The npm package 'redis' is a Node.js client for Redis, a fast, open-source, in-memory key-value data store for use as a database, cache, message broker, and queue. The package allows Node.js applications to interact with Redis servers using an asynchronous, event-driven model.
Connecting to Redis
This code sample demonstrates how to connect to a Redis server using the redis npm package. It requires the package, creates a client, and listens for the 'connect' event to confirm the connection.
const redis = require('redis');
const client = redis.createClient();
client.on('connect', function() {
  console.log('Connected to Redis');
});
Setting and Getting Data
This code sample shows how to set a key-value pair in Redis and then retrieve the value associated with a key. The 'redis.print' callback is used to output the result of the 'set' operation.
client.set('key', 'value', redis.print);
client.get('key', function(err, reply) {
  console.log(reply); // prints 'value'
});
Working with Lists
This code sample illustrates how to work with Redis lists by pushing values to the end of a list and then retrieving the entire list.
client.rpush(['list', 'value1', 'value2'], redis.print);
client.lrange('list', 0, -1, function(err, reply) {
  console.log(reply); // prints ['value1', 'value2']
});
Publish/Subscribe
This code sample demonstrates the publish/subscribe capabilities of Redis. It creates a subscriber client that listens for messages on a channel and a publisher client that publishes a message to that channel.
const subscriber = redis.createClient();
const publisher = redis.createClient();
subscriber.on('message', function(channel, message) {
  console.log('Message: ' + message + ' on channel: ' + channel);
});
subscriber.subscribe('notification');
publisher.publish('notification', 'Hello, World!');
Transactions
This code sample shows how to use Redis transactions to execute multiple commands atomically using the 'multi' and 'exec' methods.
client.multi()
  .set('key', 'value')
  .incr('counter')
  .exec(function(err, replies) {
    console.log(replies); // prints results of all commands
  });
ioredis is a robust, performance-focused, and full-featured Redis client for Node.js. It supports Redis Cluster, Sentinel, pipelining, Lua scripting, and more. Compared to the 'redis' package, ioredis offers a more modern interface with Promises support and better performance for certain operations.
node-redis is another Redis client for Node.js that is designed to be easy to use. It may not have as many features as 'redis' or 'ioredis', but it provides a straightforward way to interact with Redis servers for simple use cases.
redis-mock is a library that simulates a Redis server for testing purposes. It implements most of the Redis commands and can be used as a drop-in replacement for the 'redis' package during testing, without the need for an actual Redis server.
node-redis is a modern, high performance Redis client for Node.js.
Learn for free at Redis University
Build faster with the Redis Launchpad
Name | Description |
---|---|
redis | |
@redis/client | |
@redis/bloom | Redis Bloom commands |
@redis/graph | Redis Graph commands |
@redis/json | Redis JSON commands |
@redis/search | RediSearch commands |
@redis/time-series | Redis Time-Series commands |
:warning: In version 4.1.0 we moved our subpackages from @node-redis to @redis. If you're just using npm install redis, you don't need to do anything; it'll upgrade automatically. If you're using the subpackages directly, you'll need to point to the new scope (e.g. @redis/client instead of @node-redis/client).
Start a Redis server via Docker:
docker run -p 6379:6379 -it redis/redis-stack-server:latest
To install node-redis, simply:
npm install redis
:warning: The new interface is clean and cool, but if you have an existing codebase, you'll want to read the migration guide.
Looking for a high-level library to handle object mapping? See redis-om-node!
import { createClient } from 'redis';
const client = await createClient()
  .on('error', err => console.log('Redis Client Error', err))
  .connect();
await client.set('key', 'value');
const value = await client.get('key');
await client.disconnect();
The above code connects to localhost on port 6379. To connect to a different host or port, use a connection string in the format redis[s]://[[username][:password]@][host][:port][/db-number]:
createClient({
  url: 'redis://alice:foobared@awesome.redis.server:6380'
});
You can also use discrete parameters, UNIX sockets, and even TLS to connect. Details can be found in the client configuration guide.
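The sample URL above carries a password over redis://, the scheme without TLS. The following is an added example, not code from the node-redis project: it checks a connection string in the format shown above for cleartext credentials and produces a copy that is safe to log. The name auditRedisUrl, the finding labels, and the sample URLs are assumptions made for illustration.

```javascript
// Added example: auditRedisUrl and its finding labels are hypothetical,
// not part of node-redis. The sample URLs below are constructed.
const LOOPBACK = ['localhost', '127.0.0.1', '[::1]'];

function auditRedisUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return { ok: false, redacted: '<unparseable>', findings: ['invalid-url'] };
  }
  if (u.protocol !== 'redis:' && u.protocol !== 'rediss:') {
    return { ok: false, redacted: '<unsupported>', findings: ['unsupported-scheme'] };
  }
  const tls = u.protocol === 'rediss:'; // the "s" in redis[s]:// selects TLS
  const hasPassword = u.password !== '';
  const findings = [];
  // Without TLS, the password and every command cross the network in cleartext.
  if (!tls && !LOOPBACK.includes(u.hostname.toLowerCase())) {
    findings.push(hasPassword ? 'cleartext-credentials' : 'plaintext-remote');
  }
  // Rebuild the URL with the password masked so it can be written to logs.
  const auth = (u.username || hasPassword)
    ? `${u.username}${hasPassword ? ':***' : ''}@`
    : '';
  const redacted = `${u.protocol}//${auth}${u.host}${u.pathname}`;
  return { ok: findings.length === 0, redacted, findings };
}

// Constructed inputs: the page's sample URL, its TLS form, and a local server.
for (const url of [
  'redis://alice:foobared@awesome.redis.server:6380',
  'rediss://alice:foobared@awesome.redis.server:6380',
  'redis://localhost:6379',
]) {
  console.log(auditRedisUrl(url));
}
```

Log the redacted value rather than the raw URL, and treat any finding as a reason to switch to rediss:// before passing the URL to createClient.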
To check if the client is connected and ready to send commands, use client.isReady, which returns a boolean. client.isOpen is also available. This returns true when the client's underlying socket is open, and false when it isn't (for example when the client is still connecting or reconnecting after a network error).
There is built-in support for all of the out-of-the-box Redis commands. They are exposed using the raw Redis command names (HSET, HGETALL, etc.) and a friendlier camel-cased version (hSet, hGetAll, etc.):
// raw Redis commands
await client.HSET('key', 'field', 'value');
await client.HGETALL('key');
// friendly JavaScript commands
await client.hSet('key', 'field', 'value');
await client.hGetAll('key');
Modifiers to commands are specified using a JavaScript object:
await client.set('key', 'value', {
  EX: 10,
  NX: true
});
Replies will be transformed into useful data structures:
await client.hGetAll('key'); // { field1: 'value1', field2: 'value2' }
await client.hVals('key'); // ['value1', 'value2']
Buffers are supported as well:
await client.hSet('key', 'field', Buffer.from('value')); // 'OK'
await client.hGetAll(
  commandOptions({ returnBuffers: true }),
  'key'
); // { field: <Buffer 76 61 6c 75 65> }
If you want to run commands and/or use arguments that Node Redis doesn't know about (yet!) use .sendCommand():
await client.sendCommand(['SET', 'key', 'value', 'NX']); // 'OK'
await client.sendCommand(['HGETALL', 'key']); // ['key1', 'field1', 'key2', 'field2']
Start a transaction by calling .multi(), then chaining your commands. When you're done, call .exec() and you'll get an array back with your results:
await client.set('another-key', 'another-value');
const [setKeyReply, otherKeyValue] = await client
  .multi()
  .set('key', 'value')
  .get('another-key')
  .exec(); // ['OK', 'another-value']
You can also watch keys by calling .watch(). Your transaction will abort if any of the watched keys change.
To dig deeper into transactions, check out the Isolated Execution Guide.
Any command can be run on a new connection by specifying the isolated option. The newly created connection is closed when the command's Promise is fulfilled.
This pattern works especially well for blocking commands such as BLPOP and BLMOVE:
import { commandOptions } from 'redis';
const blPopPromise = client.blPop(
  commandOptions({ isolated: true }),
  'key',
  0
);
await client.lPush('key', ['1', '2']);
await blPopPromise; // '2'
To learn more about isolated execution, check out the guide.
See the Pub/Sub overview.
SCAN results can be looped over using async iterators:
for await (const key of client.scanIterator()) {
  // use the key!
  await client.get(key);
}
This works with HSCAN, SSCAN, and ZSCAN too:
for await (const { field, value } of client.hScanIterator('hash')) {}
for await (const member of client.sScanIterator('set')) {}
for await (const { score, value } of client.zScanIterator('sorted-set')) {}
You can override the default options by providing a configuration object:
client.scanIterator({
  TYPE: 'string', // `SCAN` only
  MATCH: 'patter*',
  COUNT: 100
});
Redis provides a programming interface allowing code execution on the Redis server.
The following example retrieves a key in Redis, returning the value of the key, incremented by an integer. For example, if your key foo has the value 17 and we run add('foo', 25), it returns the answer to Life, the Universe and Everything.
#!lua name=library
redis.register_function {
  function_name = 'add',
  callback = function(keys, args) return redis.call('GET', keys[1]) + args[1] end,
  flags = { 'no-writes' }
}
Here is the same example, but in a format that can be pasted into the redis-cli.
FUNCTION LOAD "#!lua name=library\nredis.register_function{function_name=\"add\", callback=function(keys, args) return redis.call('GET', keys[1])+args[1] end, flags={\"no-writes\"}}"
Load the prior redis function on the redis server before running the example below.
import { createClient } from 'redis';
const client = createClient({
  functions: {
    library: {
      add: {
        NUMBER_OF_KEYS: 1,
        transformArguments(key: string, toAdd: number): Array<string> {
          return [key, toAdd.toString()];
        },
        transformReply(reply: number): number {
          return reply;
        }
      }
    }
  }
});
await client.connect();
await client.set('key', '1');
await client.library.add('key', 2); // 3
The following is an end-to-end example of the prior concept.
import { createClient, defineScript } from 'redis';
const client = createClient({
  scripts: {
    add: defineScript({
      NUMBER_OF_KEYS: 1,
      SCRIPT:
        'return redis.call("GET", KEYS[1]) + ARGV[1];',
      transformArguments(key: string, toAdd: number): Array<string> {
        return [key, toAdd.toString()];
      },
      transformReply(reply: number): number {
        return reply;
      }
    })
  }
});
await client.connect();
await client.set('key', '1');
await client.add('key', 2); // 3
There are two functions that disconnect a client from the Redis server. In most scenarios you should use .quit() to ensure that pending commands are sent to Redis before closing a connection.
.QUIT()/.quit()
Gracefully close a client's connection to Redis, by sending the QUIT command to the server. Before quitting, the client executes any remaining commands in its queue, and will receive replies from Redis for each of them.
const [ping, get, quit] = await Promise.all([
  client.ping(),
  client.get('key'),
  client.quit()
]); // ['PONG', null, 'OK']
try {
  await client.get('key');
} catch (err) {
  // ClosedClient Error
}
.disconnect()
Forcibly close a client's connection to Redis immediately. Calling disconnect will not send further pending commands to the Redis server, or wait for or parse outstanding responses.
await client.disconnect();
Node Redis will automatically pipeline requests that are made during the same "tick".
client.set('Tm9kZSBSZWRpcw==', 'users:1');
client.sAdd('users:1:tokens', 'Tm9kZSBSZWRpcw==');
Of course, if you don't do something with your Promises you're certain to get unhandled Promise exceptions. To take advantage of auto-pipelining and handle your Promises, use Promise.all().
await Promise.all([
  client.set('Tm9kZSBSZWRpcw==', 'users:1'),
  client.sAdd('users:1:tokens', 'Tm9kZSBSZWRpcw==')
]);
Check out the Clustering Guide when using Node Redis to connect to a Redis Cluster.
The Node Redis client class is a Node.js EventEmitter and it emits an event each time the network status changes:
Name | When | Listener arguments |
---|---|---|
connect | Initiating a connection to the server | No arguments |
ready | Client is ready to use | No arguments |
end | Connection has been closed (via .quit() or .disconnect() ) | No arguments |
error | An error has occurred—usually a network issue such as "Socket closed unexpectedly" | (error: Error) |
reconnecting | Client is trying to reconnect to the server | No arguments |
sharded-channel-moved | See here | See here |
:warning: You MUST listen to error events. If a client doesn't have at least one error listener registered and an error occurs, that error will be thrown and the Node.js process will exit. See the EventEmitter docs for more details.
The client will not emit any other events beyond those listed above.
Node Redis is supported with the following versions of Redis:
Version | Supported |
---|---|
7.0.z | :heavy_check_mark: |
6.2.z | :heavy_check_mark: |
6.0.z | :heavy_check_mark: |
5.0.z | :heavy_check_mark: |
< 5.0 | :x: |
Node Redis should work with older versions of Redis, but it is not fully tested and we cannot offer support.
If you'd like to contribute, check out the contributing guide.
Thank you to all the people who already contributed to Node Redis!
This repository is licensed under the "MIT" license. See LICENSE.
FAQs
A modern, high performance Redis client
The npm package redis receives a total of 2,759,675 weekly downloads. As such, redis popularity was classified as popular.
We found that redis demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.