Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
tslint-immutable
Advanced tools
TSLint rules to disable mutation in TypeScript.
In some applications it is important to not mutate any data, for example when using Redux to store state in a React application. Moreover immutable data structures has a lot of advantages in general so I want to use them everywhere in my applications.
I originally used immutablejs for this purpose. It is a really nice library but I found it had some drawbacks. Specifically when debugging it was hard to see the structure, creating JSON was not straightforward, and passing parameters to other libraries required converting to regular mutable arrays and objects. The seamless-immutable project seems to have the same conclusions and they use regular objects and arrays and check for immutability at run-time. This solves all the aformentioned drawbacks but introduces a new drawback of only being enforced at run-time. (Altough you loose the structural sharing feature of immutablejs with this solution so you would have to consider if that is something you need).
Then typescript 2.0 came along and introduced readonly options for properties, indexers and arrays. This enables us to use regular object and arrays and have the immutability enfored at compile time instead of run-time. Now the only drawback is that there is nothing enforcing the use of readonly in typescript.
This can be solved by using linting rules. So the aim of this project is to leverage the type system in typescript to enforce immutability at compile-time while still using regular objects and arrays.
npm install tslint-immutable --save-dev
See the example tslint.json file for configuration.
In addition to immutable rules this project also contains a few rules for enforcing a functional style of programming. The following rules are available:
This rule enforces use of the readonly
modifier. The readonly
modifier can appear on property signatures in interfaces, property declarations in classes, and index signatures.
Below is some information about the readonly
modifier and the benefits of using it:
You might think that using const
would eliminate mutation from your TypeScript code. Wrong. Turns out that there's a pretty big loophole in const
.
interface Point {
x: number;
y: number;
}
const point: Point = { x: 23, y: 44 };
point.x = 99; // This is legal
This is why the readonly
modifier exists. It prevents you from assigning a value to the result of a member expression.
interface Point {
readonly x: number;
readonly y: number;
}
const point: Point = { x: 23, y: 44 };
point.x = 99; // <- No object mutation allowed.
This is just as effective as using Object.freeze() to prevent mutations in your Redux reducers. However the readonly
modifier has no run-time cost, and is enforced at compile time. A good alternative to object mutation is to use the ES2016 object spread syntax that was added in typescript 2.1:
interface Point {
readonly x: number;
readonly y: number;
}
const point: Point = { x: 23, y: 44 };
const transformedPoint = { ...point, x: 99 };
Note that you can also use object spread when destructuring to delete keys in an object:
let { [action.id]: deletedItem, ...rest } = state;
The readonly
modifier also works on indexers:
const foo: { readonly [key: string]: number } = { a: 1, b: 2 };
foo["a"] = 3; // Error: Index signature only permits reading
Yes
"readonly-keyword": true
"readonly-keyword": [true, "ignore-local"]
"readonly-keyword": [true, "ignore-local", {"ignore-prefix": "mutable"}]
This rule enforces use of ReadonlyArray<T>
instead of Array<T>
or T[]
.
Below is some information about the ReadonlyArray<T>
type and the benefits of using it:
Even if an array is declared with const
it is still possible to mutate the contents of the array.
interface Point {
readonly x: number;
readonly y: number;
}
const points: Array<Point> = [{ x: 23, y: 44 }];
points.push({ x: 1, y: 2 }); // This is legal
Using the ReadonlyArray<T>
type will stop this mutation:
interface Point {
readonly x: number;
readonly y: number;
}
const points: ReadonlyArray<Point> = [{ x: 23, y: 44 }];
points.push({ x: 1, y: 2 }); // Unresolved method push()
Yes
"readonly-array": true
"readonly-array": [true, "ignore-local"]
"readonly-array": [true, "ignore-local", {"ignore-prefix": "mutable"}]
This rule should be combined with tslint's built-in no-var-keyword
rule to enforce that all variables are declared as const
.
There's no reason to use let
in a Redux/React application, because all your state is managed by either Redux or React. Use const
instead, and avoid state bugs altogether.
let x = 5; // <- Unexpected let or var, use const.
What about for
loops? Loops can be replaced with the Array methods like map
, filter
, and so on. If you find the built-in JS Array methods lacking, use ramda, or lodash-fp.
const SearchResults = ({ results }) => (
<ul>
{results.map(result => <li>result</li>) // <- Who needs let?
}
</ul>
);
Yes
"no-let": true
"no-let": [true, "ignore-local"]
"no-let": [true, "ignore-local", {"ignore-prefix": "mutable"}]
This rule prohibits mutating an array via assignment to or deletion of their elements/properties. This rule enforces array immutability without the use of ReadonlyArray<T>
(as apposed to readonly-array).
const x = [0, 1, 2];
x[0] = 4; // <- Mutating an array is not allowed.
x.length = 1; // <- Mutating an array is not allowed.
x.push(3); // <- Mutating an array is not allowed.
No
"no-array-mutation": true
"no-array-mutation": [true, {"ignore-prefix": "mutable"}]
"no-array-mutation": [true, "ignore-mutation-following-accessor"]
This rule prohibits syntax that mutates existing objects via assignment to or deletion of their properties. While requiring the readonly
modifier forces declared types to be immutable, it won't stop assignment into or modification of untyped objects or external types declared under different rules. Forbidding forms like a.b = 'c'
is one way to plug this hole. Inspired by the no-mutation rule of eslint-plugin-immutable.
const x = { a: 1 };
x.foo = "bar"; // <- Modifying properties of existing object not allowed.
x.a += 1; // <- Modifying properties of existing object not allowed.
delete x.a; // <- Modifying properties of existing object not allowed.
No
"no-object-mutation": true
"no-object-mutation": [true, {"ignore-prefix": "mutable"}]
There are two ways function members can be declared in an interface or type alias:
interface Zoo {
foo(): string; // MethodSignature, cannot have readonly modifier
readonly bar: () => string; // PropertySignature
}
The MethodSignature
and the PropertySignature
forms seem equivalent, but only the PropertySignature
form can have a readonly
modifier. Becuase of this any MethodSignature
will be mutable. Therefore the no-method-signature
rule disallows usage of this form and instead proposes to use the PropertySignature
which can have a readonly
modifier. It should be noted however that the PropertySignature
form for declaring functions does not support overloading.
The delete operator allows for mutating objects by deleting keys. This rule disallows any delete expressions.
delete object.property; // Unexpected delete, objects should be considered immutable.
As an alternative the spread operator can be used to delete a key in an object (as noted here):
const { [action.id]: deletedItem, ...rest } = state;
Thanks to libraries like recompose and Redux's React Container components, there's not much reason to build Components using React.createClass
or ES6 classes anymore. The no-this
rule makes this explicit.
const Message = React.createClass({
render: function() {
return <div>{this.props.message}</div>; // <- no this allowed
}
});
Instead of creating classes, you should use React 0.14's Stateless Functional Components and save yourself some keystrokes:
const Message = ({ message }) => <div>{message}</div>;
What about lifecycle methods like shouldComponentUpdate
? We can use the recompose library to apply these optimizations to your Stateless Functional Components. The recompose library relies on the fact that your Redux state is immutable to efficiently implement shouldComponentUpdate for you.
import { pure, onlyUpdateForKeys } from "recompose";
const Message = ({ message }) => <div>{message}</div>;
// Optimized version of same component, using shallow comparison of props
// Same effect as React's PureRenderMixin
const OptimizedMessage = pure(Message);
// Even more optimized: only updates if specific prop keys have changed
const HyperOptimizedMessage = onlyUpdateForKeys(["message"], Message);
Mixing functions and data properties in the same interface is a sign of object-orientation style. This rule enforces that an inteface only has one type of members, eg. only data properties or only functions.
When you call a function and don’t use it’s return value, chances are high that it is being called for its side effect. e.g.
array.push(1);
alert("Hello world!");
This rule checks that the value of an expression is assigned to a variable and thus helps promote side-effect free (pure) functions.
"no-expression-statement": true
"no-expression-statement": [true, {"ignore-prefix": "console."}]
"no-expression-statement": [true, {"ignore-prefix": ["console.log", "console.error"]}]
If statements is not a good fit for functional style programming as they are not expresssions and do not return a value. This rule disallows if statements.
let x;
if (i === 1) {
x = 2;
} else {
x = 3;
}
Instead consider using the tenary operator which is an expression that returns a value:
const x = i === 1 ? 2 : 3;
For more background see this blog post and discussion in #54.
In functional programming we want everthing to be an expression that returns a value. Loops in typescript are statements so they are not a good fit for a functional programming style. This rule disallows for loop statements, including for
, for...of
, for...in
, while
, and do...while
.
const numbers = [1, 2, 3];
const double = [];
for (let i = 0; i < numbers.length; i++) {
double[i] = numbers[i] * 2;
}
Instead consider using map
or reduce
:
const numbers = [1, 2, 3];
const double = numbers.map(n => n * 2);
For more background see this blog post and discussion in #54.
Exceptions are not part of functional programming.
throw new Error("Something went wrong."); // Unexpected throw, throwing exceptions is not functional.
As an alternative a function should return an error:
function divide(x: number, y: number): number | Error {
return y === 0 ? new Error("Cannot divide by zero.") : x / y;
}
Or in the case of an async function, a rejected promise should be returned:
async function divide(x: Promise<number>, y: Promise<number>): Promise<number> {
const [xv, yv] = await Promise.all([x, y]);
return yv === 0
? Promise.reject(new Error("Cannot divide by zero."))
: xv / yv;
}
Try statements are not part of functional programming. See no-throw for more information.
ignore-local
optionIf a tree falls in the woods, does it make a sound? If a pure function mutates some local data in order to produce an immutable return value, is that ok?
The quote above is from the clojure docs. In general, it is more important to enforce immutability for state that is passed in and out of functions than for local state used for internal calculations within a function. For example in Redux, the state going in and out of reducers needs to be immutable while the reducer may be allowed to mutate local state in its calculations in order to achieve higher performance. This is what the ignore-local
option enables. With this option enabled immutability will be enforced everywhere but in local state. Function parameters and return types are not considered local state so they will still be checked.
Note that using this option can lead to more imperative code in functions so use with care!
ignore-class
optionDoesn't check for readonly
in classes.
ignore-interface
optionDoesn't check for readonly
in interfaces.
ignore-rest-parameters
optionDoesn't check for ReadonlyArray
for function rest parameters.
ignore-return-type
optionDoesn't check the return type of functions.
ignore-prefix
optionSome languages are immutable by default but allows you to explicitly declare mutable variables. For example in reason you can declare mutable record fields like this:
type person = {
name: string,
mutable age: int
};
Typescript is not immutable by default but it can be if you use this package. So in order to create an escape hatch similar to how it is done in reason the ignore-prefix
option can be used. For example if you configure it to ignore variables with names that has the prefix "mutable" you can emulate the above example in typescript like this:
type person = {
readonly name: string;
mutableAge: number; // This is OK with ignore-prefix = "mutable"
};
Yes, variable names like mutableAge
are ugly, but then again mutation is an ugly business :-).
ignore-prefix
option with no-expression-statement
Expression statements typically cause side effects, however not all side effects are undesirable. One example of a helpful side effect is logging. To not get warning of every log statement, we can configure the linter to ignore well known expression statement prefixes.
One such prefix could be console.
, which would cover both these cases:
const doSomething(arg:string) => {
if (arg) {
console.log("Argument is", arg);
} else {
console.warn("Argument is empty!");
}
return `Hello ${arg}`;
}
ignore-mutation-following-accessor
option with no-array-mutation
This option allows for the use of array mutator methods to be chained to an array accessor method (methods that modify the original array are known as mutator methods (eg. sort
) and methods that return a copy are known as accessor methods (eg. slice
and concat
)).
For example, an array can be immutably sorted with a single line like so:
const sorted = ["foo", "bar"].slice().sort((a, b) => a.localeCompare(b)); // This is OK with ignore-mutation-following-accessor
Without this rule, it is still possible to create var
variables that are mutable.
Without this rule, function parameters are mutable.
For performance reasons, tslint-immutable does not check implicit return types. So for example this function will return an mutable array but will not be detected (see #18 for more info):
function foo() {
return [1, 2, 3];
}
To avoid this situation you can enable the built in typedef rule like this:
"typedef": [true, "call-signature"]
Now the above function is forced to declare the return type becomes this and will be detected.
Here's a sample TSLint configuration file (tslint.json) that activates all the rules:
{
"extends": ["tslint-immutable"],
"rules": {
// Recommended built-in rules
"no-var-keyword": true,
"no-parameter-reassignment": true,
"typedef": [true, "call-signature"],
// Immutability rules
"readonly-keyword": true,
"readonly-array": true,
"no-let": true,
"no-object-mutation": true,
"no-delete": true,
"no-method-signature": true,
// Functional style rules
"no-this": true,
"no-class": true,
"no-mixed-interface": true,
"no-expression-statement": true,
"no-if-statement": true
}
}
It is also possible to enable all the rules in tslint-immutable by extending tslint-immutable/all
like this:
{
"extends": ["tslint-immutable/all"]
}
For new features file an issue. For bugs, file an issue and optionally file a PR with a failing test. Tests are really easy to do, you just have to edit the *.ts.lint
files under the test directory. Read more here about tslint testing.
To execute the tests first run yarn build
and then run yarn test
.
While working on the code you can run yarn test:work
. This script also builds before running the tests. To run a subset of the tests, change the path for yarn test:work
in package.json
.
Please review the tslint performance tips in order to write rules that run efficiently at run-time. For example, note that using SyntaxWalker
or any subclass thereof like RuleWalker
is inefficient. Note that tslint requires the use of class
as an entrypoint, but you can make a very small class that inherits from AbstractRule
which directly calls this.applyWithFunction
and from there you can switch to using a more functional programming style.
In order to know which AST nodes are created for a snippet of typescript code you can use ast explorer.
To release a new package version run yarn publish:patch
, yarn publish:minor
, or yarn publish:major
.
This work was originally inspired by eslint-plugin-immutable.
[v4.9.1] - 2018-11-04
ignore-return-type
option for the readonly-array
doesn't catch method declarations. See #95.FAQs
TSLint rules to disable mutation in TypeScript.
The npm package tslint-immutable receives a total of 14,927 weekly downloads. As such, tslint-immutable popularity was classified as popular.
We found that tslint-immutable demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.