Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
minimatch
Advanced tools
The minimatch npm package is a minimal matching utility that implements the string pattern matching functionality, commonly known as 'globbing'. It is used to match text strings with wildcard characters, such as '*' for multiple characters or '?' for a single character. It is often used in file path matching and filtering operations.
Basic string matching
This feature allows for basic pattern matching where a string is tested against a pattern. Wildcards like '*' and '?' can be used to match multiple or single characters respectively.
"use strict";
const minimatch = require("minimatch");
// Match a literal string
console.log(minimatch("foo.js", "foo.js")); // true
// Match with a single wildcard
console.log(minimatch("foo.js", "*.js")); // true
// Match with a single character wildcard
console.log(minimatch("foo.js", "f?o.js")); // true
Negation
This feature allows patterns to be negated so that they match strings that do not match the given pattern.
"use strict";
const minimatch = require("minimatch");
// Negate the match
console.log(minimatch("foo.js", "!foo.js")); // false
console.log(minimatch("bar.js", "!foo.js")); // true
Match options
Minimatch allows for additional options to be set, such as case-insensitivity, to customize the matching behavior.
"use strict";
const minimatch = require("minimatch");
// Match with options
const options = {nocase: true};
console.log(minimatch("FOO.JS", "*.js", options)); // true
Micromatch is a faster and more efficient globbing library with a broader feature set compared to minimatch. It offers advanced pattern matching with support for multiple patterns and extended globbing features.
Glob is a package that provides pattern matching and file system operations. It is more focused on file system globbing rather than string pattern matching, but it uses minimatch under the hood for its matching capabilities.
Multimatch extends minimatch to allow for multiple patterns to be specified at once. It is useful when you need to match against an array of patterns rather than a single pattern.
Anymatch is a package that allows for matching strings against not just patterns, but also against regular expressions and functions. It provides a more flexible matching mechanism compared to minimatch.
A minimal matching utility.
This is the matching library used internally by npm.
It works by converting glob expressions into JavaScript RegExp
objects.
// hybrid module, load with require() or import
import { minimatch } from 'minimatch'
// or:
const { minimatch } = require('minimatch')
// default export also works
import minimatch from 'minimatch'
// or:
const minimatch = require('minimatch')
minimatch('bar.foo', '*.foo') // true!
minimatch('bar.foo', '*.bar') // false!
minimatch('bar.foo', '*.+(bar|foo)', { debug: true }) // true, and noisy!
Supports these glob features:
**
matchingSee:
man sh
man bash
man 3 fnmatch
man 5 gitignore
Please only use forward-slashes in glob expressions.
Though windows uses either /
or \
as its path separator, only /
characters are used by this glob implementation. You must use
forward-slashes only in glob expressions. Back-slashes in patterns
will always be interpreted as escape characters, not path separators.
Note that \
or /
will be interpreted as path separators in paths on
Windows, and will match against /
in glob expressions.
So just always use /
in patterns.
On Windows, UNC paths like //?/c:/...
or
//ComputerName/Share/...
are handled specially.
//*
will match //x
, but not /x
.//?/<drive letter>:
will not treat
the ?
as a wildcard character. Instead, it will be treated
as a normal string.//?/<drive letter>:/...
will match
file paths starting with <drive letter>:/...
, and vice versa,
as if the //?/
was not present. This behavior only is
present when the drive letters are a case-insensitive match to
one another. The remaining portions of the path/pattern are
compared case sensitively, unless nocase:true
is set.Note that specifying a UNC path using \
characters as path
separators is always allowed in the file path argument, but only
allowed in the pattern argument when windowsPathsNoEscape: true
is set in the options.
Create a minimatch object by instantiating the minimatch.Minimatch
class.
var Minimatch = require('minimatch').Minimatch
var mm = new Minimatch(pattern, options)
pattern
The original pattern the minimatch object represents.
options
The options supplied to the constructor.
set
A 2-dimensional array of regexp or string expressions.
Each row in the
array corresponds to a brace-expanded pattern. Each item in the row
corresponds to a single path-part. For example, the pattern
{a,b/c}/d
would expand to a set of patterns like:
[ [ a, d ]
, [ b, c, d ] ]
If a portion of the pattern doesn't have any "magic" in it
(that is, it's something like "foo"
rather than fo*o?
), then it
will be left as a string rather than converted to a regular
expression.
regexp
Created by the makeRe
method. A single regular expression
expressing the entire pattern. This is useful in cases where you wish
to use the pattern somewhat like fnmatch(3)
with FNM_PATH
enabled.
negate
True if the pattern is negated.
comment
True if the pattern is a comment.
empty
True if the pattern is ""
.
makeRe
Generate the regexp
member if necessary, and return it.
Will return false
if the pattern is invalid.match(fname)
Return true if the filename matches the pattern, or
false otherwise.matchOne(fileArray, patternArray, partial)
Take a /
-split
filename, and match it against a single row in the regExpSet
. This
method is mainly for internal use, but is exposed so that it can be
used by a glob-walker that needs to avoid excessive filesystem calls.All other methods are internal, and will be called as necessary.
Main export. Tests a path against the pattern using the options.
var isJS = minimatch(file, '*.js', { matchBase: true })
Returns a function that tests its
supplied argument, suitable for use with Array.filter
. Example:
var javascripts = fileList.filter(minimatch.filter('*.js', { matchBase: true }))
Match against the list of files, in the style of fnmatch or glob. If nothing is matched, and options.nonull is set, then return a list containing the pattern itself.
var javascripts = minimatch.match(fileList, '*.js', { matchBase: true })
Make a regular expression object from the pattern.
All options are false
by default.
Dump a ton of stuff to stderr.
Do not expand {a,b}
and {1..3}
brace sets.
Disable **
matching against multiple folder names.
Allow patterns to match filenames starting with a period, even if the pattern does not explicitly have a period in that spot.
Note that by default, a/**/b
will not match a/.d/b
, unless dot
is set.
Disable "extglob" style patterns like +(a|b)
.
Perform a case-insensitive match.
When used with {nocase: true}
, create regular expressions that
are case-insensitive, but leave string match portions untouched.
Has no effect when used without {nocase: true}
Useful when some other form of case-insensitive matching is used, or if the original string representation is useful in some other way.
When a match is not found by minimatch.match
, return a list containing
the pattern itself if this option is set. When not set, an empty list
is returned if there are no matches.
If set, then patterns without slashes will be matched
against the basename of the path if it contains slashes. For example,
a?b
would match the path /xyz/123/acb
, but not /xyz/acb/123
.
Suppress the behavior of treating #
at the start of a pattern as a
comment.
Suppress the behavior of treating a leading !
character as negation.
Returns from negate expressions the same as if they were not negated. (Ie, true on a hit, false on a miss.)
Compare a partial path to a pattern. As long as the parts of the path that are present are not contradicted by the pattern, it will be treated as a match. This is useful in applications where you're walking through a folder structure, and don't yet have the full path, but want to ensure that you do not walk down paths that can never be a match.
For example,
minimatch('/a/b', '/a/*/c/d', { partial: true }) // true, might be /a/b/c/d
minimatch('/a/b', '/**/d', { partial: true }) // true, might be /a/b/.../d
minimatch('/x/y/z', '/a/**/z', { partial: true }) // false, because x !== a
Use \\
as a path separator only, and never as an escape
character. If set, all \\
characters are replaced with /
in
the pattern. Note that this makes it impossible to match
against paths containing literal glob pattern characters, but
allows matching with patterns constructed using path.join()
and
path.resolve()
on Windows platforms, mimicking the (buggy!)
behavior of earlier versions on Windows. Please use with
caution, and be mindful of the caveat about Windows
paths.
For legacy reasons, this is also set if
options.allowWindowsEscape
is set to the exact value false
.
By default, multiple /
characters (other than the leading //
in a UNC path, see "UNC Paths" above) are treated as a single
/
.
That is, a pattern like a///b
will match the file path a/b
.
Set preserveMultipleSlashes: true
to suppress this behavior.
While strict compliance with the existing standards is a worthwhile goal, some discrepancies exist between minimatch and other implementations, and are intentional.
If the pattern starts with a !
character, then it is negated. Set the
nonegate
flag to suppress this behavior, and treat leading !
characters normally. This is perhaps relevant if you wish to start the
pattern with a negative extglob pattern like !(a|B)
. Multiple !
characters at the start of a pattern will negate the pattern multiple
times.
If a pattern starts with #
, then it is treated as a comment, and
will not match anything. Use \#
to match a literal #
at the
start of a line, or set the nocomment
flag to suppress this behavior.
The double-star character **
is supported by default, unless the
noglobstar
flag is set. This is supported in the manner of bsdglob
and bash 4.1, where **
only has special significance if it is the only
thing in a path part. That is, a/**/b
will match a/x/y/b
, but
a/**b
will not.
If an escaped pattern has no matches, and the nonull
flag is set,
then minimatch.match returns the pattern as-provided, rather than
interpreting the character escapes. For example,
minimatch.match([], "\\*a\\?")
will return "\\*a\\?"
rather than
"*a?"
. This is akin to setting the nullglob
option in bash, except
that it does not resolve escaped pattern characters.
If brace expansion is not disabled, then it is performed before any
other interpretation of the glob pattern. Thus, a pattern like
+(a|{b),c)}
, which would not be valid in bash or zsh, is expanded
first into the set of +(a|b)
and +(a|c)
, and those patterns are
checked for validity. Since those two are valid, matching proceeds.
Note that fnmatch(3)
in libc is an extremely naive string comparison
matcher, which does not do anything special for slashes. This library is
designed to be used in glob searching and file walkers, and so it does do
special things with /
. Thus, foo*
will not match foo/bar
in this
library, even though it would in fnmatch(3)
.
FAQs
a glob matcher in javascript
The npm package minimatch receives a total of 153,774,799 weekly downloads. As such, minimatch popularity was classified as popular.
We found that minimatch demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.