Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
The 'ow' npm package is a powerful and expressive validation library for Node.js. It allows developers to validate arguments and inputs in a concise and readable manner. 'ow' provides a variety of built-in validators and supports custom validation logic, making it a versatile tool for ensuring data integrity in applications.
Basic Type Validation
This feature allows you to validate the type of a variable. In this example, the function `validateString` checks if the input is a string. If the input is not a string, an error is thrown.
const ow = require('ow');
const validateString = (input) => {
ow(input, ow.string);
};
validateString('Hello, World!'); // Passes
validateString(123); // Throws an error
Complex Object Validation
This feature allows you to validate the shape and properties of an object. In this example, the function `validateUser` checks if the user object has a `name` property that is a string with a minimum length of 3 and an `age` property that is a positive integer.
const ow = require('ow');
const validateUser = (user) => {
ow(user, ow.object.exactShape({
name: ow.string.minLength(3),
age: ow.number.integer.positive
}));
};
validateUser({ name: 'Alice', age: 25 }); // Passes
validateUser({ name: 'Al', age: -5 }); // Throws an error
Custom Validation
This feature allows you to create custom validation logic. In this example, the function `validateEvenNumber` checks if the input is an even number. If the input is not an even number, an error is thrown with a custom message.
const ow = require('ow');
const validateEvenNumber = (input) => {
ow(input, ow.number.validate(n => ({
validator: n % 2 === 0,
message: 'Expected an even number'
})));
};
validateEvenNumber(4); // Passes
validateEvenNumber(3); // Throws an error
Joi is a powerful schema description language and data validator for JavaScript. It allows you to create blueprints or schemas for JavaScript objects to ensure validation of key information. Compared to 'ow', Joi offers a more extensive API and is widely used in the industry for complex validation tasks.
Yup is a JavaScript schema builder for value parsing and validation. It is similar to Joi but is often preferred for its simplicity and ease of use, especially in React applications. Yup provides a fluent API for object schema validation and is highly customizable.
Validator is a library of string validators and sanitizers. It is less comprehensive than 'ow' but is highly efficient for validating and sanitizing strings. Validator is often used for simple validation tasks such as checking email formats, URLs, and other string-based validations.
Function argument validation for humans
For schema validation, I recommend zod
.
npm install ow
import ow from 'ow';
const unicorn = input => {
ow(input, ow.string.minLength(5));
// …
};
unicorn(3);
//=> ArgumentError: Expected `input` to be of type `string` but received type `number`
unicorn('yo');
//=> ArgumentError: Expected string `input` to have a minimum length of `5`, got `yo`
We can also match the shape of an object.
import ow from 'ow';
const unicorn = {
rainbow: '🌈',
stars: {
value: '🌟'
}
};
ow(unicorn, ow.object.exactShape({
rainbow: ow.string,
stars: {
value: ow.number
}
}));
//=> ArgumentError: Expected property `stars.value` to be of type `number` but received type `string` in object `unicorn`
Note: If you intend on using ow
for development purposes only, use import ow from 'ow/dev-only'
instead of the usual import ow from 'ow'
, and run the bundler with NODE_ENV
set to production
(e.g. $ NODE_ENV="production" parcel build index.js
). This will make ow
automatically export a shim when running in production, which should result in a significantly lower bundle size.
Ow includes TypeScript type guards, so using it will narrow the type of previously-unknown values.
function (input: unknown) {
input.slice(0, 3) // Error, Property 'slice' does not exist on type 'unknown'
ow(input, ow.string)
input.slice(0, 3) // OK
}
Test if value
matches the provided predicate
. Throws an ArgumentError
if the test fails.
Test if value
matches the provided predicate
. Throws an ArgumentError
with the specified label
if the test fails.
The label
is automatically inferred in Node.js but you can override it by passing in a value for label
. The automatic label inference doesn't work in the browser.
Returns true
if the value matches the predicate, otherwise returns false
.
Create a reusable validator.
const checkPassword = ow.create(ow.string.minLength(6));
const password = 'foo';
checkPassword(password);
//=> ArgumentError: Expected string `password` to have a minimum length of `6`, got `foo`
Create a reusable validator with a specific label
.
const checkPassword = ow.create('password', ow.string.minLength(6));
checkPassword('foo');
//=> ArgumentError: Expected string `password` to have a minimum length of `6`, got `foo`
Returns a predicate that verifies if the value matches at least one of the given predicates.
ow('foo', ow.any(ow.string.maxLength(3), ow.number));
Makes the predicate optional. An optional predicate means that it doesn't fail if the value is undefined
.
ow(1, ow.optional.number);
ow(undefined, ow.optional.number);
All the below types return a predicate. Every predicate has some extra operators that you can use to test the value even more fine-grained.
undefined
null
string
number
boolean
symbol
array
function
buffer
object
regExp
date
error
promise
map
set
weakMap
weakSet
int8Array
uint8Array
uint8ClampedArray
int16Array
uint16Array
int32Array
uint32Array
float32Array
float64Array
arrayBuffer
dataView
sharedArrayBuffer
nan
nullOrUndefined
iterable
typedArray
The following predicates are available on every type.
Inverts the following predicate.
ow(1, ow.number.not.infinite);
ow('', ow.string.not.empty);
//=> ArgumentError: Expected string to not be empty, got ``
Use a custom validation function. Return true
if the value matches the validation, return false
if it doesn't.
ow(1, ow.number.is(x => x < 10));
ow(1, ow.number.is(x => x > 10));
//=> ArgumentError: Expected `1` to pass custom validation function
Instead of returning false
, you can also return a custom error message which results in a failure.
const greaterThan = (max: number, x: number) => {
return x > max || `Expected \`${x}\` to be greater than \`${max}\``;
};
ow(5, ow.number.is(x => greaterThan(10, x)));
//=> ArgumentError: Expected `5` to be greater than `10`
Use a custom validation object. The difference with is
is that the function should return a validation object, which allows more flexibility.
ow(1, ow.number.validate(value => ({
validator: value > 10,
message: `Expected value to be greater than 10, got ${value}`
})));
//=> ArgumentError: (number) Expected value to be greater than 10, got 1
You can also pass in a function as message
value which accepts the label as argument.
ow(1, 'input', ow.number.validate(value => ({
validator: value > 10,
message: label => `Expected ${label} to be greater than 10, got ${value}`
})));
//=> ArgumentError: Expected number `input` to be greater than 10, got 1
Provide a custom message:
ow('🌈', 'unicorn', ow.string.equals('🦄').message('Expected unicorn, got rainbow'));
//=> ArgumentError: Expected unicorn, got rainbow
You can also pass in a function which receives the value as the first parameter and the label as the second parameter and is expected to return the message.
ow('🌈', ow.string.minLength(5).message((value, label) => `Expected ${label}, to have a minimum length of 5, got \`${value}\``));
//=> ArgumentError: Expected string, to be have a minimum length of 5, got `🌈`
It's also possible to add a separate message per validation:
ow(
'1234',
ow.string
.minLength(5).message((value, label) => `Expected ${label}, to be have a minimum length of 5, got \`${value}\``)
.url.message('This is no url')
);
//=> ArgumentError: Expected string, to be have a minimum length of 5, got `1234`
ow(
'12345',
ow.string
.minLength(5).message((value, label) => `Expected ${label}, to be have a minimum length of 5, got \`${value}\``)
.url.message('This is no url')
);
//=> ArgumentError: This is no url
This can be useful for creating your own reusable validators which can be extracted to a separate npm package.
Requires TypeScript 4.7 or later.
Ow includes a type utility that lets you to extract a TypeScript type from the given predicate.
import ow, {Infer} from 'ow';
const userPredicate = ow.object.exactShape({
name: ow.string
});
type User = Infer<typeof userPredicate>;
FAQs
Function argument validation for humans
The npm package ow receives a total of 507,648 weekly downloads. As such, ow popularity was classified as popular.
We found that ow demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.