sc-istanbul
Deprecation Notice: this version of istanbul is deprecated, we will not be landing pull requests or releasing new versions. But don't worry, the Istanbul 2.0 API is now available and is being actively developed in the new istanbuljs organization.
New v0.4.0 now has beautiful HTML reports. Props to Tom MacWright @tmcw for a fantastic job!
esprima parser and the equally awesome escodegen code generator
Supports the following use cases and more
$ npm install -g istanbul
The best way to see it in action is to run node unit tests. Say you have a test script test.js that runs all tests for your node project without coverage.
Simply:
$ cd /path/to/your/source/root
$ istanbul cover test.js
and this should produce a coverage.json, lcov.info and lcov-report/*html under ./coverage
Sample of code coverage reports produced by this tool (for this tool!):
Istanbul assumes that the command passed to it is a JS file (e.g. Jasmine, vows etc.). This is however not true on Windows, where npm wraps bin files in a .cmd file.
Since Istanbul cannot parse .cmd files, you need to reference the bin file manually.
Here is an example using Jasmine 2:
istanbul cover node_modules\jasmine\bin\jasmine.js
To use this cross-platform (i.e. Linux, Mac and Windows), you can insert the above line into the scripts object in your package.json file, but with forward slashes.
"scripts": {
    "test": "istanbul cover node_modules/jasmine/bin/jasmine.js"
}
Drop a .istanbul.yml file at the top of the source tree to configure istanbul. istanbul help config tells you more about the config file format.
$ istanbul help
gives you detailed help on all commands.
Usage: istanbul help config | <command>

`config` provides help with istanbul configuration

Available commands are:

      check-coverage
              checks overall/per-file coverage against thresholds from coverage
              JSON files. Exits 1 if thresholds are not met, 0 otherwise

      cover   transparently adds coverage information to a node command. Saves
              coverage.json and reports at the end of execution

      help    shows help

      instrument
              instruments a file or a directory tree and writes the
              instrumented code to the desired output location

      report  writes reports for coverage JSON objects produced in a previous
              run

      test    cover a node command only when npm_config_coverage is set. Use in
              an `npm test` script for conditional coverage

Command names can be abbreviated as long as the abbreviation is unambiguous
To get detailed help for a command and what command-line options it supports, run:
istanbul help <command>
(Most of the command line options are not covered in this document.)
cover command
$ istanbul cover my-test-script.js -- my test args
# note the -- between the command name and the arguments to be passed
The cover command can be used to get a coverage object and reports for any arbitrary node script. By default, coverage information is written under ./coverage - this can be changed using command-line options.
The cover command can also be passed an optional --handle-sigint flag to enable writing reports when a user triggers a manual SIGINT of the process that is being covered. This can be useful when you are generating coverage for a long lived process.
test command
The test command has almost the same behavior as the cover command, except that it skips coverage unless the npm_config_coverage environment variable is set.
This command is deprecated since the latest versions of npm do not seem to set the npm_config_coverage variable.
instrument command
Instruments a single JS file or an entire directory tree and produces an output directory tree with instrumented code. This should not be required for running node unit tests but is useful for tests to be run on the browser.
report command
Writes reports using coverage*.json files as the source of coverage information. Reports are available in multiple formats and can be individually configured using the istanbul config file. See istanbul help report for more details.
check-coverage command
Checks the coverage of statements, functions, branches, and lines against the provided thresholds. Positive thresholds are taken to be the minimum percentage required and negative numbers are taken to be the number of uncovered entities allowed.
if or else path with /* istanbul ignore if */ or /* istanbul ignore else */ respectively.
/* istanbul ignore next */
See ignoring-code-for-coverage.md for the spec.
All the features of istanbul can be accessed as a library.

// Instrument a piece of source code
var istanbul = require('istanbul');
var instrumenter = new istanbul.Instrumenter();
var generatedCode = instrumenter.instrumentSync('function meaningOfLife() { return 42; }',
    'filename.js');

// Generate reports from a set of coverage objects
var istanbul = require('istanbul'),
    collector = new istanbul.Collector(),
    reporter = new istanbul.Reporter(),
    sync = false;
// obj1, obj2: coverage objects, e.g. the parsed contents of coverage.json files
collector.add(obj1);
collector.add(obj2); //etc.
reporter.add('text');
reporter.addAll([ 'lcov', 'clover' ]);
reporter.write(collector, sync, function () {
    console.log('All reports generated');
});

For the gory details consult the public API.
Istanbul can be used in a multiple-process environment by running each process with Istanbul, writing a unique coverage file for each process, and combining the results when generating reports. The method used to perform this will depend on the process forking API used. For example, when using the cluster module you must set up the master to start child processes with Istanbul coverage, disable reporting, and output coverage files that include the PID in the filename. Before each run you may need to clear out the coverage data directory.
var cluster = require('cluster');

if(cluster.isMaster) {
    // setup cluster if running with istanbul coverage
    if(process.env.running_under_istanbul) {
        // use coverage for forked process
        // disabled reporting and output for child process
        // enable pid in child process coverage filename
        cluster.setupMaster({
            exec: './node_modules/.bin/istanbul',
            args: [
                'cover', '--report', 'none', '--print', 'none', '--include-pid',
                process.argv[1], '--'].concat(process.argv.slice(2))
        });
    }
    // ...
    // ... cluster.fork();
    // ...
} else {
    // ... worker code
}
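An added example, not code from the istanbul project: a simplified merge of the per-process coverage objects that the cluster setup above produces, followed by the positive/negative threshold rule described for check-coverage. It assumes the istanbul v0 coverage layout of per-file s, f and b hit-count maps; the function names and sample objects are constructed for illustration.

```javascript
'use strict';
// Simplified re-implementation for illustration: only the hit counters
// (s = statements, f = functions, b = branches) are merged and summarized.
function mergeCoverage(a, b) {
  const out = JSON.parse(JSON.stringify(a)); // deep copy; inputs stay untouched
  for (const [file, fc] of Object.entries(b)) {
    if (!out[file]) { out[file] = JSON.parse(JSON.stringify(fc)); continue; }
    for (const k of Object.keys(fc.s)) out[file].s[k] += fc.s[k];
    for (const k of Object.keys(fc.f)) out[file].f[k] += fc.f[k];
    for (const k of Object.keys(fc.b)) {
      out[file].b[k] = out[file].b[k].map((n, i) => n + fc.b[k][i]);
    }
  }
  return out;
}

// Returns [covered, total] pairs per metric across all files.
function summarize(cov) {
  const sum = { statements: [0, 0], functions: [0, 0], branches: [0, 0] };
  const tally = (slot, hits) => { slot[1] += 1; if (hits > 0) slot[0] += 1; };
  for (const fc of Object.values(cov)) {
    Object.values(fc.s).forEach((n) => tally(sum.statements, n));
    Object.values(fc.f).forEach((n) => tally(sum.functions, n));
    Object.values(fc.b).forEach((arr) => arr.forEach((n) => tally(sum.branches, n)));
  }
  return sum;
}

// Positive threshold: minimum percentage required.
// Negative threshold: maximum number of uncovered entities allowed.
function meetsThreshold([covered, total], threshold) {
  if (threshold < 0) return total - covered <= -threshold;
  const pct = total === 0 ? 100 : (covered / total) * 100;
  return pct >= threshold;
}

// Constructed sample: the same file as seen by two worker processes.
const worker1 = { 'app.js': { s: { 1: 1, 2: 0, 3: 0, 4: 0 }, f: { 1: 1, 2: 0 }, b: { 1: [1, 0] } } };
const worker2 = { 'app.js': { s: { 1: 2, 2: 1, 3: 0, 4: 1 }, f: { 1: 2, 2: 0 }, b: { 1: [0, 1] } } };

const merged = summarize(mergeCoverage(worker1, worker2));
console.log(merged);
console.log('statements >= 75%:', meetsThreshold(merged.statements, 75));
console.log('functions, at most 1 uncovered:', meetsThreshold(merged.functions, -1));
console.log('functions >= 80%:', meetsThreshold(merged.functions, 80));
```

Checking a single worker's file on its own would understate coverage, which is why the per-PID files are combined before thresholds are applied.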
For details on the format of the coverage.json object, see here.
istanbul is licensed under the BSD License.
The following third-party libraries are used by this module:
cover command
lib/vendor/
cover command, modeled after the run command in that tool. The coverage methodology used by istanbul is quite different, however
Since all the good ones are taken. Comes from the loose association of ideas across coverage, carpet-area coverage, the country that makes good carpets and so on...
FAQs
Istanbul V0 used by solidity-coverage for its report-api
The npm package sc-istanbul receives a total of 72,579 weekly downloads. As such, sc-istanbul popularity was classified as popular.
We found that sc-istanbul demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.