Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
The nopt npm package is a command-line option parser for Node.js. It helps in parsing the arguments passed to a Node.js application from the command line, allowing developers to easily extract and use options and values provided by the users.
Option Parsing
This feature allows you to define known options and parse the command line arguments to extract those options. In the code sample, 'foo' expects a string and 'bar' is a boolean flag.
const nopt = require('nopt');
const knownOpts = { 'foo': [String, null], 'bar': [Boolean, null] };
const parsed = nopt(knownOpts, process.argv, 2);
console.log(parsed);
Type Coercion
This feature automatically converts command line arguments to the specified type. In the code sample, 'size' is expected to be a number and nopt will attempt to parse it as such.
const nopt = require('nopt');
const knownOpts = { 'size': Number };
const parsed = nopt(knownOpts, process.argv, 2);
console.log(parsed.size); // Will be a number if provided, or undefined
Shorthands
This feature allows you to define shorthand notations for options. In the code sample, '-v' is a shorthand for '--verbose'.
const nopt = require('nopt');
const knownOpts = { 'verbose': Boolean };
const shorthands = { 'v': '--verbose' };
const parsed = nopt(knownOpts, shorthands, process.argv, 2);
console.log(parsed.verbose); // Will be true if '-v' is used
Yargs is a powerful npm package that provides a rich set of features for command-line argument parsing. It includes features like command handling, automatic help generation, and more. Compared to nopt, yargs offers a higher level of abstraction and more utilities for building complex CLI tools.
Commander is another popular npm package for parsing command-line options. It provides an API for specifying commands, options, and subcommands, making it suitable for building CLI applications with complex command structures. Commander is more opinionated and structured compared to nopt, which is more minimalistic and flexible.
Minimist is a minimalistic command-line option parser. It is simpler than nopt and does not include features like type coercion or shorthands out of the box. Minimist is a good choice for those who need a lightweight solution without additional features that nopt provides.
Optimist is a deprecated npm package that was once used for command-line option parsing. It has been superseded by yargs, which is maintained by the same authors. Optimist is no longer recommended for use, but it historically offered similar functionality to nopt.
If you want to write an option parser, and have it be good, there are two ways to do it. The Right Way, and the Wrong Way.
The Wrong Way is to sit down and write an option parser. We've all done that.
The Right Way is to write some complex configurable program with so many options that you hit the limit of your frustration just trying to manage them all, and defer it with duct-tape solutions until you see exactly to the core of the problem, and finally snap and write an awesome option parser.
If you want to write an option parser, don't write an option parser. Write a package manager, or a source control system, or a service restarter, or an operating system. You probably won't end up with a good one of those, but if you don't give up, and you are relentless and diligent enough in your procrastination, you may just end up with a very nice option parser.
// my-program.js
var nopt = require("nopt")
, Stream = require("stream").Stream
, path = require("path")
, knownOpts = { "foo" : [String, null]
, "bar" : [Stream, Number]
, "baz" : path
, "bloo" : [ "big", "medium", "small" ]
, "flag" : Boolean
, "pick" : Boolean
, "many1" : [String, Array]
, "many2" : [path]
}
, shortHands = { "foofoo" : ["--foo", "Mr. Foo"]
, "b7" : ["--bar", "7"]
, "m" : ["--bloo", "medium"]
, "p" : ["--pick"]
, "f" : ["--flag"]
}
// everything is optional.
// knownOpts and shorthands default to {}
// arg list defaults to process.argv
// slice defaults to 2
, parsed = nopt(knownOpts, shortHands, process.argv, 2)
console.log(parsed)
This would give you support for any of the following:
$ node my-program.js --foo "blerp" --no-flag
{ "foo" : "blerp", "flag" : false }
$ node my-program.js ---bar 7 --foo "Mr. Hand" --flag
{ bar: 7, foo: "Mr. Hand", flag: true }
$ node my-program.js --foo "blerp" -f -----p
{ foo: "blerp", flag: true, pick: true }
$ node my-program.js -fp --foofoo
{ foo: "Mr. Foo", flag: true, pick: true }
$ node my-program.js --foofoo -- -fp # -- stops the flag parsing.
{ foo: "Mr. Foo", argv: { remain: ["-fp"] } }
$ node my-program.js --blatzk -fp # unknown opts are ok.
{ blatzk: true, flag: true, pick: true }
$ node my-program.js --blatzk=1000 -fp # but you need to use = if they have a value
{ blatzk: 1000, flag: true, pick: true }
$ node my-program.js --no-blatzk -fp # unless they start with "no-"
{ blatzk: false, flag: true, pick: true }
$ node my-program.js --baz b/a/z # known paths are resolved.
{ baz: "/Users/isaacs/b/a/z" }
# if Array is one of the types, then it can take many
# values, and will always be an array. The other types provided
# specify what types are allowed in the list.
$ node my-program.js --many1 5 --many1 null --many1 foo
{ many1: ["5", "null", "foo"] }
$ node my-program.js --many2 foo --many2 bar
{ many2: ["/path/to/foo", "path/to/bar"] }
Read the tests at the bottom of lib/nopt.js
for more examples of
what this puppy can do.
The following types are supported, and defined on nopt.typeDefs
Date
is one of the options,
then it will return a Date object, not a string.true
or false
. If an option is a boolean,
then it does not need a value, and its presence will imply true
as
the value. To negate boolean flags, do --no-whatever
or --whatever false
outfd
and logfd
config options.)Array
is specified as one of the types, then the value
will be parsed as a list of options. This means that multiple values
can be specified, and that the value will always be an array.If a type is an array of values not on this list, then those are
considered valid values. For instance, in the example above, the
--bloo
option can only be one of "big"
, "medium"
, or "small"
,
and any other value will be rejected.
When parsing unknown fields, "true"
, "false"
, and "null"
will be
interpreted as their JavaScript equivalents.
You can also mix types and values, or multiple types, in a list. For
instance { blah: [Number, null] }
would allow a value to be set to
either a Number or null. When types are ordered, this implies a
preference, and the first type that can be used to properly interpret
the value will be used.
To define a new type, add it to nopt.typeDefs
. Each item in that
hash is an object with a type
member and a validate
method. The
type
member is an object that matches what goes in the type list. The
validate
method is a function that gets called with validate(data, key, val)
. Validate methods should assign data[key]
to the valid
value of val
if it can be handled properly, or return boolean
false
if it cannot.
You can also call nopt.clean(data, types, typeDefs)
to clean up a
config object and remove its invalid properties.
By default, nopt outputs a warning to standard error when invalid values for
known options are found. You can change this behavior by assigning a method
to nopt.invalidHandler
. This method will be called with
the offending nopt.invalidHandler(key, val, types)
.
If no nopt.invalidHandler
is assigned, then it will console.error
its whining. If it is assigned to boolean false
then the warning is
suppressed.
Yes, they are supported. If you define options like this:
{ "foolhardyelephants" : Boolean
, "pileofmonkeys" : Boolean }
Then this will work:
node program.js --foolhar --pil
node program.js --no-f --pileofmon
# etc.
Shorthands are a hash of shorter option names to a snippet of args that they expand to.
If multiple one-character shorthands are all combined, and the combination does not unambiguously match any other option or shorthand, then they will be broken up into their constituent parts. For example:
{ "s" : ["--loglevel", "silent"]
, "g" : "--global"
, "f" : "--force"
, "p" : "--parseable"
, "l" : "--long"
}
npm ls -sgflp
# just like doing this:
npm ls --loglevel silent --global --force --long --parseable
The config object returned by nopt is given a special member called
argv
, which is an object with the following fields:
remain
: The remaining args after all the parsing has occurred.original
: The args as they originally appeared.cooked
: The args after flags and shorthands are expanded.Node programs are called with more or less the exact argv as it appears
in C land, after the v8 and node-specific options have been plucked off.
As such, argv[0]
is always node
and argv[1]
is always the
JavaScript program being run.
That's usually not very useful to you. So they're sliced off by
default. If you want them, then you can pass in 0
as the last
argument, or any other number that you'd like to slice off the start of
the list.
FAQs
Option parsing for Node, supporting types, shorthands, etc. Used by npm.
We found that nopt demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 6 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.