Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
tree-crawl
Advanced tools
Agnostic tree traversal library.
You can install tree-crawl
with yarn
:
$ yarn add tree-crawl
Alternatively using npm
:
$ npm install --save tree-crawl
import crawl from 'tree-crawl'
// traverse the tree in pre-order
crawl(tree, console.log)
crawl(tree, console.log, { order: 'pre' })
// traverse the tree in post-order
crawl(tree, console.log, { order: 'post' })
// traverse the tree using `childNodes` as the children key
crawl(tree, console.log, { getChildren: node => node.childNodes })
// skip a node and its children
crawl(tree, (node, context) => {
if ('foo' === node.type) {
context.skip()
}
})
// stop the walk
crawl(tree, (node, context) => {
if ('foo' === node.type) {
context.break()
}
})
// remove a node
crawl(tree, (node, context) => {
if ('foo' === node.type) {
context.parent.children.splice(context.index, 1)
context.remove()
}
})
// replace a node
crawl(tree, (node, context) => {
if ('foo' === node.type) {
const node = {
type: 'new node',
children: [
{ type: 'new leaf' }
]
}
context.parent.children[context.index] = node
context.replace(node)
}
})
tl;dr It's easy for DFS, less easy for BFS
If you are using DFS you can use the following utility function:
const getPath = context =>
context.cursor.stack.xs.reduce((path, item) => {
if (item.node) {
path.push(item.node)
}
return path
}, [])
If you are really concerned about performance, you could read items from the stack directly. Each item has a node
and index
property that you can use. The first item in the stack can be discarded and will have a node
set to null
. Be aware that you should not mutate the stack, or it will break the traversal.
If you are using BFS, things gets more complex. A simple hacky way to do so is to traverse the tree using DFS first. You can ad a path
property to your nodes using the method above. And then do your regular BFS traversal using that path
property.
Called on each node of the tree.
Type: Function
Parameters
Walk options.
Type: Object
Parameters
node
Properties
getChildren
Function? Return a node's children.order
("pre"
| "post"
| "bfs"
)? Order of the walk either in DFS pre or post order, or
BFS.Examples
Traverse a DOM tree.
crawl(document.body, doSomeStuff, { getChildren: node => node.childNodes })
BFS traversal
crawl(root, doSomeStuff, { order: 'bfs' })
Walk a tree recursively.
By default getChildren
will return the children
property of a node.
Parameters
root
Object Root node of the tree to be walked.iteratee
Iteratee Function invoked on each node.options
Options? Options customizing the walk.A traversal context.
Four operations are available. Note that depending on the traversal order, some operations have no effects.
Parameters
flags
Flagscursor
CursorSkip current node, children won't be visited.
Examples
crawl(root, (node, context) => {
if ('foo' === node.type) {
context.skip()
}
})
Stop traversal now.
Examples
crawl(root, (node, context) => {
if ('foo' === node.type) {
context.break()
}
})
Notifies that the current node has been removed, children won't be visited.
Because tree-crawl
has no idea about the intrinsic structure of your tree, you have to
remove the node yourself. Context#remove
only notifies the traversal code that the structure
of the tree has changed.
Examples
crawl(root, (node, context) => {
if ('foo' === node.type) {
context.parent.children.splice(context.index, 1)
context.remove()
}
})
Notifies that the current node has been replaced, the new node's children will be visited instead.
Because tree-crawl
has no idea about the intrinsic structure of your tree, you have to
replace the node yourself. Context#replace
notifies the traversal code that the structure of
the tree has changed.
Parameters
node
Object Replacement node.Examples
crawl(root, (node, context) => {
if ('foo' === node.type) {
const node = {
type: 'new node',
children: [
{ type: 'new leaf' }
]
}
context.parent.children[context.index] = node
context.replace(node)
}
})
Get the parent of the current node.
Returns Object Parent node.
Get the depth of the current node. The depth is the number of ancestors the current node has.
Returns Number Depth.
Get the level of current node. The level is the number of ancestors+1 the current node has.
Returns Number Level.
Get the index of the current node.
Returns Number Node's index.
tree-crawl
is built to be super fast and traverse potentially huge trees. It's possible because it implements its own stack and queue for traversal algorithms and makes sure the code is optimizable by the VM.
If you do need real good performance please consider reading this checklist first.
Your main objective is to keep the traversal code optimized and avoid de-optimizations and bailouts. To do so, your nodes should have the same hidden class and your code stay monomorphic.
MIT © Nicolas Gryman
FAQs
Agnostic tree traversal library.
The npm package tree-crawl receives a total of 8,001 weekly downloads. As such, tree-crawl popularity was classified as popular.
We found that tree-crawl demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.