Research
Security News
Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
The tcomb npm package is a library for Node.js and the browser which allows you to check the types of JavaScript values at runtime with a simple and concise syntax. It is useful for enforcing type safety, defining domain models, and creating composable and reusable type checkers.
Type Checking
This feature allows you to define a structure with specific types and create instances that adhere to those types.
const t = require('tcomb');
const Person = t.struct({ name: t.String, age: t.Number });
const person = Person({ name: 'Giulio', age: 43 });
Function Argument Validation
This feature enables you to validate function arguments to ensure they are of the expected type.
const t = require('tcomb');
function sum(a, b) {
t.Number(a);
t.Number(b);
return a + b;
}
sum(1, 2);
Subtyping
This feature allows you to create subtypes based on existing types with additional constraints.
const t = require('tcomb');
const Positive = t.subtype(t.Number, n => n >= 0);
const positiveNumber = Positive(10);
Refinement
This feature is similar to subtyping but is specifically for refining types to a more specific subset.
const t = require('tcomb');
const Integer = t.refinement(t.Number, n => n % 1 === 0);
const integerNumber = Integer(42);
Enums
This feature allows you to define a set of constants and ensure values match one of those constants.
const t = require('tcomb');
const Role = t.enums({ Admin: 'Admin', User: 'User' });
const userRole = Role('User');
Prop-types is a library for React that is used to document the intended types of properties passed to components. It is similar to tcomb in that it provides runtime type checking, but it is specifically tailored for React's component props.
io-ts is a TypeScript runtime type system for IO decoding/encoding. It is similar to tcomb in providing runtime type checking and validation, but it leverages TypeScript's type system for added compile-time safety.
Joi is an object schema description language and validator for JavaScript objects. It provides a powerful and expressive way to define and validate data structures. It is similar to tcomb in terms of validation capabilities but has a different API and is often used for validating API input.
Ajv is a JSON schema validator. It validates data against JSON Schema standards and is similar to tcomb in terms of validation. However, it uses a JSON-based schema definition rather than a programmatic API.
"Si vis pacem, para bellum" - (Vegetius 5th century)
tcomb is a library for Node.js and the browser which allows you to check the types of JavaScript values at runtime with a simple and concise syntax. It's great for Domain Driven Design and for adding safety to your internal code.
You may want to check out io-ts
tcomb is supposed to be used in development and is disabled in production. If you want type checks in production you may use
npm install tcomb --save
Code example
A type-checked function:
import t from 'tcomb';
function sum(a, b) {
t.Number(a);
t.Number(b);
return a + b;
}
sum(1, 's'); // throws '[tcomb] Invalid value "s" supplied to Number'
// using babel-plugin-tcomb
function sum(a: number, b: number) {
return a + b;
}
A user defined type:
const Integer = t.refinement(t.Number, (n) => n % 1 === 0, 'Integer');
A type-checked class:
const Person = t.struct({
name: t.String, // required string
surname: t.maybe(t.String), // optional string
age: t.Integer, // required integer
tags: t.list(t.String) // a list of strings
}, 'Person');
// methods are defined as usual
Person.prototype.getFullName = function () {
return `${this.name} ${this.surname}`;
};
const person = Person({
surname: 'Canti'
}); // throws '[tcomb] Invalid value undefined supplied to Person/name: String'
Chrome DevTools:
Lightweight
3KB gzipped, no dependencies.
Type safety
All models defined with tcomb
are type-checked.
Note. Instances are not boxed, this means that tcomb
works great with lodash, Ramda, etc. And you can of course use them as props to React components.
Based on set theory
Domain Driven Design
Write complex domain models in a breeze and with a small code footprint. Supported types / combinators:
Immutability and immutability helpers
Instances are immutable using Object.freeze
. This means you can use standard JavaScript objects and arrays. You don't have to change how you normally code. You can update an immutable instance with the provided update(instance, spec)
function:
const person2 = Person.update(person, {
name: { $set: 'Guido' }
});
where spec
is an object containing commands. The following commands are compatible with the Facebook Immutability Helpers:
$push
$unshift
$splice
$set
$apply
$merge
See Updating immutable instances for details.
Speed
Object.freeze
calls and asserts are executed only in development and stripped out in production (using process.env.NODE_ENV !== 'production'
tests).
Runtime type introspection
All models are inspectable at runtime. You can read and reuse the information stored in your types (in the meta
static member). See The meta object in the docs for details.
Libraries exploiting tcomb's RTI:
Easy JSON serialization / deserialization
Encodes / decodes your domain models to / from JSON for free.
Debugging with Chrome DevTools
You can customize the behavior when an assert fails leveraging the power of Chrome DevTools.
// use the default...
t.fail = function fail(message) {
throw new TypeError('[tcomb] ' + message); // set "Pause on exceptions" on the "Sources" panel for a great DX
};
// .. or define your own behavior
t.fail = function fail(message) {
console.error(message);
};
Pattern matching
const result = t.match(1,
t.String, () => 'a string',
t.Number, () => 'a number'
);
console.log(result); // => 'a number'
Babel plugin
Using babel-plugin-tcomb you can also write (Flow compatible) type annotations:
function sum(a: number, b: number): number {
return a + b;
}
TypeScript definition file
func
combinator ideas and documentationdeclare
combinatorgit clone git@github.com:gcanti/tcomb.git
cd tcomb
npm install
npm run dist
Will output 2 files:
dist/tcomb.js
(development)dist/tcomb.min.js
(production) Object.freeze
calls and asserts stripped outThe MIT License (MIT)
v3.2.29
interface
's extend
signature, #329 (@apepper)FAQs
Type checking and DDD for JavaScript
The npm package tcomb receives a total of 1,196,391 weekly downloads. As such, tcomb popularity was classified as popular.
We found that tcomb demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.