trace-unhandled
Much better tracing of unhandled promise rejections in JavaScript
Node.js and browsers warn on unhandled promise rejections. You might have seen:
(node:1234) UnhandledPromiseRejectionWarning
When this happens, it's not always obvious what promise is unhandled. The error stacktrace will tell where the error object construction is, not the construction of the promise which left it dangling. It might have travelled through various asynchronous chains before it got to an unhandled promise chain.
trace-unhandled helps with this. It keeps track of promises and when an unhandled promise rejection is logged, the location of both the error object and the promise is logged. This makes it a lot easier to find the bug.
This package is not intended to be used in production, only to aid locating bugs.
Consider the following code which creates an error (on line 1) and rejects a promise (on line 3) and "forgets" to catch it on line 9 (the last line). This is an incredibly simple example, and in real life, this would span over a lot of files and a lot of complexity.
1. const err = new Error( "foo" );
2. function b( ) {
3. return Promise.reject( err );
4. }
5. function a( ) {
6. return b( );
7. }
8. const foo = a( );
9. foo.then( ( ) => { } );
Without trace-unhandled, you would get something like:
(node:1234) UnhandledPromiseRejectionWarning: Error: foo
at Object.<anonymous> (/my/directory/test.js:1:13)
at Module._compile (internal/modules/cjs/loader.js:776:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:787:10)
at Module.load (internal/modules/cjs/loader.js:643:32)
at Function.Module._load (internal/modules/cjs/loader.js:556:12)
at Function.Module.runMain (internal/modules/cjs/loader.js:839:10)
at internal/main/run_main_module.js:17:11
This is the output of Node.js. You'll see the stacktrace up to the point of the Error err, but that's rather irrelevant. What you want to know is where the promise was used leaving a rejection unhandled (i.e. a missing catch()). With trace-unhandled this is exactly what you get, including the Error construction location:
(node:1234) UnhandledPromiseRejectionWarning
[ Stacktrace altered by https://github.com/grantila/trace-unhandled ]
Error: foo
==== Promise at: ==================
at Promise.then (<anonymous>)
at Object.<anonymous> (/my/directory/test.js:9:5) 👈
==== Error at: ====================
at Object.<anonymous> (/my/directory/test.js:1:13)
==== Shared trace: ================
at Module._compile (internal/modules/cjs/loader.js:776:30)
... more lines below ...
We "used" the promise by appending another .then() to it. This means that the promise was actually "handled", and that the new promise should handle rejections. If we delete the last line (line 9), we see where the promise was last "used":
(node:1234) UnhandledPromiseRejectionWarning
[ Stacktrace altered by https://github.com/grantila/trace-unhandled ]
Error: foo
==== Promise at: ==================
at b (/my/directory/test.js:3:17) 👈
at a (/my/directory/test.js:6:9) 👈
at Object.<anonymous> (/my/directory/test.js:8:13) 👈
==== Error at: ====================
at Object.<anonymous> (/my/directory/test.js:1:13)
==== Shared trace: ================
at Module._compile (internal/modules/cjs/loader.js:776:30)
... more lines below ...
Both these examples show clearly where the promise is left unhandled, and not only where the Error object is constructed.
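The idea described above, recording where each promise was created so that location can be reported next to the error's own stack, shown as an added example for Node.js. This is not trace-unhandled's own code: `TracedPromise`, `creationSite`, `report`, `install` and the sample functions are hypothetical names, and only promises created through `TracedPromise` are tracked.

```javascript
// Added illustration (not trace-unhandled's source): remember where each
// promise was created so a rejection report can show both locations.
const sites = new WeakMap(); // promise -> stack frames captured at construction

class TracedPromise extends Promise {
  constructor(executor) {
    super(executor);
    // then(), catch() and the static reject() all build their result through
    // this constructor, so every derived promise gets its own creation site.
    // slice(2) drops the "Error" header line and the constructor's own frame.
    sites.set(this, new Error().stack.split("\n").slice(2));
  }
}

// Frames recorded for a promise, or [] if it was not a TracedPromise.
function creationSite(promise) {
  return sites.get(promise) || [];
}

// Build one report naming both the promise site and the error site.
function report(reason, promise) {
  const errFrames = reason instanceof Error && reason.stack
    ? reason.stack.split("\n").slice(1)
    : ["    (rejection reason is not an Error)"];
  return [
    String(reason),
    "==== Promise at: ====",
    ...creationSite(promise),
    "==== Error at: ====",
    ...errFrames,
  ].join("\n");
}

// Node.js only: log the combined report for each unhandled rejection.
// Registering a handler replaces Node's default handling of them.
function install(log = console.error) {
  process.on("unhandledRejection", (reason, promise) => log(report(reason, promise)));
}

// Constructed sample mirroring the page's scenario: the error is built in one
// place, the promise is rejected in another, and the final then() has no catch().
function makeError() { return new Error("foo"); }
function b(err) { return TracedPromise.reject(err); }
function a(err) { return b(err); }
function leak(err) { return a(err).then(() => {}); }
```

Calling `install()` before `leak(makeError())` prints a report whose "Promise at" section points at `leak` and whose "Error at" section points at `makeError`.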
trace-unhandled can be used in 4 ways.
trace-unhandled exports a program which can run JavaScript files and shebang scripts. Instead of running your program as node index.js you can do trace-unhandled index.js as long as trace-unhandled is globally installed.
You can also use npx:
npx trace-unhandled index.js
<head><script src="https://cdn.jsdelivr.net/npm/trace-unhandled@latest/browser.js"></script></head>
To specify a custom logger function, use setTraceUnhandledLogger:
window.setTraceUnhandledLogger( msg => { /* ... */ } ); // msg is a string
require( 'trace-unhandled/register' ); // As early as possible
or if you want to allow some code to execute before you start tracing:
const { register } = require( 'trace-unhandled' );
// ... whenever you want to start tracing
register( );
To specify a custom logger function, use setLogger:
const { setLogger } = require( 'trace-unhandled' );
setLogger( msg => { /* ... */ } ); // msg is a string
To use this package when running jest, install the package and configure jest with the following setup:
{
  setupFiles: [
    "trace-unhandled/register"
  ]
}
For mocha you can use --require node_modules/trace-unhandled/register.js.
The npm package trace-unhandled receives a total of 26,478 weekly downloads. As such, trace-unhandled's popularity was classified as popular.
We found that trace-unhandled demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.