Security News
NVD Backlog Tops 20,000 CVEs Awaiting Analysis as NIST Prepares System Updates
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.
The 'open' npm package is a simple utility to open a file, URL, or executable in the default program associated with that file type on the user's operating system. It can be used to open resources in the default browser, editor, or any other program.
Open URLs in the default web browser
This feature allows you to open a URL in the user's default web browser.
const open = require('open');
open('https://www.example.com');
Open files in the default application
This feature allows you to open a file in the default application associated with its file type, such as a PDF in a PDF viewer.
const open = require('open');
open('path/to/file.pdf');
Open files with a specific application
This feature allows you to open a file with a specific application, bypassing the default application.
const open = require('open');
open('path/to/file.txt', {app: {name: 'notepad'}});
Open files with application and arguments
This feature allows you to open a file with a specific application and pass command-line arguments to the application.
const open = require('open');
open('path/to/file', {app: {name: 'app-name', arguments: ['--arg1', '--arg2']}});
The 'opn' package was the predecessor to 'open' and has since been deprecated in favor of 'open'. It offered similar functionality to open resources with the default application or a specified one.
While 'execa' is more of a process execution tool than a direct alternative to 'open', it can be used to achieve similar results by running system commands to open files or URLs with specific applications.
The 'start' package is another alternative that can open files or URLs using the default application. It is less feature-rich compared to 'open' and is specific to Windows.
Open stuff like URLs, files, executables. Cross-platform.
This is meant to be used in command-line tools and scripts, not in the browser.
If you need this for Electron, use shell.openPath()
instead.
Note: The original open
package was previously deprecated in favor of this package, and we got the name, so this package is now named open
instead of opn
. If you're upgrading from the original open
package (open@0.0.5
or lower), keep in mind that the API is different.
spawn
instead of exec
.node-open
issues.xdg-open
script for Linux.$ npm install open
const open = require('open');
(async () => {
// Opens the image in the default image viewer and waits for the opened app to quit.
await open('unicorn.png', {wait: true});
console.log('The image viewer app quit');
// Opens the URL in the default browser.
await open('https://sindresorhus.com');
// Opens the URL in a specified browser.
await open('https://sindresorhus.com', {app: 'firefox'});
// Specify app arguments.
await open('https://sindresorhus.com', {app: ['google chrome', '--incognito']});
})();
It uses the command open
on macOS, start
on Windows and xdg-open
on other platforms.
Returns a promise for the spawned child process. You would normally not need to use this for anything, but it can be useful if you'd like to attach custom event listeners or perform other operations directly on the spawned process.
Type: string
The thing you want to open. Can be a URL, file, or executable.
Opens in the default app for the file type. For example, URLs opens in your default browser.
Type: object
Type: boolean
Default: false
Wait for the opened app to exit before fulfilling the promise. If false
it's fulfilled immediately when opening the app.
Note that it waits for the app to exit, not just for the window to close.
On Windows, you have to explicitly specify an app for it to be able to wait.
Type: boolean
Default: false
Do not bring the app to the foreground.
Type: string | string[]
Specify the app to open the target
with, or an array with the app and app arguments.
The app name is platform dependent. Don't hard code it in reusable modules. For example, Chrome is google chrome
on macOS, google-chrome
on Linux and chrome
on Windows.
You may also pass in the app's full path. For example on WSL, this can be /mnt/c/Program Files (x86)/Google/Chrome/Application/chrome.exe
for the Windows installation of Chrome.
Type: boolean
Default: false
Uses URL
to encode the target before executing it.
We do not recommend using it on targets that are not URLs.
Especially useful when dealing with the double-quotes on Windows caveat.
Type: boolean
Default: false
Allow the opened app to exit with nonzero exit code when the wait
option is true
.
We do not recommend setting this option. The convention for success is exit code zero.
TL;DR: All double-quotes are stripped from the target
and do not get to your desired destination (on Windows!).
Due to specific behaviors of Window's Command Prompt (cmd.exe
) regarding ampersand (&
) characters breaking commands and URLs, double-quotes are now a special case.
The solution (#146) to this and other problems was to leverage the fact that cmd.exe
interprets a double-quoted argument as a plain text argument just by quoting it (like Node.js already does). Unfortunately, cmd.exe
can only do one of two things: handle them all OR not handle them at all. As per its own documentation:
If /C or /K is specified, then the remainder of the command line after the switch is processed as a command line, where the following logic is used to process quote (") characters:
- If all of the following conditions are met, then quote characters on the command line are preserved:
- no /S switch
- exactly two quote characters
- no special characters between the two quote characters, where special is one of: &<>()@^|
- there are one or more whitespace characters between the two quote characters
- the string between the two quote characters is the name of an executable file.
- Otherwise, old behavior is to see if the first character is a quote character and if so, strip the leading character and remove the last quote character on the command line, preserving any text after the last quote character.
The option that solved all of the problems was the second one, and for additional behavior consistency we're also now using the /S
switch, so we always get the second option. The caveat is that this built-in double-quotes handling ends up stripping all of them from the command line and so far we weren't able to find an escaping method that works (if you do, please feel free to contribute!).
To make this caveat somewhat less impactful (at least for URLs), check out the url option. Double-quotes will be "preserved" when using it with an URL.
FAQs
Open stuff like URLs, files, executables. Cross-platform.
The npm package open receives a total of 24,457,741 weekly downloads. As such, open popularity was classified as popular.
We found that open demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.
Security News
PyPI now supports digital attestations, enhancing security and trust by allowing package maintainers to verify the authenticity of Python packages.