neo4j-driver
The neo4j-driver npm package is a driver for connecting to and interacting with a Neo4j database from a Node.js application. It provides a set of tools and APIs to perform various operations such as connecting to the database, executing Cypher queries, managing transactions, and handling results.
Connecting to Neo4j
This feature allows you to establish a connection to a Neo4j database using the Bolt protocol. You need to provide the database URL and authentication credentials.
const neo4j = require('neo4j-driver');
const driver = neo4j.driver('bolt://localhost:7687', neo4j.auth.basic('username', 'password'));
const session = driver.session();
Executing Cypher Queries
This feature enables you to execute Cypher queries against the connected Neo4j database. The example demonstrates running a simple query to match and return all nodes.
const result = await session.run('MATCH (n) RETURN n');
result.records.forEach(record => {
console.log(record.get(0));
});
Managing Transactions
This feature allows you to manage transactions, providing a way to commit or rollback operations as needed. The example shows how to create a node within a transaction and handle errors.
const tx = session.beginTransaction();
try {
await tx.run('CREATE (n:Person {name: $name})', { name: 'Alice' });
await tx.commit();
} catch (error) {
await tx.rollback();
throw error;
}
Handling Results
This feature provides methods to handle and process the results returned from Cypher queries. The example demonstrates accessing and logging the properties of a node from the query result.
const result = await session.run('MATCH (n) RETURN n');
const singleRecord = result.records[0];
const node = singleRecord.get(0);
console.log(node.properties);
The 'neo4j' npm package is another driver for interacting with Neo4j databases. It offers similar functionalities to 'neo4j-driver' but may have different API conventions and additional features. It is also designed to work with the Neo4j REST API.
The 'seraph' package is a Node.js library for interacting with Neo4j databases. It provides a higher-level abstraction over the Neo4j REST API, making it easier to work with nodes and relationships. Compared to 'neo4j-driver', it focuses more on simplifying common operations and providing a more intuitive API.
The 'neode' package is an Object Graph Mapper (OGM) for Neo4j, similar to an ORM for relational databases. It allows you to define models and interact with the database using those models. 'neode' provides a higher-level abstraction compared to 'neo4j-driver', making it easier to work with complex data structures.
A database driver for Neo4j 3.0.0+.
Resources to get you started:
Stable channel:
npm install neo4j-driver
Pre-release channel:
npm install neo4j-driver@next
Please note that @next only points to pre-releases that are not suitable for production use. To get the latest stable release omit @next part altogether or use @latest instead.
var neo4j = require('neo4j-driver').v1
Driver instance should be closed when Node.js application exits:
driver.close()
otherwise application shutdown might hang or it might exit with a non-zero exit code.
We build a special browser version of the driver, which supports connecting to Neo4j over WebSockets. It can be included in an HTML page using one of the following tags:
<!-- Direct reference -->
<script src="lib/browser/neo4j-web.min.js"></script>
<!-- unpkg CDN non-minified -->
<script src="https://unpkg.com/neo4j-driver"></script>
<!-- unpkg CDN minified for production use, version X.Y.Z -->
<script src="https://unpkg.com/neo4j-driver@X.Y.Z/lib/browser/neo4j-web.min.js"></script>
<!-- jsDelivr CDN non-minified -->
<script src="https://cdn.jsdelivr.net/npm/neo4j-driver"></script>
<!-- jsDelivr CDN minified for production use, version X.Y.Z -->
<script src="https://cdn.jsdelivr.net/npm/neo4j-driver@X.Y.Z/lib/browser/neo4j-web.min.js"></script>
This will make a global neo4j object available, where you can access the v1 API at neo4j.v1:
var driver = neo4j.v1.driver(
'bolt://localhost',
neo4j.v1.auth.basic('neo4j', 'neo4j')
)
It is not required to explicitly close the driver on a web page. The web browser should gracefully close all open WebSockets when the page is unloaded. However, the driver instance should be explicitly closed when its lifetime is not the same as the lifetime of the web page:
driver.close()
Driver lifecycle:
// Create a driver instance, for the user neo4j with password neo4j.
// It should be enough to have a single driver per database per application.
var driver = neo4j.driver(
'bolt://localhost',
neo4j.auth.basic('neo4j', 'neo4j')
)
// Close the driver when application exits.
// This closes all used network connections.
driver.close()
Session API:
// Create a session to run Cypher statements in.
// Note: Always make sure to close sessions when you are done using them!
var session = driver.session()
// Run a Cypher statement, reading the result in a streaming manner as records arrive:
session
.run('MERGE (alice:Person {name : {nameParam} }) RETURN alice.name AS name', {
nameParam: 'Alice'
})
.subscribe({
onNext: function(record) {
console.log(record.get('name'))
},
onCompleted: function() {
session.close()
},
onError: function(error) {
console.log(error)
}
})
// or
// the Promise way, where the complete result is collected before we act on it:
session
.run('MERGE (james:Person {name : {nameParam} }) RETURN james.name AS name', {
nameParam: 'James'
})
.then(function(result) {
result.records.forEach(function(record) {
console.log(record.get('name'))
})
session.close()
})
.catch(function(error) {
console.log(error)
})
Transaction functions API:
// Transaction functions provide a convenient API with minimal boilerplate and
// retries on network fluctuations and transient errors. Maximum retry time is
// configured on the driver level and is 30 seconds by default:
neo4j.driver('bolt://localhost', neo4j.auth.basic('neo4j', 'neo4j'), {
maxTransactionRetryTime: 30000
})
// It is possible to execute read transactions that will benefit from automatic
// retries on both single instance ('bolt' URI scheme) and Causal Cluster
// ('bolt+routing' URI scheme) and will get automatic load balancing in cluster deployments
var readTxResultPromise = session.readTransaction(function(transaction) {
// used transaction will be committed automatically, no need for explicit commit/rollback
var result = transaction.run(
'MATCH (person:Person) RETURN person.name AS name'
)
// at this point it is possible to either return the result or process it and return the
// result of processing; it is also possible to run more statements in the same transaction
return result
})
// returned Promise can be later consumed like this:
readTxResultPromise
.then(function(result) {
session.close()
console.log(result.records)
})
.catch(function(error) {
console.log(error)
})
// It is possible to execute write transactions that will benefit from automatic retries
// on both single instance ('bolt' URI scheme) and Causal Cluster ('bolt+routing' URI scheme)
var writeTxResultPromise = session.writeTransaction(function(transaction) {
// used transaction will be committed automatically, no need for explicit commit/rollback
var result = transaction.run(
"MERGE (alice:Person {name : 'Alice' }) RETURN alice.name AS name"
)
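// at this point it is possible to either return the result or process it and return the
// result of processing; it is also possible to run more statements in the same transaction.
// transaction.run() returns a Result, so wait for it to resolve before reading its records
return result.then(function(res) {
return res.records.map(function(record) {
return record.get('name')
})
})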
})
// returned Promise can be later consumed like this:
writeTxResultPromise
.then(function(namesArray) {
session.close()
console.log(namesArray)
})
.catch(function(error) {
console.log(error)
})
Explicit transactions API:
// run statement in a transaction
var tx = session.beginTransaction()
tx.run('MERGE (bob:Person {name : {nameParam} }) RETURN bob.name AS name', {
nameParam: 'Bob'
}).subscribe({
onNext: function(record) {
console.log(record.get('name'))
},
onCompleted: function() {
console.log('First query completed')
},
onError: function(error) {
console.log(error)
}
})
tx.run('MERGE (adam:Person {name : {nameParam} }) RETURN adam.name AS name', {
nameParam: 'Adam'
}).subscribe({
onNext: function(record) {
console.log(record.get('name'))
},
onCompleted: function() {
console.log('Second query completed')
},
onError: function(error) {
console.log(error)
}
})
//decide if the transaction should be committed or rolled back
var success = false
if (success) {
tx.commit().subscribe({
onCompleted: function() {
// this transaction is now committed and session can be closed
session.close()
},
onError: function(error) {
console.log(error)
}
})
} else {
// transaction is rolled back and nothing is created in the database
console.log('rolled back')
tx.rollback()
}
Subscriber API allows following combinations of onNext, onCompleted and onError callback invocations:
onNext followed by onCompleted when operation was successful. onError will not be invoked in this case
onNext followed by onError when operation failed. Callback onError might be invoked after couple onNext invocations because records are streamed lazily by the database. onCompleted will not be invoked in this case
In a single session, multiple queries will be executed serially. In order to parallelize queries, multiple sessions are required.
npm install
npm run build
This produces browser-compatible standalone files under lib/browser and a Node.js module version under lib/.
See files under examples/ on how to use.
Tests require latest Boltkit to be installed in the system. It is needed to start, stop and configure local test database. Boltkit can be installed with the following command:
pip install --upgrade boltkit
To run tests against "default" Neo4j version:
./runTests.sh
To run tests against specified Neo4j version:
./runTests.sh '-e 3.1.3'
Simple npm test can also be used if you already have a running version of a compatible Neo4j server.
For development, you can have the build tool rerun the tests each time you change the source code:
gulp watch-n-test
Running tests on Windows requires PhantomJS to be installed and its bin folder added to the Windows system variable Path.
To run the same test suite, run .\runTest.ps1 instead in PowerShell with admin rights.
Admin rights are required to start/stop Neo4j properly as a system service.
Admin rights are not needed if you are running tests against an existing Neo4j server using npm test.
The Neo4j type system includes 64-bit integer values.
However, JavaScript can only safely represent integers between -(2^53 - 1) and (2^53 - 1).
In order to support the full Neo4j type system, the driver will not automatically convert to javascript integers.
Any time the driver receives an integer value from Neo4j, it will be represented with an internal integer type by the driver.
Numbers written directly, e.g. session.run("CREATE (n:Node {age: {age}})", {age: 22}), will be of type Float in Neo4j.
To write the age as an integer the neo4j.int method should be used:
var neo4j = require('neo4j-driver').v1
session.run('CREATE (n {age: {myIntParam}})', { myIntParam: neo4j.int(22) })
To write integers larger than can be represented as JavaScript numbers, use a string argument to neo4j.int:
session.run('CREATE (n {age: {myIntParam}})', {
myIntParam: neo4j.int('9223372036854775807')
})
Since Integers can be larger than can be represented as JavaScript numbers, it is only safe to convert to JavaScript numbers if you know that they will not exceed (2^53 - 1) in size.
In order to facilitate working with integers the driver includes neo4j.isInt, neo4j.integer.inSafeRange, neo4j.integer.toNumber, and neo4j.integer.toString.
var aSmallInteger = neo4j.int(123)
if (neo4j.integer.inSafeRange(aSmallInteger)) {
var aNumber = aSmallInteger.toNumber()
}
If you will be handling integers larger than that, you should convert them to strings:
var aLargerInteger = neo4j.int('9223372036854775807')
if (!neo4j.integer.inSafeRange(aLargerInteger)) {
var integerAsString = aLargerInteger.toString()
}
Starting from 1.6 version of the driver it is possible to configure it to only return native numbers instead of custom Integer objects.
The configuration option affects all integers returned by the driver. Enabling this option can result in a loss of precision and incorrect numeric values being returned if the database contains integer numbers outside of the range [Number.MIN_SAFE_INTEGER, Number.MAX_SAFE_INTEGER].
To enable potentially lossy integer values use the driver's configuration object:
var driver = neo4j.driver(
'bolt://localhost',
neo4j.auth.basic('neo4j', 'neo4j'),
{ disableLosslessIntegers: true }
)
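The precision loss described above, shown as an added example that is not part of the driver or its README. It emulates 64-bit integers with BigInt so it runs without a database; the helper names (parseInt64, inSafeRange, toLossless, toLossy) and the two sample identifiers are constructed for illustration.

```javascript
// Added example: emulates 64-bit integer handling with BigInt so it runs
// without neo4j-driver. All function names here are hypothetical.
const INT64_MIN = -(2n ** 63n);
const INT64_MAX = 2n ** 63n - 1n;

// Parse a decimal string as a signed 64-bit integer, rejecting anything else.
function parseInt64(text) {
  if (!/^-?\d+$/.test(text)) throw new TypeError('not an integer: ' + text);
  const value = BigInt(text);
  if (value < INT64_MIN || value > INT64_MAX) {
    throw new RangeError('outside 64-bit range: ' + text);
  }
  return value;
}

// The safe-range test from the text: -(2^53 - 1) <= value <= (2^53 - 1).
function inSafeRange(value) {
  return value >= BigInt(Number.MIN_SAFE_INTEGER) &&
         value <= BigInt(Number.MAX_SAFE_INTEGER);
}

// Lossless handling: a Number when exact, otherwise a decimal string.
function toLossless(text) {
  const value = parseInt64(text);
  return inSafeRange(value) ? Number(value) : value.toString();
}

// Lossy handling: always a native Number, as when lossless integers are disabled.
function toLossy(text) {
  return Number(parseInt64(text));
}

// Constructed sample values: two distinct 64-bit identifiers.
const idA = '9007199254740993'; // 2^53 + 1
const idB = '9007199254740992'; // 2^53

console.log(toLossless('22'));                   // 22
console.log(toLossless('9223372036854775807'));  // '9223372036854775807'
console.log(toLossy(idA) === toLossy(idB));      // true: distinct ids collide
console.log(toLossless(idA) === toLossless(idB)); // false: strings stay distinct
```

If stored integers are used as identifiers or in access checks, a collision like the one above makes two different records indistinguishable to the application, so keep such values as strings or Integer objects.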
FAQs
The official Neo4j driver for Javascript
The npm package neo4j-driver receives a total of 98,994 weekly downloads. As such, neo4j-driver popularity was classified as popular.
We found that neo4j-driver demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.