The tmp npm package is used for creating temporary files and directories in a Node.js environment. It helps manage and clean up temporary files automatically.
Temporary File Creation
This feature allows you to create a temporary file. The library provides a callback with the path and file descriptor, and a cleanup callback to remove the file when it's no longer needed.
const tmp = require('tmp');
tmp.file(function _tempFileCreated(err, path, fd, cleanupCallback) {
  if (err) throw err;
  console.log('File: ', path);
  console.log('Filedescriptor: ', fd);
  // If we don't need the file anymore we could manually call the cleanupCallback
  // But that is not necessary if we didn't pass the keep option because the library will clean after itself.
  cleanupCallback();
});
Temporary Directory Creation
This feature allows you to create a temporary directory. Similar to temporary file creation, it provides a path to the directory and a cleanup callback.
const tmp = require('tmp');
tmp.dir(function _tempDirCreated(err, path, cleanupCallback) {
  if (err) throw err;
  console.log('Dir: ', path);
  // Manual cleanup
  cleanupCallback();
});
Synchronous File Creation
This feature allows for synchronous creation of a temporary file name. It returns the name directly without the need for a callback.
const tmp = require('tmp');
const name = tmp.tmpNameSync();
console.log('Temporary filename: ', name);
Synchronous Directory Creation
This feature allows for synchronous creation of a temporary directory. It returns an object with the directory name.
const tmp = require('tmp');
const dir = tmp.dirSync();
console.log('Temporary directory: ', dir.name);
The 'temp' package is similar to 'tmp' and is also used for managing temporary files and directories. It provides automatic cleanup and tracking of temporary files, but it has not been updated as frequently as 'tmp'.
The 'tempfile' package is a simpler alternative to 'tmp' that focuses on generating temporary file paths. It does not handle the creation or cleanup of the files.
The 'temp-dir' package provides the path to the system's default directory for temporary files, rather than creating temporary files or directories itself.
The 'mktemp' package creates temporary files and directories in a way similar to the Unix command of the same name. It offers a lower-level API compared to 'tmp' and requires manual cleanup.
A simple temporary file and directory creator for node.js.
This is a widely used library to create temporary files and directories in a node.js environment.
Tmp offers both an asynchronous and a synchronous API. For all API calls, all the parameters are optional. There also exists a promisified version of the API, see tmp-promise.
Tmp uses crypto to generate random file names or, when using templates, a six-letter random identifier. If your system does not have enough entropy left, Tmp falls back to pseudo-random numbers.
You can set whether you want to remove the temporary file on process exit or not.
If you do not want to store your temporary directories and files in the standard OS temporary directory, then you are free to override that as well.
All breaking changes that had been introduced, i.e.
have been reverted in v0.2.2 and tmp should now behave as it did before the introduction of these breaking changes.
Other breaking changes, i.e.
are still in place.
In order to override the system's tmpdir, you will have to use the newly introduced tmpdir option.
See the CHANGELOG for more information.
Since version 0.2.2, all support for node version <= 14 has been dropped.
Since version 0.1.0, all support for node versions < 0.10.0 has been dropped.
Most importantly, any support for earlier versions of node-tmp was also dropped.
If you still require node versions < 0.10.0, then you must limit your node-tmp dependency to versions below 0.1.0.
Since version 0.0.33, all support for node versions < 0.8 has been dropped.
If you still require node version 0.8, then you must limit your node-tmp dependency to version 0.0.33.
For node versions < 0.8 you must limit your node-tmp dependency to versions < 0.0.33.
npm install tmp
Please also check API docs.
If graceful cleanup is set, tmp will remove all controlled temporary objects on process exit, otherwise the temporary objects will remain in place, waiting to be cleaned up on system restart or otherwise scheduled temporary object removal.
To enforce this, you can call the setGracefulCleanup() method:
const tmp = require('tmp');
tmp.setGracefulCleanup();
Simple temporary file creation, the file will be closed and unlinked on process exit.
const tmp = require('tmp');
tmp.file(function _tempFileCreated(err, path, fd, cleanupCallback) {
  if (err) throw err;
  console.log('File: ', path);
  console.log('Filedescriptor: ', fd);
  // If we don't need the file anymore we could manually call the cleanupCallback
  // But that is not necessary if we didn't pass the keep option because the library
  // will clean after itself.
  cleanupCallback();
});
A synchronous version of the above.
const tmp = require('tmp');
const tmpobj = tmp.fileSync();
console.log('File: ', tmpobj.name);
console.log('Filedescriptor: ', tmpobj.fd);
// If we don't need the file anymore we could manually call the removeCallback
// But that is not necessary if we didn't pass the keep option because the library
// will clean after itself.
tmpobj.removeCallback();
Note that this might throw an exception if the maximum number of retries for creating a temporary name is exhausted, or if you do not have permission to write to the directory in which the temporary file should be created.
Simple temporary directory creation, it will be removed on process exit.
If the directory still contains items on process exit, then it won't be removed.
const tmp = require('tmp');
tmp.dir(function _tempDirCreated(err, path, cleanupCallback) {
  if (err) throw err;
  console.log('Dir: ', path);
  // Manual cleanup
  cleanupCallback();
});
If you want to clean up the directory even when there are entries in it, then you can pass the unsafeCleanup option when creating it.
A synchronous version of the above.
const tmp = require('tmp');
const tmpobj = tmp.dirSync();
console.log('Dir: ', tmpobj.name);
// Manual cleanup
tmpobj.removeCallback();
Note that this might throw an exception if the maximum number of retries for creating a temporary name is exhausted, or if you do not have permission to write to the directory in which the temporary directory should be created.
It is possible with this library to generate a unique filename in the specified directory.
const tmp = require('tmp');
tmp.tmpName(function _tempNameGenerated(err, path) {
  if (err) throw err;
  console.log('Created temporary filename: ', path);
});
A synchronous version of the above.
const tmp = require('tmp');
const name = tmp.tmpNameSync();
console.log('Created temporary filename: ', name);
Creates a file with mode 0644, prefix will be prefix- and postfix will be .txt.
const tmp = require('tmp');
tmp.file({ mode: 0o644, prefix: 'prefix-', postfix: '.txt' }, function _tempFileCreated(err, path, fd) {
  if (err) throw err;
  console.log('File: ', path);
  console.log('Filedescriptor: ', fd);
});
A synchronous version of the above.
const tmp = require('tmp');
const tmpobj = tmp.fileSync({ mode: 0o644, prefix: 'prefix-', postfix: '.txt' });
console.log('File: ', tmpobj.name);
console.log('Filedescriptor: ', tmpobj.fd);
As a side effect of creating a unique file tmp gets a file descriptor that is returned to the user as the fd parameter. The descriptor may be used by the application and is closed when the removeCallback is invoked.
In some use cases the application does not need the descriptor, needs to close it without removing the file, or needs to remove the file without closing the descriptor. Two options control how the descriptor is managed:
discardDescriptor - if true causes tmp to close the descriptor after the file is created. In this case the fd parameter is undefined.
detachDescriptor - if true causes tmp to return the descriptor in the fd parameter, but it is the application's responsibility to close it when it is no longer needed.
const tmp = require('tmp');
tmp.file({ discardDescriptor: true }, function _tempFileCreated(err, path, fd, cleanupCallback) {
  if (err) throw err;
  // fd will be undefined, allowing application to use fs.createReadStream(path)
  // without holding an unused descriptor open.
});
const tmp = require('tmp');
tmp.file({ detachDescriptor: true }, function _tempFileCreated(err, path, fd, cleanupCallback) {
  if (err) throw err;
  cleanupCallback();
  // Application can store data through fd here; the space used will automatically
  // be reclaimed by the operating system when the descriptor is closed or program
  // terminates.
});
Creates a directory with mode 0755, prefix will be myTmpDir_.
const tmp = require('tmp');
tmp.dir({ mode: 0o750, prefix: 'myTmpDir_' }, function _tempDirCreated(err, path) {
  if (err) throw err;
  console.log('Dir: ', path);
});
Again, a synchronous version of the above.
const tmp = require('tmp');
const tmpobj = tmp.dirSync({ mode: 0o750, prefix: 'myTmpDir_' });
console.log('Dir: ', tmpobj.name);
Creates a new temporary directory with mode 0700 and filename like /tmp/tmp-nk2J1u.
IMPORTANT NOTE: template no longer accepts a path. Use the dir option instead if you require tmp to create your temporary filesystem object in a different place than the default tmp.tmpdir.
const tmp = require('tmp');
tmp.dir({ template: 'tmp-XXXXXX' }, function _tempDirCreated(err, path) {
  if (err) throw err;
  console.log('Dir: ', path);
});
This will behave similarly to the asynchronous version.
const tmp = require('tmp');
const tmpobj = tmp.dirSync({ template: 'tmp-XXXXXX' });
console.log('Dir: ', tmpobj.name);
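The rules this page gives for name, template and dir (a name or template is a single path component, and dir must resolve to a location under the temporary root) can be checked before anything touches the filesystem. The following is an added example, not code from the tmp project; resolveTmpTarget and classify are hypothetical names, and the sample inputs and the /tmp/base root are constructed.

```javascript
const path = require('path');
const os = require('os');

// Hypothetical helper (not tmp's source): returns the target path, or throws
// when an option would place the object outside the temporary root.
function resolveTmpTarget(opts = {}) {
  const tmpdir = path.resolve(opts.tmpdir || os.tmpdir());

  // name and template must be a single path component, never a path.
  for (const key of ['name', 'template']) {
    const value = opts[key];
    if (value === undefined) continue;
    const single = !path.isAbsolute(value) && path.basename(value) === value;
    if (!single || value === '.' || value === '..') {
      throw new Error(`${key} must not contain path segments: ${value}`);
    }
  }
  if (opts.template !== undefined &&
      (opts.template.match(/XXXXXX/g) || []).length !== 1) {
    throw new Error('template must include XXXXXX once');
  }

  // dir may be relative or absolute but must resolve to tmpdir or below it.
  // Comparing with path.relative avoids the prefix trap where "/tmp/base-evil"
  // passes a startsWith("/tmp/base") test.
  const dir = path.resolve(tmpdir, opts.dir || '');
  const rel = path.relative(tmpdir, dir);
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`dir must be under ${tmpdir}: ${opts.dir}`);
  }
  // Lexical check only: symlinks below tmpdir are not resolved here.
  return path.join(dir, opts.name || opts.template || 'tmp-XXXXXX');
}

// Classify constructed option sets as 'ok' or 'rejected'.
function classify(samples, tmpdir) {
  return samples.map((opts) => {
    try { resolveTmpTarget({ tmpdir, ...opts }); return 'ok'; }
    catch (err) { return 'rejected'; }
  });
}

// Constructed inputs, evaluated against a constructed root /tmp/base.
console.log(classify(
  [{ dir: 'sub' }, { dir: '../other' }, { dir: '/tmp/base-evil' }, { name: 'a/b' }],
  '/tmp/base'
));
```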
Using tmpName() you can create temporary file names asynchronously.
The function accepts all standard options, e.g. prefix, postfix, dir, and so on.
You can also leave out the options altogether and just call the function with a callback as first parameter.
const tmp = require('tmp');
const options = {};
tmp.tmpName(options, function _tempNameGenerated(err, path) {
  if (err) throw err;
  console.log('Created temporary filename: ', path);
});
The tmpNameSync() function works similarly to tmpName().
Again, you can leave out the options altogether and just invoke the function without any parameters.
const tmp = require('tmp');
const options = {};
const tmpname = tmp.tmpNameSync(options);
console.log('Created temporary filename: ', tmpname);
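tmpName() and tmpNameSync() return a name without creating anything, so the caller has to create the file in a way that fails if something has appeared at that path in the meantime. The following is an added example, not code from the tmp project: createExclusive and candidateName are hypothetical helpers, candidateName stands in for tmp.tmpNameSync() so the block runs without dependencies, and the pre-existing file is constructed.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');
const crypto = require('crypto');

// Stand-in for tmp.tmpNameSync(): returns a candidate path, creates nothing.
function candidateName(dir, prefix = 'tmp-') {
  return path.join(dir, prefix + crypto.randomBytes(6).toString('hex'));
}

// Hypothetical helper. The 'wx' flag maps to O_CREAT | O_EXCL, so a file or
// symlink already present at the path fails with EEXIST instead of being
// opened or truncated. Defaults follow the page: mode 0o600, tries 3.
function createExclusive(nameFn, { mode = 0o600, tries = 3 } = {}) {
  for (let attempt = 1; attempt <= tries; attempt++) {
    const name = nameFn();
    try {
      const fd = fs.openSync(name, 'wx', mode);
      return { name, fd, attempts: attempt };
    } catch (err) {
      if (err.code !== 'EEXIST') throw err; // EACCES, ENOENT, ... are not retried
    }
  }
  throw new Error(`could not create a unique file after ${tries} tries`);
}

// Constructed demo: the first candidate is already taken, as if another
// process had created it between name generation and open.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'excl-demo-'));
  const taken = candidateName(dir);
  fs.writeFileSync(taken, 'pre-existing content');
  const queue = [taken, candidateName(dir)];
  const res = createExclusive(() => queue.shift());
  const result = {
    attempts: res.attempts,
    untouched: fs.readFileSync(taken, 'utf8') === 'pre-existing content',
    mode: fs.fstatSync(res.fd).mode & 0o777,
  };
  fs.closeSync(res.fd);
  fs.rmSync(dir, { recursive: true, force: true });
  return result;
}

console.log(demo());
```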
All options are optional :)
name: a fixed name that overrides random name generation, the name must be relative and must not contain path segments
mode: the file mode to create with, falls back to 0o600 on file creation and 0o700 on directory creation
prefix: the optional prefix, defaults to tmp
postfix: the optional postfix
template: mkstemp like filename template, no default, must include XXXXXX once for random name generation, e.g. 'foo-bar-XXXXXX'.
dir: the optional temporary directory that must be relative to the system's default temporary directory. Absolute paths are fine as long as they point to a location under the system's default temporary directory. Any directories along the so specified path must exist, otherwise an ENOENT error will be thrown upon access, as tmp will not check the availability of the path, nor will it establish the requested path for you.
tmpdir: allows you to override the system's root tmp directory
tries: how many times should the function try to get a unique filename before giving up, default 3
keep: signals that the temporary file or directory should not be deleted on exit, default is false
cleanupCallback function manually.
unsafeCleanup: recursively removes the created temporary directory, even when it's not empty. default is false
detachDescriptor: detaches the file descriptor, caller is responsible for closing the file, tmp will no longer try closing the file during garbage collection
discardDescriptor: discards the file descriptor (closes file, fd is -1), tmp will no longer try closing the file during garbage collection
FAQs
Temporary file and directory creator
The npm package tmp receives a total of 28,446,519 weekly downloads. As such, tmp popularity was classified as popular.
We found that tmp demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.