Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
The 'open' npm package is a simple utility to open a file, URL, or executable in the default program associated with that file type on the user's operating system. It can be used to open resources in the default browser, editor, or any other program.
Open URLs in the default web browser
This feature allows you to open a URL in the user's default web browser.
const open = require('open');
open('https://www.example.com');
Open files in the default application
This feature allows you to open a file in the default application associated with its file type, such as a PDF in a PDF viewer.
const open = require('open');
open('path/to/file.pdf');
Open files with a specific application
This feature allows you to open a file with a specific application, bypassing the default application.
const open = require('open');
open('path/to/file.txt', {app: {name: 'notepad'}});
Open files with application and arguments
This feature allows you to open a file with a specific application and pass command-line arguments to the application.
const open = require('open');
open('path/to/file', {app: {name: 'app-name', arguments: ['--arg1', '--arg2']}});
The 'opn' package was the predecessor to 'open' and has since been deprecated in favor of 'open'. It offered similar functionality to open resources with the default application or a specified one.
While 'execa' is more of a process execution tool than a direct alternative to 'open', it can be used to achieve similar results by running system commands to open files or URLs with specific applications.
The 'start' package is another alternative that can open files or URLs using the default application. It is less feature-rich compared to 'open' and is specific to Windows.
Open stuff like URLs, files, executables. Cross-platform.
This is meant to be used in command-line tools and scripts, not in the browser.
If you need this for Electron, use shell.openPath()
instead.
This package does not make any security guarantees. If you pass in untrusted input, it's up to you to properly sanitize it.
spawn
instead of exec
.node-open
issues.xdg-open
script for Linux.npm install open
Warning: This package is native ESM and no longer provides a CommonJS export. If your project uses CommonJS, you will have to convert to ESM or use the dynamic import()
function. Please don't open issues for questions regarding CommonJS / ESM.
import open, {openApp, apps} from 'open';
// Opens the image in the default image viewer and waits for the opened app to quit.
await open('unicorn.png', {wait: true});
console.log('The image viewer app quit');
// Opens the URL in the default browser.
await open('https://sindresorhus.com');
// Opens the URL in a specified browser.
await open('https://sindresorhus.com', {app: {name: 'firefox'}});
// Specify app arguments.
await open('https://sindresorhus.com', {app: {name: 'google chrome', arguments: ['--incognito']}});
// Opens the URL in the default browser in incognito mode.
await open('https://sindresorhus.com', {app: {name: apps.browserPrivate}});
// Open an app.
await openApp('xcode');
// Open an app with arguments.
await openApp(apps.chrome, {arguments: ['--incognito']});
It uses the command open
on macOS, start
on Windows and xdg-open
on other platforms.
Returns a promise for the spawned child process. You would normally not need to use this for anything, but it can be useful if you'd like to attach custom event listeners or perform other operations directly on the spawned process.
Type: string
The thing you want to open. Can be a URL, file, or executable.
Opens in the default app for the file type. For example, URLs opens in your default browser.
Type: object
Type: boolean
Default: false
Wait for the opened app to exit before fulfilling the promise. If false
it's fulfilled immediately when opening the app.
Note that it waits for the app to exit, not just for the window to close.
On Windows, you have to explicitly specify an app for it to be able to wait.
Type: boolean
Default: false
Do not bring the app to the foreground.
Type: boolean
Default: false
Open a new instance of the app even it's already running.
A new instance is always opened on other platforms.
Type: {name: string | string[], arguments?: string[]} | Array<{name: string | string[], arguments: string[]}>
Specify the name
of the app to open the target
with, and optionally, app arguments
. app
can be an array of apps to try to open and name
can be an array of app names to try. If each app fails, the last error will be thrown.
The app name is platform dependent. Don't hard code it in reusable modules. For example, Chrome is google chrome
on macOS, google-chrome
on Linux and chrome
on Windows. If possible, use apps
which auto-detects the correct binary to use.
You may also pass in the app's full path. For example on WSL, this can be /mnt/c/Program Files (x86)/Google/Chrome/Application/chrome.exe
for the Windows installation of Chrome.
The app arguments
are app dependent. Check the app's documentation for what arguments it accepts.
Type: boolean
Default: false
Allow the opened app to exit with nonzero exit code when the wait
option is true
.
We do not recommend setting this option. The convention for success is exit code zero.
Open an app.
Returns a promise for the spawned child process. You would normally not need to use this for anything, but it can be useful if you'd like to attach custom event listeners or perform other operations directly on the spawned process.
Type: string
The app name is platform dependent. Don't hard code it in reusable modules. For example, Chrome is google chrome
on macOS, google-chrome
on Linux and chrome
on Windows. If possible, use apps
which auto-detects the correct binary to use.
You may also pass in the app's full path. For example on WSL, this can be /mnt/c/Program Files (x86)/Google/Chrome/Application/chrome.exe
for the Windows installation of Chrome.
Type: object
Same options as open
except app
and with the following additions:
Type: string[]
Default: []
Arguments passed to the app.
These arguments are app dependent. Check the app's documentation for what arguments it accepts.
An object containing auto-detected binary names for common apps. Useful to work around cross-platform differences.
import open, {apps} from 'open';
await open('https://google.com', {
app: {
name: apps.chrome
}
});
browser
and browserPrivate
can also be used to access the user's default browser through default-browser
.
chrome
- Web browserfirefox
- Web browseredge
- Web browserbrowser
- Default web browserbrowserPrivate
- Default web browser in incognito modebrowser
and browserPrivate
only supports chrome
, firefox
, and edge
.
FAQs
Open stuff like URLs, files, executables. Cross-platform.
The npm package open receives a total of 24,830,503 weekly downloads. As such, open popularity was classified as popular.
We found that open demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.