Security News
The Hidden Blast Radius of the Axios Compromise
The Axios compromise shows how time-dependent dependency resolution makes exposure harder to detect and contain.
By Ahmad Nassri - Apr 01, 2026
New Research: Supply Chain Attack on Axios Pulls Malicious Dependency from npm.Details → →
pve-client
TypeScript-first API client for Proxmox VE.
It provides a typed API surface generated from the Proxmox spec, so endpoint paths, query/body fields, and return types are available through autocomplete.
Features
- Typed endpoint methods for Proxmox VE APIs
- Token auth and username/password login flow
- Automatic path/query/body handling
- Proxmox-style response unwrapping (
{ data: ... } -> data) - Works with Node.js fetch and supports custom HTTPS agents
Installation
npm install pve-client
Quick Start
Token Authentication (recommended)
import { Client } from "pve-client";
import { Agent } from "node:https";
const client = new Client({
baseUrl: "https://pve.example.com:8006",
apiToken: "PVEAPIToken=root@pam!mytoken=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
// only needed for self-signed certs
agent: new Agent({ rejectUnauthorized: false }),
});
const nodes = await client.api.nodes.list();
console.log(nodes);
Username/Password Authentication
import { Client } from "pve-client";
import { Agent } from "node:https";
const client = new Client({
baseUrl: "https://pve.example.com:8006",
username: "root",
password: "your-password",
realm: "pam", // optional, defaults to "pam"
agent: new Agent({ rejectUnauthorized: false }),
});
await client.login();
const nodes = await client.api.nodes.list();
console.log(nodes);
Using .env
PVE_BASE_URL=https://pve.example.com:8006
PVE_API_TOKEN=PVEAPIToken=root@pam!mytoken=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
import "dotenv/config";
import { Client } from "pve-client";
const client = new Client({
baseUrl: process.env.PVE_BASE_URL!,
apiToken: process.env.PVE_API_TOKEN!,
});
const nodes = await client.api.nodes.list();
console.log(nodes);
Common Calls
Get cluster overview and nodes
const cluster = await client.api.cluster.index();
const nodes = await client.api.nodes.list();
Path-based endpoints
const nodeStatus = await client.api.nodes.get("pve").status.get();
Endpoints with optional parameters
// no params required
const version = await client.api.version.version();
// optional query/body can still be passed
const pools = await client.api.pools.index({
$query: { type: "qemu" },
});
Request Argument Shape
Methods accept an object with optional special fields depending on endpoint:
$path: path parameters (usually handled by path helper methods like.get("node"))$query: query string parameters$body: request body (sent asapplication/x-www-form-urlencoded)$headers: additional request headers
Example:
await client.api.access.permissions({
$query: { path: "/", userid: "root@pam" },
});
Authentication Notes
apiTokenaccepts either:- full:
PVEAPIToken=user@realm!token=secret - shorthand:
user@realm!token=secret
- full:
- For username/password auth, call
await client.login()before other API calls. - For self-signed certificates, pass a custom
https.AgentwithrejectUnauthorized: false. - Some Proxmox functionalities are only accessible with username/password ticket auth (session + CSRF) and are not available to API tokens, even if token permissions are broad.
Terminal Example (Local TTY)
There is a runnable example that opens a VM terminal and binds it to your local terminal (stdin/stdout):
npm run example/terminal -- 100
Or set PVE_VMID in .env and run without CLI args:
npm run example/terminal
Example .env (username/password required for terminal helper):
PVE_BASE_URL=https://pve.example.com:8006
PVE_USERNAME=root
PVE_PASSWORD=your-password
PVE_REALM=pam
PVE_VMID=100
Controls:
Ctrl-]disconnects from the local bridge.- Terminal resize is forwarded automatically.
Live Tasks Example
There is also a terminal example that continuously displays cluster tasks:
npm run example/tasks
Optional .env values:
# required
PVE_BASE_URL=https://pve.example.com:8006
# auth: use token OR username/password
PVE_API_TOKEN=PVEAPIToken=root@pam!tokenid=secret
# or:
PVE_USERNAME=root
PVE_PASSWORD=your-password
PVE_REALM=pam
# optional polling interval (default 2000)
PVE_TASKS_POLL_INTERVAL_MS=2000
Error Handling
Non-2xx responses throw an Error including status and response text:
try {
await client.api.nodes.list();
} catch (error) {
console.error(error);
}
Development
npm run build
npm test
npm run test:coverage
npm run example/auth
npm run example/terminal -- 100
npm run example/tasks
Testing
This project uses Vitest in a Node environment.
npm testruns all testsnpm run test:coverageruns tests and generates coverage reports (text,json,html)
Current high-value suites cover:
Clientauthentication, request handling, events, and task pollingnative_fetchrequest construction, header/body behavior, and abort handlingTimerPulledEventEmitterpolling, filtering, dedupe, and error flows
License
Apache-2.0
FAQs
Proxmox Typescript API Client
We found that pve-client demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 25 Feb 2026
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
Supply Chain Attack on Axios Pulls Malicious Dependency from npm
A supply chain attack on Axios introduced a malicious dependency, plain-crypto-js@4.2.1, published minutes earlier and absent from the project’s GitHub releases.
By Socket Research Team - Mar 31, 2026
Research
TeamPCP Compromises Telnyx Python SDK to Deliver Credential-Stealing Malware
Malicious versions of the Telnyx Python SDK on PyPI delivered credential-stealing malware via a multi-stage supply chain attack.
By Socket Research Team - Mar 27, 2026