The tiny-glob npm package is a minimalistic file globbing library. It is designed to be small and efficient, providing functionality to match file paths against specified patterns known as 'globs'. This package is particularly useful in environments where minimal overhead and fast execution are critical, such as in build tools and scripts.
File Globbing
This feature allows you to match files in a directory against a glob pattern. The example shows how to find all JavaScript files in the 'src' directory and its subdirectories.
const tg = require('tiny-glob');

async function getFiles() {
  const files = await tg('**/*.js', { cwd: 'src' });
  console.log(files);
}

getFiles();
The 'glob' package is one of the most popular globbing libraries on npm. It offers a rich set of features and options but is larger in size compared to tiny-glob. It supports advanced pattern matching and filtering options.
Similar to tiny-glob, 'fast-glob' is designed for performance and efficiency. It provides a similar API but includes additional features such as the ability to ignore files, stream files, and more detailed statistics about the matching process. It is a good alternative when additional features are needed without a significant compromise on performance.
Tiny and extremely fast library to match files and folders using glob patterns.
"Globs" is the common name for a specific type of pattern used to match files and folders. It's the patterns you type when you do stuff like ls *.js in your shell or put src/* in a .gitignore file. When used to match filenames, it's sometimes called a "wildcard".
npm install tiny-glob
const glob = require('tiny-glob');

(async function () {
  let files = await glob('src/*/*.{js,md}');
  // => [ ... ] array of matching files
})();
glob(str, opts={})
Type: function
Returns: Array
Return an array of matching files and folders.
This function is async and returns a promise.

str
Type: String
The glob pattern to match against.
OBS: Please only use forward-slashes in glob expressions, even on Windows.

opts.cwd
Type: String
Default: '.'
Change the default working directory.

opts.dot
Type: Boolean
Default: false
Allow patterns to match filenames or directories that begin with a period (.).

opts.absolute
Type: Boolean
Default: false
Return matches as absolute paths.

opts.filesOnly
Type: Boolean
Default: false
Skip directories and return matched files only.

opts.flush
Type: Boolean
Default: false
Flush the internal cache object.
Windows
Though Windows may use /, \, or \\ as path separators, you can only use forward-slashes (/) when specifying glob expressions. Any back-slashes (\) will be interpreted as escape characters instead of path separators.

This is common across many glob-based modules; see node-glob for corroboration.
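To make the rules above concrete, here is an added example (not tiny-glob's own code) that translates a glob into an anchored RegExp with the semantics the README states and runs it over a constructed path list: the leading-dot rule that keeps files such as .env out of results unless opts.dot is set, {a,b} alternation, and a back-slash acting as an escape rather than a separator. The names escapeRe, segmentToRegExp, globToRegExp, matchPaths and SAMPLE_PATHS are this example's own, and the filesystem options (cwd, absolute, filesOnly, flush) are deliberately not modelled.

```javascript
// Escape a string so every character in it is matched literally by a RegExp.
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
// One path segment: '\' escapes the next character (so it never acts as a
// separator), '*' and '?' stay inside the segment, '{a,b}' is an alternation,
// and unless dot is set a wildcard never matches a segment starting with '.'.
function segmentToRegExp(seg, dot) {
  let out = '';
  for (let i = 0; i < seg.length; i++) {
    const c = seg[i];
    const close = c === '{' ? seg.indexOf('}', i) : -1;
    if (c === '\\' && i + 1 < seg.length) out += escapeRe(seg[++i]);
    else if (c === '*') out += '[^/]*';
    else if (c === '?') out += '[^/]';
    else if (close > i) {
      out += '(?:' + seg.slice(i + 1, close).split(',').map(escapeRe).join('|') + ')';
      i = close;
    } else out += escapeRe(c);
  }
  return (dot || seg.startsWith('.') ? '' : '(?!\\.)') + out;
}

// Whole pattern, anchored. Only '/' separates segments; '**' matches zero or
// more whole segments (each subject to the same leading-dot rule).
function globToRegExp(pattern, opts = {}) {
  const dot = Boolean(opts.dot);
  const one = (dot ? '' : '(?!\\.)') + '[^/]+';
  const parts = pattern.split('/');
  const re = parts.map((seg, i) => {
    const last = i === parts.length - 1;
    if (seg === '**') return last ? `(?:${one}(?:/${one})*)?` : `(?:${one}/)*`;
    return segmentToRegExp(seg, dot) + (last ? '' : '/');
  }).join('');
  return new RegExp(`^${re}$`);
}

// Filter an in-memory list of relative paths. There is no filesystem walk, so
// opts.cwd, opts.absolute, opts.filesOnly and opts.flush are not modelled here.
function matchPaths(paths, pattern, opts) {
  const re = globToRegExp(pattern, opts);
  return paths.filter((p) => re.test(p));
}

// Constructed sample tree (paths relative to the project root).
const SAMPLE_PATHS = ['README.md', 'src/a.js', 'src/.env', 'src/lib/b.js',
  'src/lib/notes.md', 'src/.hidden/c.js', 'docs/d.md'];
console.log(matchPaths(SAMPLE_PATHS, '**/*.js'));                // .hidden/ skipped
console.log(matchPaths(SAMPLE_PATHS, '**/*.js', { dot: true }));  // now included
console.log(matchPaths(SAMPLE_PATHS, 'src/*/*.{js,md}'));
console.log(matchPaths(SAMPLE_PATHS, 'src\\lib\\*.js'));          // [] : '\' escaped 'l' and '*'
```

The last call is the Windows pitfall from the section above: a pattern written with back-slashes silently matches nothing, which matters when a build step relies on the result to decide what to copy or publish.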
glob x 13,405 ops/sec ±1.80% (85 runs sampled)
fast-glob x 25,745 ops/sec ±2.76% (59 runs sampled)
tiny-glob x 102,658 ops/sec ±0.79% (91 runs sampled)
Fastest is tiny-glob
┌───────────┬─────────────────────────┬─────────────┬────────────────┐
│ Name      │ Mean time (s)           │ Ops/sec     │ Diff           │
├───────────┼─────────────────────────┼─────────────┼────────────────┤
│ glob      │ 0.00007459990597268128  │ 13,404.843  │ N/A            │
├───────────┼─────────────────────────┼─────────────┼────────────────┤
│ fast-glob │ 0.000038842529587611705 │ 25,744.976  │ 92.06% faster  │
├───────────┼─────────────────────────┼─────────────┼────────────────┤
│ tiny-glob │ 0.00000974110141018254  │ 102,657.796 │ 298.75% faster │
└───────────┴─────────────────────────┴─────────────┴────────────────┘
Learn more about advanced globbing
MIT © Terkel Gjervig
FAQs
Tiny and extremely fast globbing
The npm package tiny-glob receives a total of 1,191,642 weekly downloads. As such, tiny-glob popularity was classified as popular.
We found that tiny-glob demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.