Research
Security News
Kill Switch Hidden in npm Packages Typosquatting Chalk and Chokidar
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
The 'kew' npm package is a lightweight promise library for Node.js that provides a simple and efficient way to handle asynchronous operations. It is designed to be fast and easy to use, offering a minimalistic API for creating and managing promises.
Creating Promises
This feature allows you to create promises using the 'kew' library. The example demonstrates how to create a deferred object, resolve it after a timeout, and handle the resolved value using the 'then' method.
const Q = require('kew');
function asyncTask() {
const defer = Q.defer();
setTimeout(() => {
defer.resolve('Task completed');
}, 1000);
return defer.promise;
}
asyncTask().then(result => {
console.log(result); // 'Task completed'
});
Chaining Promises
This feature allows you to chain multiple promises together. The example demonstrates how to chain two asynchronous tasks, where the second task starts only after the first task is completed.
const Q = require('kew');
function firstTask() {
const defer = Q.defer();
setTimeout(() => {
defer.resolve('First task completed');
}, 1000);
return defer.promise;
}
function secondTask() {
const defer = Q.defer();
setTimeout(() => {
defer.resolve('Second task completed');
}, 1000);
return defer.promise;
}
firstTask()
.then(result => {
console.log(result); // 'First task completed'
return secondTask();
})
.then(result => {
console.log(result); // 'Second task completed'
});
Handling Errors
This feature allows you to handle errors in asynchronous operations. The example demonstrates how to create a promise that rejects with an error and how to handle the error using the 'fail' method.
const Q = require('kew');
function asyncTaskWithError() {
const defer = Q.defer();
setTimeout(() => {
defer.reject(new Error('Something went wrong'));
}, 1000);
return defer.promise;
}
asyncTaskWithError()
.then(result => {
console.log(result);
})
.fail(error => {
console.error(error.message); // 'Something went wrong'
});
Bluebird is a fully-featured promise library for JavaScript. It is known for its performance and extensive API, which includes utilities for working with collections, cancellation, and more. Compared to 'kew', Bluebird offers a richer set of features and is widely used in the JavaScript community.
Q is another promise library for JavaScript that inspired many other promise libraries, including 'kew'. It provides a similar API for creating and managing promises but includes additional features like progress notifications and more comprehensive error handling. Q is more feature-rich compared to 'kew'.
ES6-Promise is a polyfill for the ES6 Promises specification. It provides a minimalistic implementation of promises that adheres to the ES6 standard. While 'kew' offers a more lightweight and efficient solution, ES6-Promise is useful for ensuring compatibility with the ES6 standard.
kew is a lightweight promise framework with an aim of providing a base set of functionality similar to that provided by the Q library.
Why'd we write it?
During our initial usage of Q we found that it was consuming 80% of the cpu under load (primarily in chained database callbacks). We spent some time looking at patching Q and ultimately found that creating our own lightweight library for server-usage would suit our needs better than figuring out how to make a large cross-platform library more performant on one very specific platform.
So this does everything Q does?
Nope! Q is still an awesome library and does way more than kew. We support a tiny subset of the Q functionality (the subset that we happen to use in our actual use cases).
At its core, a Promise is a promise to return a value at some point in the future. A Promise represents a value that will be (or may return an error if something goes wrong). Promises heavily reduce the complexity of asynchronous coding in node.js-like environments. Example:
// assuming the getUrlContent() function exists and retrieves the content of a url
var htmlPromise = getUrlContent(myUrl)
// we can then filter that through an http parser (our imaginary parseHtml() function) asynchronously (or maybe synchronously, who knows)
var tagsPromise = htmlPromise.then(parseHtml)
// and then filter it through another function (getLinks()) which retrieves only the link tags
var linksPromise = tagsPromise.then(getLinks)
// and then parses the actual urls from the links (using parseUrlsFromLinks())
var urlsPromise = linksPromise.then(linksPromise)
// finally, we have a promise that should only provide us with the urls and will run once all the previous steps have ran
urlsPromise.then(function (urls) {
// do something with the urls
})
As a precursor to all the examples, the following code must be at the top of your page:
var Q = require('kew')
The easiest way to start a promise chain is by creating a new promise with a specified literal using Q.resolve() or Q.reject()
// create a promise which passes a value to the next then() call
var successPromise = Q.resolve(val)
// create a promise which throws an error to be caught by the next fail() call
var failPromise = Q.reject(err)
In addition, you can create deferreds which can be used if you need to create a promise but resolve it later:
// create the deferreds
var successDefer = Q.defer()
var failDefer = Q.defer()
// resolve or reject the defers in 1 second
setTimeout(function () {
successDefer.resolve("ok")
failDefer.reject(new Error("this failed"))
}, 1000)
// extract promises from the deferreds
var successPromise = successDefer.promise
var failPromise = failDefer.promise
If you have a node-style callback (taking an Error as the first parameter and a response as the second), you can call the magic makeNodeResolver()
function on a defer to allow the defer to handle the callbacks:
// create the deferred
var defer = Q.defer()
// some node-style function
getObjectFromDatabase(myObjectId, defer.makeNodeResolver())
// grab the output
defer.promise
.then(function (obj) {
// successfully retrieved the object
})
.fail(function (e) {
// failed retrieving the object
})
.then()
When a promise is resolved, you may call the .then()
method to retrieve the value of the promise:
promise.then(function (result) {
// do something with the result here
})
.then()
will in turn return a promise which will return the results of whatever it returns (asynchronously or not), allowing it to be chained indefinitely:
Q.resolve('a')
.then(function (result) {
return result + 'b'
})
.then(function (result) {
return result + 'c'
})
.then(function (result) {
// result should be 'abc'
})
In addition, .then()
calls may return promises themselves, allowing for complex nesting of asynchronous calls in a flat manner:
var htmlPromise = getUrlContent(myUrl)
var tagsPromise = htmlPromise.then(function (html) {
if (!validHtml(html)) throw new Error("Invalid HTML")
// pretend that parseHtml() returns a promise and is asynchronous
return parseHtml(html)
})
.fail()
If a promise is rejected for some reason, you may handle the failure case with the .fail()
function:
getObjectPromise
.fail(function (e) {
console.error("Failed to retrieve object", e)
})
Like .then()
, .fail()
also returns a promise. If the .fail()
call does not throw an error, it will pass the return value of the .fail()
handler to any .then()
calls chained to it:
getObjectPromise
.fail(function (e) {
return retryGetObject(objId)
})
.then(function (obj) {
// yay, we received an object
})
.fail(function (e) {
// the retry failed :(
console.error("Retrieving the object '" + objId + "' failed")
})
})
If you've reached the end of your promise chain, you may call .end()
which signifies that the promise chain is ended and any errors should be thrown in whatever scope the code is currently in:
getObjectPromise
// this will throw an error to the uncaught exception handler if the getObjectPromise call is asynchronous
.end()
.fin()
when things are finishedYou may attach a handler to a promise which will be ran regardless of whether the promise was resolved or rejected (but will only run upon completion). This is useful in the cases where you may have set up resources to run a request and wish to tear them down afterwards. .fin()
will return the promise it is called upon:
var connection = db.connect()
var itemPromise = db.getItem(itemId)
.fin(function () {
db.close()
})
There's only one utility method as of now:
.all()
for many thingsIf you're waiting for multiple promises to return, you may pass them (mixed in with literals if you desire) into .all()
which will create a promise that resolves successfully with an array of the results of the promises:
var promises = []
promises.push(getUrlContent(url1))
promises.push(getUrlContent(url2))
promises.push(getUrlContent(url3))
Q.all(promises)
.then(function (content) {
// content[0] === content for url 1
// content[1] === content for url 2
// content[2] === content for url 3
})
If any of the promises fail, Q.all will fail as well (so make sure to guard your promises with a .fail()
call beforehand if you don't care whether they succeed or not):
var promises = []
promises.push(getUrlContent(url1))
promises.push(getUrlContent(url2))
promises.push(getUrlContent(url3))
Q.all(promises)
.fail(function (e) {
console.log("Failed retrieving a url", e)
})
Questions, comments, bug reports, and pull requests are all welcome. Submit them at the project on GitHub.
Bug reports that include steps-to-reproduce (including code) are the best. Even better, make them in the form of pull requests that update the test suite. Thanks!
Jeremy Stanley supported by The Obvious Corporation.
Copyright 2013 The Obvious Corporation.
Licensed under the Apache License, Version 2.0.
See the top-level file LICENSE.TXT
and
(http://www.apache.org/licenses/LICENSE-2.0).
FAQs
a lightweight promise library for node
The npm package kew receives a total of 312,879 weekly downloads. As such, kew popularity was classified as popular.
We found that kew demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 6 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
Security News
pnpm 10 blocks lifecycle scripts by default to improve security, addressing supply chain attack risks but sparking debate over compatibility and workflow changes.
Product
Socket now supports uv.lock files to ensure consistent, secure dependency resolution for Python projects and enhance supply chain security.