Research
Security News
Kill Switch Hidden in npm Packages Typosquatting Chalk and Chokidar
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
PEG.js is a simple parser generator for JavaScript that produces fast parsers with excellent error reporting. It allows you to define a grammar in a simple syntax and then generates a parser for that grammar.
Grammar Definition
This feature allows you to define a grammar using PEG.js syntax. The example demonstrates a simple arithmetic expression parser that can handle addition and multiplication.
const peg = require('pegjs');
const grammar = `
start = expression
expression = term ('+' term)*
term = factor ('*' factor)*
factor = number / '(' expression ')'
number = [0-9]+ { return parseInt(text(), 10); }
`;
const parser = peg.generate(grammar);
const result = parser.parse('2*(3+4)');
console.log(result); // Outputs: 14
Custom Error Messages
PEG.js provides excellent error reporting. This example shows how PEG.js can generate custom error messages when the input does not conform to the defined grammar.
const peg = require('pegjs');
const grammar = `
start = expression
expression = term ('+' term)*
term = factor ('*' factor)*
factor = number / '(' expression ')'
number = [0-9]+ { return parseInt(text(), 10); }
`;
const parser = peg.generate(grammar, { output: 'source', format: 'commonjs' });
try {
parser.parse('2*(3+)');
} catch (e) {
console.log(e.message); // Outputs: Expected "(", number, or whitespace but ")" found.
}
Semantic Actions
Semantic actions allow you to specify what should happen when a rule matches. This example demonstrates how to add two numbers together when the '+' operator is encountered.
const peg = require('pegjs');
const grammar = `
start = expression
expression = left:term '+' right:term { return left + right; }
term = number
number = [0-9]+ { return parseInt(text(), 10); }
`;
const parser = peg.generate(grammar);
const result = parser.parse('3+4');
console.log(result); // Outputs: 7
Nearley is a powerful and flexible parser generator for JavaScript. It supports a wider range of grammars compared to PEG.js and can handle more complex parsing tasks. Nearley uses Earley parsing algorithm which is more powerful but can be slower than PEG.js for certain grammars.
ANTLR (Another Tool for Language Recognition) is a powerful parser generator that can be used to read, process, execute, or translate structured text or binary files. It is more feature-rich and supports multiple target languages, but it has a steeper learning curve compared to PEG.js.
Jison is a parser generator that converts a context-free grammar into a JavaScript parser. It is similar to PEG.js but uses a different parsing algorithm (LALR(1)). Jison is more suitable for traditional compiler construction tasks.
PEG.js is a simple parser generator for JavaScript that produces fast parsers with excellent error reporting. You can use it to process complex data or computer languages and build transformers, interpreters, compilers and other tools easily.
PEG.js is still very much work in progress. There are no compatibility guarantees until version 1.0
Online version is the easiest way to generate a parser. Just enter your grammar, try parsing few inputs, and download generated parser code.
To use the pegjs
command, install PEG.js globally:
$ npm install -g pegjs
To use the JavaScript API, install PEG.js locally:
$ npm install pegjs
If you need both the pegjs
command and the JavaScript API, install PEG.js both
ways.
Download the PEG.js library (regular or minified version) or install it using Bower:
$ bower install pegjs
To use the latest features, fixes and changes of PEG.js, install the packaged dev release:
$ npm install pegjs@dev
Alternatively, you can directly install from the repository (larger then the packaged dev release):
$ npm install pegjs/pegjs#master
PEG.js generates parser from a grammar that describes expected input and can specify what the parser returns (using semantic actions on matched parts of the input). Generated parser itself is a JavaScript object with a simple API.
To generate a parser from your grammar, use the pegjs
command:
$ pegjs arithmetics.pegjs
This writes parser source code into a file with the same name as the grammar file but with “.js” extension. You can also specify the output file explicitly:
$ pegjs -o arithmetics-parser.js arithmetics.pegjs
If you omit both input and output file, standard input and output are used.
By default, the generated parser is in the Node.js module format. You can
override this using the --format
option.
You can tweak the generated parser with several options:
-a
, --allowed-start-rules
— comma-separated list of rules the parser will be allowed to start parsing from (default: the first rule in the grammar)--cache
— makes the parser cache results, avoiding exponential parsing time in pathological cases but making the parser slower-d
, --dependency
— makes the parser require a specified dependency (can be specified multiple times)-e
, --export-var
— name of a global variable into which the parser object is assigned to when no module loader is detected--extra-options
— additional options (in JSON format) to pass to peg.generate
-c
, --config
, --extra-options-file
— file with additional options (in JSON format) to pass to peg.generate
-f
, --format
— format of the generated parser: amd
, bare
, commonjs
, es
, globals
, umd
(default: commonjs
)-O
, --optimize
— selects between optimizing the generated parser for parsing speed (speed
) or code size (size
) (default: speed
)-p
, --plugin
— makes PEG.js use a specified plugin (can be specified multiple times)--trace
— makes the parser trace its progressNOTE: On the command line, unless it's a repeatable option, any option on the right side will take priority over either the same option mentioned before or it's counter part:
pegjs -f es -f bare
will set options.format
to bare
pegjs --no-trace --trace
will set options.trace
to true
pegjs -a start,Rule -a Rule,Template
will set options.allowedStartRules
to [ "start", "Rule", "Template" ]
In Node.js, require the PEG.js parser generator module:
var peg = require("pegjs");
In browser, include the PEG.js library in your web page or application using the
<script>
tag. If PEG.js detects an AMD loader, it will define itself as a
module, otherwise the API will be available in the peg
global object.
To generate a parser, call the peg.generate
method and pass your grammar as a
parameter:
var parser = peg.generate("start = ('a' / 'b')+");
The method will return generated parser object or its source code as a string
(depending on the value of the output
option — see below). It will throw an
exception if the grammar is invalid. The exception will contain message
property with more details about the error.
You can tweak the generated parser by passing a second parameter with an options
object to peg.generate
. The following options are supported:
allowedStartRules
— rules the parser will be allowed to start parsing from (default: the first rule in the grammar)cache
— if true
, makes the parser cache results, avoiding exponential parsing time in pathological cases but making the parser slower (default: false
)dependencies
— parser dependencies, the value is an object which maps variables used to access the dependencies to module IDs used to load them;format
is set to "amd"
, "commonjs"
, "es"
, or "umd"
(default: {}
)exportVar
— name of an optional global variable into which the parser object is assigned to when no module loader is detected;
valid only when format
is set to "globals"
or "umd"
format
— format of the generated parser ("amd"
, "bare"
, "commonjs"
, "es"
, "globals"
, or "umd"
);
valid only when output
is set to "source"
(default: "bare"
)header
— this option is only handled if it's an array or a string:
[ string1, string2, ... ]
will add each element (all expected to be strings) as a separate line commentstring
will simply append the string (e.g. "/* eslint-disable */"
) after the Generated by ...
commentoptimize
— selects between optimizing the generated parser for parsing speed ("speed"
) or code size ("size"
) (default: "speed"
)output
— if set to "parser"
(default), the method will return generated parser object;
if set to "source"
, it will return parser source code as a stringplugins
— plugins to usetrace
— makes the parser trace its progress (default: false
)Using the generated parser is simple — just call its parse
method and pass an
input string as a parameter. The method will return a parse result (the exact
value depends on the grammar used to generate the parser) or throw an exception
if the input is invalid. The exception will contain location
, expected
,
found
, and message
properties with more details about the error.
parser.parse("abba"); // returns ["a", "b", "b", "a"]
parser.parse("abcd"); // throws an exception
You can tweak parser behavior by passing a second parameter with an options
object to the parse
method. The following options are supported:
startRule
— name of the rule to start parsing fromtracer
— tracer to useParsers can also support their own custom options.
The grammar syntax is similar to JavaScript in that it is not line-oriented and
ignores whitespace between tokens. You can also use JavaScript-style comments
(// ...
and /* ... */
).
Let's look at example grammar that recognizes simple arithmetic expressions like
2*(3+4)
. A parser generated from this grammar computes their values.
start
= additive
additive
= left:multiplicative "+" right:additive { return left + right; }
/ multiplicative
multiplicative
= left:primary "*" right:multiplicative { return left * right; }
/ primary
primary
= integer
/ "(" additive:additive ")" { return additive; }
integer "integer"
= digits:[0-9]+ { return parseInt(digits.join(""), 10); }
On the top level, the grammar consists of rules (in our example, there are
five of them). Each rule has a name (e.g. integer
) that identifies the rule,
and a parsing expression (e.g. digits:[0-9]+ { return parseInt(digits.join(""), 10); }
) that defines a pattern to match against the
input text and possibly contains some JavaScript code that determines what
happens when the pattern matches successfully. A rule can also contain
human-readable name that is used in error messages (in our example, only the
integer
rule has a human-readable name). The parsing starts at the first rule,
which is also called the start rule.
A rule name must be a JavaScript identifier. It is followed by an equality sign (“=”) and a parsing expression. If the rule has a human-readable name, it is written as a JavaScript string between the name and separating equality sign. Rules need to be separated only by whitespace (their beginning is easily recognizable), but a semicolon (“;”) after the parsing expression is allowed.
The first rule can be preceded by an initializer — a piece of JavaScript code
in curly braces (“{” and “}”). This code is executed before the generated parser
starts parsing. All variables and functions defined in the initializer are
accessible in rule actions and semantic predicates. The code inside the
initializer can access options passed to the parser using the options
variable. Curly braces in the initializer code must be balanced.
Let's look at the example grammar from above using a simple initializer.
{
function makeInteger(o) {
return parseInt(o.join(""), 10);
}
}
start
= additive
additive
= left:multiplicative "+" right:additive { return left + right; }
/ multiplicative
multiplicative
= left:primary "*" right:multiplicative { return left * right; }
/ primary
primary
= integer
/ "(" additive:additive ")" { return additive; }
integer "integer"
= digits:[0-9]+ { return makeInteger(digits); }
The parsing expressions of the rules are used to match the input text to the grammar. There are various types of expressions — matching characters or character classes, indicating optional parts and repetition, etc. Expressions can also contain references to other rules. See detailed description below.
If an expression successfully matches a part of the text when running the generated parser, it produces a match result, which is a JavaScript value. For example:
The match results propagate through the rules when the rule names are used in expressions, up to the start rule. The generated parser returns start rule's match result when parsing is successful.
One special case of parser expression is a parser action — a piece of JavaScript code inside curly braces (“{” and “}”) that takes match results of some of the the preceding expressions and returns a JavaScript value. This value is considered match result of the preceding expression (in other words, the parser action is a match result transformer).
In our arithmetics example, there are many parser actions. Consider the action
in expression digits:[0-9]+ { return parseInt(digits.join(""), 10); }
. It
takes the match result of the expression [0-9]+, which is an array of strings
containing digits, as its parameter. It joins the digits together to form a
number and converts it to a JavaScript number
object.
Appending i
right after either a literal or a a character set makes the match
case-insensitive. The rules shown in the following example all produce the same result:
a1 = "a" / "b" / "c" / "A" / "B" / "C"
a2 = "a"i / "b"i / "c"i
a3 = [a-cA-C]
a4 = [a-c]i
Unlike in regular expressions, there is no backtracking in PEG.js expressions.
For example, using the input "hi!":
// This will fail
HI = "hi" / "hi!"
// This will pass
HI = "hi!" / "hi"
// This will also pass
HI = w:"hi" !"!" { return w } / "hi!"
For more information on backtracking in PEG, checkout this excellent answer on Stack Overflow.
There are several types of parsing expressions, some of them containing subexpressions and thus forming a recursive structure:
Match exact literal string and return it. The string syntax is the same as in
JavaScript. Appending i
right after the literal makes the match
case-insensitive.
Match exactly one character and return it as a string.
Match one character from a set and return it as a string. The characters in the
list can be escaped in exactly the same way as in JavaScript string. The list of
characters can also contain ranges (e.g. [a-z]
means “all lowercase letters”).
Preceding the characters with ^
inverts the matched set (e.g. [^a-z]
means
“all character but lowercase letters”). Appending i
right after the right
bracket makes the match case-insensitive.
Match a parsing expression of a rule recursively and return its match result.
Match a subexpression and return its match result.
Match zero or more repetitions of the expression and return their match results in an array. The matching is greedy, i.e. the parser tries to match the expression as many times as possible. Unlike in regular expressions, there is no backtracking.
Match one or more repetitions of the expression and return their match results in an array. The matching is greedy, i.e. the parser tries to match the expression as many times as possible. Unlike in regular expressions, there is no backtracking.
Try to match the expression. If the match succeeds, return its match result,
otherwise return null
. Unlike in regular expressions, there is no
backtracking.
Try to match the expression. If the match succeeds, just return undefined
and
do not consume any input, otherwise consider the match failed.
Try to match the expression. If the match does not succeed, just return
undefined
and do not consume any input, otherwise consider the match failed.
This is a positive assertion. No input is consumed.
The predicate should be JavaScript code, and it's executed as a function. Curly braces in the predicate must be balanced.
The predicate should return
a boolean value. If the result is
truthy, the match result is undefined
, otherwise the match is
considered failed.
The predicate has access to all variables and functions in the Action Execution Environment.
This is a negative assertion. No input is consumed.
The predicate should be JavaScript code, and it's executed as a function. Curly braces in the predicate must be balanced.
The predicate should return
a boolean value. If the result is
falsy, the match result is undefined
, otherwise the match is
considered failed.
The predicate has access to all variables and functions in the Action Execution Environment.
Try to match the expression. If the match succeeds, return the matched text instead of the match result.
Match the expression and remember its match result under given label. The label must be a JavaScript identifier.
Labeled expressions are useful together with actions, where saved match results can be accessed by action's JavaScript code.
Match a sequence of expressions and return their match results in an array.
If the expression matches successfully, run the action, otherwise consider the match failed.
The action should be JavaScript code, and it's executed as a function. Curly braces in the action must be balanced.
The action should return
some value, which will be used as the
match result of the expression.
The action has access to all variables and functions in the Action Execution Environment.
Try to match the first expression, if it does not succeed, try the second one, etc. Return the match result of the first successfully matched expression. If no expression matches, consider the match failed.
Actions and predicates have these variables and functions available to them.
All variables and functions defined in the initializer at the beginning of the grammar are available.
Labels from preceding expressions are available as local variables, which will have the match result of the labelled expressions.
A label is only available after its labelled expression is matched:
rule = A:('a' B:'b' { /* B is available, A is not */ } )
A label in a sub-expression is only valid within the sub-expression:
rule = A:'a' (B: 'b') (C: 'b' { /* A and C are available, B is not */ })
options
is a variable that contains the parser options.
error(message, where)
will report an error and throw an
exception. where
is optional; the default is the value of
location()
.
expected(message, where)
is similar to error
, but reports
Expected message but "other" found.
location()
returns an object like this:
{
start: { offset: 23, line: 5, column: 6 },
end: { offset: 25, line: 5, column: 8 }
}
For actions, start
refers to the position at the beginning of
the preceding expression, and end
refers to the position
after the end of the preceding expression.
For predicates, start
and end
are the same, the location
where the predicate is evaluated.
offset
is a 0-based character index within the source text.
line
and column
are 1-based indices.
Note that line
and column
are somewhat expensive to
compute, so if you need location frequently, you might want to
use offset()
or range()
instead.
offset()
returns the start offset.
range()
returns an array containing the start and end
offsets, such as [23, 25]
.
text()
returns the source text between start
and end
(which will be "" for predicates).
Code fragments such as actions and predicates must have balanced curly braces, because pegjs doesn't parse the contents. It only looks at balanced braces to find the end of the code fragment.
If your code fragment needs an unbalanced brace in a string literal, you can balance it in a comment. For example:
brace = [{}] {
return text() === "{" ? 1 : -1; // } for balance
}
As described above, you can annotate your grammar rules with human-readable names that will be used in error messages. For example, this production:
integer "integer"
= digits:[0-9]+
will produce an error message like:
Expected integer but "a" found.
when parsing a non-number, referencing the human-readable name "integer." Without the human-readable name, PEG.js instead uses a description of the character class that failed to match:
Expected [0-9] but "a" found.
Aside from the text content of messages, human-readable names also have a subtler effect on where errors are reported. PEG.js prefers to match named rules completely or not at all, but not partially. Unnamed rules, on the other hand, can produce an error in the middle of their subexpressions.
For example, for this rule matching a comma-separated list of integers:
seq
= integer ("," integer)*
an input like 1,2,a
produces this error message:
Expected integer but "a" found.
But if we add a human-readable name to the seq
production:
seq "list of numbers"
= integer ("," integer)*
then PEG.js prefers an error message that implies a smaller attempted parse tree:
Expected end of input but "," found.
Both the parser generator and generated parsers should run well in the following environments:
PEG.js is currently maintained by Futago-za Ryuu. Since it's inception in 2010, PEG.js was maintained by David Majda (@dmajda), until May 2017.
The Bower package is maintained by Michel Krämer (@michelkraemer).
You are welcome to contribute code using GitHub pull requests. Unless your contribution is really trivial you should get in touch with me first (preferably by creating a new issue on the issue tracker) - this can prevent wasted effort on both sides.
Before submitting a pull request, please make sure you've checked out the Contribution Guidelines.
npm install
from the root of your clonegulp lint
or npm run lint
)It's also a good idea to check out the gulpfile.js that defines various tasks that are commented with a description of each task.
To see the list of contributors check out the repository's contributors page.
FAQs
Parser generator for JavaScript
We found that pegjs demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
Security News
pnpm 10 blocks lifecycle scripts by default to improve security, addressing supply chain attack risks but sparking debate over compatibility and workflow changes.
Product
Socket now supports uv.lock files to ensure consistent, secure dependency resolution for Python projects and enhance supply chain security.