The sprintf-js package is a JavaScript implementation of the sprintf function, which is originally from the C programming language. It provides string formatting capabilities, allowing users to format strings with placeholders that are replaced by specified values in a controlled manner.
sprintf
The sprintf function allows you to format a string with placeholders, such as %s for strings, %d for integers, and many others. The placeholders are replaced by the provided arguments in order.
const sprintf = require('sprintf-js').sprintf;
const formattedString = sprintf('Hello, %s!', 'World');
vsprintf
The vsprintf function is similar to sprintf but takes an array of arguments instead of a variable number of arguments, which can be useful when the number of values to substitute is dynamic or not known in advance.
const vsprintf = require('sprintf-js').vsprintf;
const formattedString = vsprintf('There are %d %s', [3, 'apples']);
The util package is a core Node.js module that includes a format method similar to sprintf. It is less feature-rich than sprintf-js and does not support all the placeholder types that sprintf-js does.
The printf package offers similar functionality to sprintf-js with a focus on being lightweight. It provides a subset of the formatting options available in sprintf-js and is designed to be a minimalistic alternative.
sprintf-js is a complete open source JavaScript sprintf implementation for the browser and Node.js.
Note: as of v1.1.1 you might need some polyfills for older environments. See Support section below.
var sprintf = require('sprintf-js').sprintf,
vsprintf = require('sprintf-js').vsprintf
sprintf('%2$s %3$s a %1$s', 'cracker', 'Polly', 'wants')
vsprintf('The first 4 letters of the english alphabet are: %s, %s, %s and %s', ['a', 'b', 'c', 'd'])
npm install sprintf-js
bower install sprintf
sprintf
Returns a formatted string:
string sprintf(string format, mixed arg1?, mixed arg2?, ...)
vsprintf
Same as sprintf except it takes an array of arguments, rather than a variable number of arguments:
string vsprintf(string format, array arguments?)
The placeholders in the format string are marked by % and are followed by one or more of these elements, in this order:
- An optional number followed by a $ sign that selects which argument index to use for the value. If not specified, arguments will be placed in the same order as the placeholders in the input string.
- An optional + sign that forces the result to be preceded by a plus or minus sign on numeric values. By default, only the - sign is used on negative numbers.
- An optional padding specifier that says what character to use for padding (if specified). Possible values are 0 or any other character preceded by a ' (single quote). The default is to pad with spaces.
- An optional - sign, that causes sprintf to left-align the result of this placeholder. The default is to right-align the result.
- An optional number, that says how many characters the result should have. If the value to be returned is shorter than this number, the result will be padded. When used with the j (JSON) type specifier, the padding length specifies the tab size used for indentation.
- An optional precision modifier, consisting of a . (dot) followed by a number, that says how many digits should be displayed for floating point numbers. When used with the g type specifier, it specifies the number of significant digits. When used on a string, it causes the result to be truncated.
- A type specifier that can be any of:
  - % — yields a literal % character
  - b — yields an integer as a binary number
  - c — yields an integer as the character with that ASCII value
  - d or i — yields an integer as a signed decimal number
  - e — yields a float using scientific notation
  - u — yields an integer as an unsigned decimal number
  - f — yields a float as is; see notes on precision above
  - g — yields a float as is; see notes on precision above
  - o — yields an integer as an octal number
  - s — yields a string as is
  - t — yields true or false
  - T — yields the type of the argument [1]
  - v — yields the primitive value of the specified argument
  - x — yields an integer as a hexadecimal number (lower-case)
  - X — yields an integer as a hexadecimal number (upper-case)
  - j — yields a JavaScript object or array as a JSON encoded string
You can also swap the arguments. That is, the order of the placeholders doesn't have to match the order of the arguments. You can do that by simply indicating in the format string which arguments the placeholders refer to:
sprintf('%2$s %3$s a %1$s', 'cracker', 'Polly', 'wants')
And, of course, you can repeat the placeholders without having to increase the number of arguments.
Format strings may contain replacement fields rather than positional placeholders. Instead of referring to a certain argument, you can now refer to a certain key within an object. Replacement fields are surrounded by rounded parentheses, ( and ), and begin with a keyword that refers to a key:
var user = {
name: 'Dolly',
}
sprintf('Hello %(name)s', user) // Hello Dolly
Keywords in replacement fields can be optionally followed by any number of keywords or indexes:
var users = [
{name: 'Dolly'},
{name: 'Molly'},
{name: 'Polly'},
]
sprintf('Hello %(users[0].name)s, %(users[1].name)s and %(users[2].name)s', {users: users}) // Hello Dolly, Molly and Polly
Note: mixing positional and named placeholders is not (yet) supported
You can pass in a function as a dynamic value and it will be invoked (with no arguments) in order to compute the value on the fly.
sprintf('Current date and time: %s', function() { return new Date().toString() })
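The placeholder grammar (positional placeholders with their flags, width and precision) and the replacement-field section above (nested keys and function arguments) are easiest to follow in a small parser for them. The block below is an added example written for this page, not sprintf-js's own source: a formatter named format (with a vformat array variant) that applies the documented elements in the documented order and implements the README's type specifiers. The helper names format, vformat, convert and lookup are this example's, not the library's. As a design choice, lookup only follows own properties of the argument object, and the example keeps the format string as a constant in every call, with data arriving only through the arguments.

```javascript
// Added example written for this page; it is not sprintf-js's own source.
// It implements the documented placeholder grammar, in the documented order:
//   %[n$ | (key)][+][0 | 'c][-][width][.precision]type
// plus function arguments evaluated on the fly, so the parsing rules above can
// be read directly from the regular expression and the branches below.

// Walk a key path such as "users[0].name". Own properties only; a missing key
// is an error rather than a silent "undefined".
function lookup(obj, path) {
  const parts = path.match(/[^.\[\]]+/g) || [];
  return parts.reduce((cur, part) => {
    if (cur == null || !Object.prototype.hasOwnProperty.call(cur, part)) {
      throw new Error('[format] property "' + part + '" does not exist');
    }
    return cur[part];
  }, obj);
}

// Render one argument according to its type specifier (the README's list).
function convert(value, type, width, precision) {
  const int = parseInt(value, 10);
  const num = Number(value);
  const p = precision === undefined ? undefined : Number(precision);
  switch (type) {
    case 'b': return int.toString(2);
    case 'c': return String.fromCharCode(int);
    case 'd': case 'i': return String(int);
    case 'e': return p === undefined ? num.toExponential() : num.toExponential(p);
    case 'f': return p === undefined ? String(num) : num.toFixed(p);
    case 'g': return p === undefined ? String(num) : String(Number(num.toPrecision(p)));
    case 'o': return int.toString(8);
    case 's': return p === undefined ? String(value) : String(value).slice(0, p);
    case 't': return String(Boolean(value));
    case 'T': return Object.prototype.toString.call(value).slice(8, -1).toLowerCase();
    case 'u': return String(int >>> 0);
    case 'v': return String(value.valueOf());
    case 'x': return int.toString(16);
    case 'X': return int.toString(16).toUpperCase();
    case 'j': return JSON.stringify(value, null, width ? Number(width) : 0);
    default: throw new SyntaxError('[format] unknown type specifier ' + type);
  }
}

// Format `fmt` with positional arguments (%s, %2$s, ...) or with one object for
// named replacement fields (%(key)s); mixing the two is rejected, as in the README.
function format(fmt, ...args) {
  // Groups: 1 index, 2 key path, 3 plus, 4 pad ("0" or 'c), 5 custom pad char,
  // 6 left-align, 7 width, 8 precision, 9 type.
  const re = /%(?:(\d+)\$|\(([^)]+)\))?(\+)?(0|'(.))?(-)?(\d+)?(?:\.(\d+))?([%bcdieufgostTuvxXj])/g;
  let out = '', last = 0, cursor = 0, mode = null, m;
  while ((m = re.exec(fmt)) !== null) {
    const literal = fmt.slice(last, m.index);
    if (literal.includes('%')) throw new SyntaxError('[format] unexpected placeholder in "' + literal + '"');
    out += literal;
    last = re.lastIndex;
    const [, index, key, plus, pad, padChar, left, width, precision, type] = m;
    if (type === '%') { out += '%'; continue; }

    // Resolve the argument: key path into args[0], explicit 1-based index, or next in sequence.
    let value;
    if (key !== undefined) {
      if (mode === 'positional') throw new Error('[format] mixing positional and named placeholders is not supported');
      mode = 'named';
      value = lookup(args[0], key);
    } else {
      if (mode === 'named') throw new Error('[format] mixing positional and named placeholders is not supported');
      mode = 'positional';
      value = index !== undefined ? args[Number(index) - 1] : args[cursor++];
    }
    // A function argument is invoked with no arguments to compute the value on the fly;
    // %T and %v describe the argument itself and leave it alone.
    if (typeof value === 'function' && type !== 'T' && type !== 'v') value = value();

    let str = convert(value, type, width, precision);
    let sign = '';
    if ('diefg'.includes(type)) {   // sign handling for the numeric types
      if (str.startsWith('-')) { sign = '-'; str = str.slice(1); }
      else if (plus) sign = '+';
    }
    if (width && type !== 'j') {    // for %j the width is the JSON indent instead
      const fill = padChar !== undefined ? padChar : (pad === '0' ? '0' : ' ');
      const padding = fill.repeat(Math.max(0, Number(width) - sign.length - str.length));
      // Zero padding sits between sign and digits; other padding precedes the sign.
      str = left ? sign + str + padding : fill === '0' ? sign + padding + str : padding + sign + str;
    } else {
      str = sign + str;
    }
    out += str;
  }
  const tail = fmt.slice(last);
  if (tail.includes('%')) throw new SyntaxError('[format] unexpected placeholder in "' + tail + '"');
  return out + tail;
}

// Array-argument variant, mirroring vsprintf.
function vformat(fmt, argv) { return format(fmt, ...argv); }

// Usage with the README's own inputs and a few flag combinations.
const users = [{name: 'Dolly'}, {name: 'Molly'}, {name: 'Polly'}];
console.log(format('%2$s %3$s a %1$s', 'cracker', 'Polly', 'wants'));   // Polly wants a cracker
console.log(format("%05.1f|%-6d|%+d|%'*8s|%.3s", 3.14159, 42, 7, 'pad', 'truncate')); // 003.1|42    |+7|*****pad|tru
console.log(format('%x %X %b %o %T %T', 255, 255, 255, 255, null, []));  // ff FF 11111111 377 null array
console.log(format('Hello %(users[0].name)s and %(users[2].name)s', {users})); // Hello Dolly and Polly
console.log(format('%s', () => 'computed on the fly'));
console.log(vformat('%d%% of %s', [100, 'cases']));                     // 100% of cases
```

The regular expression is the whole grammar: each optional group corresponds to one bullet of the list above, in the same order, which is why a padding character of 0 is consumed before the width digits and why %05d yields 0-padding of width 5. Errors are thrown for an unknown type specifier, a placeholder that mixes styles, and a key path that does not resolve, so a malformed format string fails loudly instead of producing partial output.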
You can use sprintf and vsprintf (also aliased as fmt and vfmt respectively) in your AngularJS projects. See demo/.
sprintf-js runs in all active Node versions (4.x+).
sprintf-js should work in all modern browsers. As of v1.1.1, you might need polyfills for the following:
- String.prototype.repeat() (any IE)
- Array.isArray() (IE < 9)
- Object.create() (IE < 9)
YMMV
sprintf-js is licensed under the terms of the BSD 3-Clause License.
[1] sprintf doesn't use the typeof operator. As such, the value null is a null, an array is an array (not an object), a date value is a date, etc.
Version 1.1.3
FAQs
JavaScript sprintf implementation
The npm package sprintf-js receives a total of 57,043,742 weekly downloads. As such, sprintf-js popularity was classified as popular.
We found that sprintf-js demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.