. The code sample demonstrates how to create a custom YAML type and use it in parsing a YAML string.
```javascript
const yaml = require('js-yaml');

// A scalar tag !myType that only resolves when the scalar text is 'valid'.
// Schema.create() with a single argument extends the default schema with the given types.
const schema = yaml.Schema.create([ new yaml.Type('!myType', {
  kind: 'scalar',
  resolve: data => data === 'valid',
  construct: data => data,
  instanceOf: String
}) ]);

const doc = yaml.load('!myType valid', { schema });
console.log(doc); // 'valid'
```
The 'yaml' package is another JavaScript library for parsing and serializing YAML. It offers a similar API to js-yaml but with a focus on being highly compliant with the YAML specification. It may be preferred for applications that require strict adherence to the spec.
Yamljs is a JavaScript library that provides YAML parsing and dumping functionalities. It is similar to js-yaml but has a different API design and may not be as actively maintained as js-yaml.
This package is designed for parsing YAML into an abstract syntax tree (AST). It is useful for developers who need to analyze or manipulate the structure of YAML documents at a lower level compared to js-yaml.
This is an implementation of YAML, a human-friendly data serialization language. Started as a PyYAML port, it was completely rewritten from scratch. Now it's very fast, and supports the 1.2 spec.
```shell
npm install js-yaml
```

If you want to inspect your YAML files from the CLI, install js-yaml globally:

```shell
npm install -g js-yaml
```
```text
usage: js-yaml [-h] [-v] [-c] [-t] file

Positional arguments:
  file           File with YAML document(s)

Optional arguments:
  -h, --help     Show this help message and exit.
  -v, --version  Show program's version number and exit.
  -c, --compact  Display errors in compact mode
  -t, --trace    Show stack trace on error
```
```html
<!-- esprima required only for !!js/function -->
<script src="esprima.js"></script>
<script src="js-yaml.min.js"></script>
<script type="text/javascript">
var doc = jsyaml.load('greeting: hello\nname: world');
</script>
```
Browser support was done mostly for the online demo. If you find any errors, feel free to send pull requests with fixes. Also note that IE and other old browsers need es5-shims to operate.
Notes:
- !!js/function in the browser bundle will not work by default. If you really need it, load the esprima parser first (via AMD or directly).
- !!bin in the browser will return an Array, because browsers do not support the node.js Buffer, and adding Buffer shims is completely useless in practice.

Here we cover the most 'useful' methods. If you need advanced details (creating your own tags), see the wiki and examples for more info.
safeLoad()

```javascript
const yaml = require('js-yaml');
const fs = require('fs');

// Get document, or throw exception on error
try {
  const doc = yaml.safeLoad(fs.readFileSync('/home/ixti/example.yml', 'utf8'));
  console.log(doc);
} catch (e) {
  console.log(e);
}
```
Recommended loading way. Parses string as a single YAML document. Returns either a plain object, a string or undefined, or throws YAMLException on error. By default, does not support regexps, functions and undefined. This method is safe for untrusted data.
options:
- filename (default: null) - string to be used as a file path in error/warning messages.
- onWarning (default: null) - function to call on warning messages. Loader will call this function with an instance of YAMLException for each warning.
- schema (default: DEFAULT_SAFE_SCHEMA) - specifies a schema to use.
  - FAILSAFE_SCHEMA - only strings, arrays and plain objects: http://www.yaml.org/spec/1.2/spec.html#id2802346
  - JSON_SCHEMA - all JSON-supported types: http://www.yaml.org/spec/1.2/spec.html#id2803231
  - CORE_SCHEMA - same as JSON_SCHEMA: http://www.yaml.org/spec/1.2/spec.html#id2804923
  - DEFAULT_SAFE_SCHEMA - all supported YAML types, without unsafe ones (!!js/undefined, !!js/regexp and !!js/function): http://yaml.org/type/
  - DEFAULT_FULL_SCHEMA - all supported YAML types.
- json (default: false) - compatibility with JSON.parse behaviour. If true, then duplicate keys in a mapping will override values rather than throwing an error.

NOTE: This function does not understand multi-document sources; it throws an exception on those.
NOTE: JS-YAML does not support schema-specific tag resolution restrictions. So, the JSON schema is not as strictly defined as in the YAML specification. It allows numbers in any notation, uses Null and NULL as null, etc. The core schema also has no such restrictions. It allows binary notation for integers.
load()

Use with care with untrusted sources. The same as safeLoad() but uses DEFAULT_FULL_SCHEMA by default - adds some JavaScript-specific types: !!js/function, !!js/regexp and !!js/undefined. For untrusted sources, you must additionally validate object structure to avoid injections:

```javascript
const untrusted_code = '"toString": !<tag:yaml.org,2002:js/function> "function (){very_evil_thing();}"';

// I'm just converting that string, what could possibly go wrong?
require('js-yaml').load(untrusted_code) + ''
```
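The README asks for structural validation of anything loaded from an untrusted source but does not show one. The following is an added example, not code from js-yaml or its README: it takes the value a loader has already returned (the `parse` parameter stands for whichever loader is used, such as safeLoad bound to a schema), refuses anything that is not plain data (functions, RegExps, undefined, class instances, and the `__proto__`/`constructor`/`prototype` keys), and then checks the mapping against an allowlisted shape. `CONFIG_SHAPE`, `loadValidated`, `checkDocument` and the sample documents are assumptions constructed for this example; it runs on plain Node.js without js-yaml installed.

```javascript
// Added example, not js-yaml's own code. `parse` stands for the loader in use
// (for js-yaml 3.x that would be safeLoad); the sample documents are constructed
// by hand to look like what a loader returns.

// Keys that alter object behaviour rather than carry data.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk the value and throw unless every node is plain data: null, string, number,
// boolean, Date (!!timestamp), Buffer (!!binary), array, or a plain object.
// Functions, RegExps, undefined and class instances are rejected wherever they
// occur, so a document loaded with the full schema cannot smuggle in behaviour.
function assertPlainData(value, path = '$') {
  if (value === null || ['string', 'number', 'boolean'].includes(typeof value)) return;
  if (value instanceof Date || Buffer.isBuffer(value)) return;
  if (Array.isArray(value)) {
    value.forEach((item, i) => assertPlainData(item, `${path}[${i}]`));
    return;
  }
  if (typeof value === 'object' && Object.getPrototypeOf(value) === Object.prototype) {
    for (const key of Object.keys(value)) {
      if (FORBIDDEN_KEYS.has(key)) throw new TypeError(`${path}: forbidden key "${key}"`);
      assertPlainData(value[key], `${path}.${key}`);
    }
    return;
  }
  throw new TypeError(`${path}: unexpected ${typeof value} value`);
}

// Check a mapping against an allowlist shape: every key present must be in the
// shape, and every key in the shape must hold the named primitive type (or, for
// nested objects, satisfy the nested shape). An injected key such as "toString"
// is refused simply because it is not in the allowlist.
function validateShape(doc, shape, path = '$') {
  assertPlainData(doc, path);
  if (typeof doc !== 'object' || doc === null || Array.isArray(doc)) {
    throw new TypeError(`${path}: expected a mapping`);
  }
  for (const key of Object.keys(doc)) {
    if (!Object.prototype.hasOwnProperty.call(shape, key)) {
      throw new TypeError(`${path}: unexpected key "${key}"`);
    }
  }
  for (const [key, expected] of Object.entries(shape)) {
    const actual = doc[key];
    const subPath = `${path}.${key}`;
    if (typeof expected === 'object') {
      validateShape(actual, expected, subPath);
    } else if (typeof actual !== expected) {
      throw new TypeError(`${subPath}: expected ${expected}, got ${typeof actual}`);
    }
  }
  return doc;
}

// Parse with the caller's loader and validate before handing the result out.
function loadValidated(text, parse, shape) {
  return validateShape(parse(text), shape);
}

// Hypothetical application config shape and constructed sample documents.
const CONFIG_SHAPE = { name: 'string', port: 'number', tls: { enabled: 'boolean' } };

const SAMPLES = {
  // what a loader returns for a well-formed config
  good: { name: 'api', port: 8080, tls: { enabled: true } },
  // what the README's injected "toString" document yields under the full schema
  injectedToString: { toString: function () { /* would run on `+ ''` coercion */ } },
  // a RegExp leaf, as !!js/regexp produces under the full schema
  regexpLeaf: { name: /api/, port: 8080, tls: { enabled: true } },
  // an own "__proto__" key, as JSON.parse produces for that key name
  protoKey: JSON.parse('{"name":"api","port":8080,"tls":{"enabled":true},"__proto__":{"admin":true}}'),
};

// Returns 'ok' or the rejection reason, so callers can inspect the outcome.
function checkDocument(doc) {
  try {
    validateShape(doc, CONFIG_SHAPE);
    return 'ok';
  } catch (e) {
    return e.message;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, doc] of Object.entries(SAMPLES)) {
    console.log(name, '->', checkDocument(doc));
  }
}
```

The data-type walk runs before the shape check, so the README's injected `toString` document is reported as `$.toString: unexpected function value` before any coercion could call it; a document that is all plain data but has the wrong key set or a wrong leaf type is reported with the offending path instead.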
safeLoadAll()

Same as safeLoad(), but understands multi-document sources. Applies iterator to each document if specified, or returns an array of documents.

```javascript
const yaml = require('js-yaml');

// data: a string holding one or more YAML documents separated by '---'
yaml.safeLoadAll(data, function (doc) {
  console.log(doc);
});
```
loadAll()

Same as safeLoadAll() but uses DEFAULT_FULL_SCHEMA by default.
safeDump()

Serializes object as a YAML document. Uses DEFAULT_SAFE_SCHEMA, so it will throw an exception if you try to dump regexps or functions. However, you can disable exceptions by setting the skipInvalid option to true.

options:
- indent (default: 2) - indentation width to use (in spaces).
- noArrayIndent (default: false) - when true, will not add an indentation level to array elements.
- skipInvalid (default: false) - do not throw on invalid types (like function in the safe schema) and skip pairs and single values with such types.
- flowLevel (default: -1) - specifies level of nesting, when to switch from block to flow style for collections. -1 means block style everywhere.
- styles - "tag" => "style" map. Each tag may have its own set of styles.
- schema (default: DEFAULT_SAFE_SCHEMA) - specifies a schema to use.
- sortKeys (default: false) - if true, sort keys when dumping YAML. If a function, use the function to sort the keys.
- lineWidth (default: 80) - set max line width.
- noRefs (default: false) - if true, don't convert duplicate objects into references.
- noCompatMode (default: false) - if true, don't try to be compatible with older yaml versions. Currently: don't quote "yes", "no" and so on, as required for YAML 1.1.
- condenseFlow (default: false) - if true, flow sequences will be condensed, omitting the space between a, b. Eg. '[a,b]', and omitting the space between key: value and quoting the key. Eg. '{"a":b}'. Can be useful when using yaml for pretty URL query params as spaces are %-encoded.

The following table shows the available styles (e.g. "canonical", "binary"...) for each tag (e.g. !!null, !!int ...). YAML output is shown on the right side after => (default setting) or ->:
```text
!!null
  "canonical"   -> "~"
  "lowercase"   => "null"
  "uppercase"   -> "NULL"
  "camelcase"   -> "Null"

!!int
  "binary"      -> "0b1", "0b101010", "0b1110001111010"
  "octal"       -> "01", "052", "016172"
  "decimal"     => "1", "42", "7290"
  "hexadecimal" -> "0x1", "0x2A", "0x1C7A"

!!bool
  "lowercase"   => "true", "false"
  "uppercase"   -> "TRUE", "FALSE"
  "camelcase"   -> "True", "False"

!!float
  "lowercase"   => ".nan", '.inf'
  "uppercase"   -> ".NAN", '.INF'
  "camelcase"   -> ".NaN", '.Inf'
```
Example:

```javascript
safeDump(object, {
  'styles': {
    '!!null': 'canonical' // dump null as ~
  },
  'sortKeys': true        // sort object keys
});
```
dump()

Same as safeDump() but without limits (uses DEFAULT_FULL_SCHEMA by default).
The list of standard YAML tags and corresponding JavaScript types. See also the YAML tag discussion and YAML types repository.

```yaml
!!null ''                   # null
!!bool 'yes'                # bool
!!int '3...'                # number
!!float '3.14...'           # number
!!binary '...base64...'     # buffer
!!timestamp 'YYYY-...'      # date
!!omap [ ... ]              # array of key-value pairs
!!pairs [ ... ]             # array or array pairs
!!set { ... }               # array of objects with given keys and null values
!!str '...'                 # string
!!seq [ ... ]               # array
!!map { ... }               # object
```

JavaScript-specific tags

```yaml
!!js/regexp /pattern/gim            # RegExp
!!js/undefined ''                   # Undefined
!!js/function 'function () {...}'   # Function
```
Note that you can use arrays or objects as keys in JS-YAML. JS does not allow objects or arrays as keys, and stringifies them (by calling their toString() method) at the moment of adding them.

```yaml
---
? [ foo, bar ]
: - baz
? { foo: bar }
: - baz
  - baz
```

```javascript
{ "foo,bar": ["baz"], "[object Object]": ["baz", "baz"] }
```
Also, reading of properties on implicit block mapping keys is not supported yet. So, the following YAML document cannot be loaded.

```yaml
&anchor foo:
  foo: bar
  *anchor: duplicate key
  baz: bat
  *anchor: duplicate key
```
Available as part of the Tidelift Subscription
The maintainers of js-yaml and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use. Learn more.
[3.14.1] - 2020-12-07
.load() (in &anchor)

FAQs
YAML 1.2 parser and serializer
The npm package js-yaml receives a total of 68,276,175 weekly downloads. As such, js-yaml popularity was classified as popular.
We found that js-yaml demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.