Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Add context awareness to your apps and frameworks by safely evaluating user-defined conditional expressions. Useful for evaluating expressions in config files, prompts, key bindings, completions, templates, and many other user cases.
Add context awareness to your apps and frameworks by safely evaluating user-defined conditional expressions. Useful for evaluating expressions in config files, prompts, key bindings, completions, templates, and many other user cases.
Please consider following this project's author, Jon Schlinkert, and consider starring the project to show your :heart: and support.
Install with npm (requires Node.js >=14):
$ npm install --save whence
This libarary doest returneth true if thine 'when' clause doest matcheth the granted context object.
Whence uses eval-estree-expression to safely evaluate user-defined conditional expressions, sometimes referred to as "when" clauses.
Add context awareness to your apps and frameworks.
Conditional expressions are useful in config files, creating prompts, determining key bindings, filtering suggestions and completions, variables in templates and snippets, and many other user cases.
It's even more useful when those conditional expressions can be evaluated safely.
Example: configuration files
For example, when authoring configuration files for workflows, pipelines, builds, and so on, it's common for developers to define expressions with conditionals to determine if or when a job, task, or step should run based on environment variables, etc. These configurations are typically defined using YAML, JSON or a similar data format, which means that conditional expressions must be written as strings, booleans, or numbers. Whence makes it safe and easy to evaluate these expressions.
Other use cases
when
clauses or something similar to determine the keybindings to use when a key is pressed.No assignment operators, functions, or function calls are allowed by default to make it as safe as possible to evaluate user-defined expressions. To accomplish this, whence
uses the eval-estree-expression library, which takes an estree expression from [@babel/parser][], esprima, acorn, or any similar library that parses and returns a valid estree
expression.
What we found
Every other eval library I found had one of the following shortcomings:
eval
or Node's vm
or something similar to evaluate code. This is to risky, or too heavy for our use cases.What whence does differently
__proto__
, constructor
, prototype
, or undefined
as property names on nested properties.const whence = require('whence');
// async usage
console.log(await whence('name =~ /^d.*b$/', { name: 'doowb' })); //=> true
console.log(await whence('amount > 100', { amount: 101 })); //=> true
console.log(await whence('a < b && c > d', { a: 0, b: 1, c: 3, d: 2 })); //=> true
console.log(await whence('platform === "darwin"', { platform: process.platform })); //=> true if macOS
console.log(await whence('platform === "darwin"', { platform: 'win32' })); //=> false
// sync usage
console.log(whence.sync('name =~ /^d.*b$/', { name: 'doowb' })); //=> true
console.log(whence.sync('amount > 100', { amount: 101 })); //=> true
console.log(whence.sync('a < b && c > d', { a: 0, b: 1, c: 3, d: 2 })); //=> true
console.log(whence.sync('platform === "darwin"', { platform: process.platform })); //=> true if macOS
console.log(whence.sync('platform === "darwin"', { platform: 'win32' })); //=> false
See eval-estree-expression and that project's unit tests for many more examples of the types of expressions that are supported.
Whence's default behavior (and purpose) is to return a boolean. Most implementors will be interested in this library for that reason. However, if you need the evaluated result and do not want values to be cast to booleans, you should probably use eval-estree-expression directly. For example:
// whence behavior
console.log(whence.sync('1 + 9')); //=> true
// eval-estree-expression behavior
console.log(whence.sync('1 + 9')); //=> 10
Returns true if the given value is truthy, or the value
("left") is
equal to or contained within the context
("right") value. This method is
used by the whence()
function (the main export), but you can use this
method directly if you don't want the values to be evaluated.
Params
value
{any}: The value to test.context
{Object}: The value to compare against.parent
{type}returns
{Boolean}: Returns true or false.Parses the given expression string with [@babel/parser][] and returns and AST. You may also an [estree][]-compatible expression AST.
Params
source
{String}: Expression string or an [estree][]-compatible expression AST.options
{Object}returns
{Object}Example
const { parse } = require('whence');
console.log(parse('platform === "darwin"'));
// Resuls in something like this:
// Node {
// type: 'BinaryExpression',
// value: Node { type: 'Identifier', name: 'platform' },
// operator: '===',
// context: Node {
// type: 'StringLiteral',
// extra: { rawValue: 'darwin', raw: '"darwin"' },
// value: 'darwin'
// }
// }
Asynchronously evaluates the given expression and returns a boolean.
Params
source
{String|Object}: Expression string or an [estree][]-compatible expression AST.context
{Object}options
{Object}returns
{Boolean}Example
const whence = require('whence');
console.log(await whence('10 < 20')); //=> true
console.log(whence.sync('10 < 20')); //=> true
Synchronous version of whence. Aliased as whence.sync()
.
Params
source
{String|Object}: Expression string or an [estree][]-compatible expression AST.context
{Object}options
{Object}returns
{Boolean}Example
const { whenceSync } = require('whence');
console.log(whenceSync('10 < 20')); //=> true
Compiles the given expression and returns an async function.
Params
source
{String|Object}: Expression string or an [estree][]-compatible expression AST.options
{Object}returns
{Function}: Returns a function that takes a context
object.Example
const { compile } = require('whence');
const fn = compile('type === "foo"');
console.log(await fn({ type: 'foo' })); //=> true
console.log(await fn({ type: 'bar' })); //=> false
Synchronous version of compile. This method is also alias as .compile.sync()
.
Params
source
{String|Object}: Expression string or an [estree][]-compatible expression AST.options
{Object}returns
{Function}: Returns a function that takes a context
object.Example
const { compile } = require('whence');
const fn = compile.sync('type === "foo"');
console.log(fn({ type: 'foo' })); //=> true
console.log(fn({ type: 'bar' })); //=> false
Supports all options from eval-estree-expression.
Although whence doesn't like functions...
console.log(whence.sync('/[a-c]+/.test(foo)', { foo: 'bbb' })); //=> throws an error
You can talk whence into evaluating them by setting the functions
option to true.
console.log(whence.sync('/[a-c]+/.test(foo)', { foo: 'bbb' }, { functions: true })); //=> true
console.log(whence.sync('/[a-c]+/.test(foo)', { foo: 'zzz' }, { functions: true })); //=> false
Pull requests and stars are always welcome. For bugs and feature requests, please create an issue.
Running and reviewing unit tests is a great way to get familiarized with a library and its API. You can install dependencies and run tests with the following command:
$ npm install && npm test
(This project's readme.md is generated by verb, please don't edit the readme directly. Any changes to the readme must be made in the .verb.md readme template.)
To generate the readme, run the following command:
$ npm install -g verbose/verb#dev verb-generate-readme && verb
Jon Schlinkert
Copyright © 2021, Jon Schlinkert. Released under the MIT License.
This file was generated by verb-generate-readme, v0.8.0, on September 22, 2021.
FAQs
Add context awareness to your apps and frameworks by safely evaluating user-defined conditional expressions. Useful for evaluating expressions in config files, prompts, key bindings, completions, templates, and many other user cases.
We found that whence demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.