Research
Security News
Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
The zx package is a tool for writing better scripts in a Node.js environment. It provides a more convenient and modern way to write shell scripts using JavaScript, leveraging the power of Node.js and its ecosystem.
Running Shell Commands
This feature allows you to run shell commands directly from your JavaScript code using template literals. The `$` function is used to execute the command and handle the output.
const { $ } = require('zx');
(async () => {
await $`echo Hello, world!`;
})();
Handling Promises
zx makes it easy to handle promises and errors when running shell commands. You can use async/await syntax to manage asynchronous operations and catch errors using try/catch blocks.
const { $ } = require('zx');
(async () => {
try {
await $`exit 1`;
} catch (error) {
console.error('Command failed:', error);
}
})();
Using Environment Variables
You can set and use environment variables within your scripts. This is useful for configuring your script's behavior based on different environments or settings.
const { $ } = require('zx');
(async () => {
process.env.MY_VAR = 'Hello, world!';
await $`echo $MY_VAR`;
})();
File System Operations
zx provides convenient access to Node.js's fs module, allowing you to perform file system operations like reading and writing files with ease.
const { fs } = require('zx');
(async () => {
await fs.writeFile('example.txt', 'Hello, world!');
const content = await fs.readFile('example.txt', 'utf8');
console.log(content);
})();
ShellJS is a portable (Windows/Linux/macOS) implementation of Unix shell commands on top of the Node.js API. It provides a similar functionality to zx but uses a more traditional approach with a focus on compatibility with Unix shell commands.
Execa is a modern process execution library for Node.js. It provides a more powerful and flexible way to run shell commands compared to zx, with features like better error handling, streaming, and more detailed output.
The child_process module is a built-in Node.js module that provides the ability to spawn child processes. While it is more low-level and less convenient than zx, it offers more control and flexibility for advanced use cases.
#!/usr/bin/env zx
await $`cat package.json | grep name`
let branch = await $`git branch --show-current`
await $`dep deploy --branch=${branch}`
await Promise.all([
$`sleep 1; echo 1`,
$`sleep 2; echo 2`,
$`sleep 3; echo 3`,
])
let name = 'foo bar'
await $`mkdir /tmp/${name}`
Bash is great, but when it comes to writing scripts,
people usually choose a more convenient programming language.
JavaScript is a perfect choice, but standard Node.js library
requires additional hassle before using. The zx
package provides
useful wrappers around child_process
, escapes arguments and
gives sensible defaults.
npm i -g zx
Requirement: Node version >= 16.0.0
Write your scripts in a file with .mjs
extension in order to
be able to use await
on top level. If you prefer the .js
extension,
wrap your scripts in something like void async function () {...}()
.
Add the following shebang to the beginning of your zx
scripts:
#!/usr/bin/env zx
Now you will be able to run your script like so:
chmod +x ./script.mjs
./script.mjs
Or via the zx
executable:
zx ./script.mjs
All functions ($
, cd
, fetch
, etc) are available straight away
without any imports.
Or import globals explicitly (for better autocomplete in VS Code).
import 'zx/globals'
$`command`
Executes a given string using the spawn
function from the
child_process
package and returns ProcessPromise<ProcessOutput>
.
Everything passed through ${...}
will be automatically escaped and quoted.
let name = 'foo & bar'
await $`mkdir ${name}`
There is no need to add extra quotes. Read more about it in quotes.
You can pass an array of arguments if needed:
let flags = [
'--oneline',
'--decorate',
'--color',
]
await $`git log ${flags}`
If the executed program returns a non-zero exit code,
ProcessOutput
will be thrown.
try {
await $`exit 1`
} catch (p) {
console.log(`Exit code: ${p.exitCode}`)
console.log(`Error: ${p.stderr}`)
}
ProcessPromise
class ProcessPromise<T> extends Promise<T> {
readonly stdin: Writable
readonly stdout: Readable
readonly stderr: Readable
readonly exitCode: Promise<number>
pipe(dest): ProcessPromise<T>
kill(signal = 'SIGTERM'): Promise<void>
}
The pipe()
method can be used to redirect stdout:
await $`cat file.txt`.pipe(process.stdout)
Read more about pipelines.
ProcessOutput
class ProcessOutput {
readonly stdout: string
readonly stderr: string
readonly exitCode: number
toString(): string
}
cd()
Changes the current working directory.
cd('/tmp')
await $`pwd` // outputs /tmp
fetch()
A wrapper around the node-fetch package.
let resp = await fetch('http://wttr.in')
if (resp.ok) {
console.log(await resp.text())
}
question()
A wrapper around the readline package.
Usage:
let bear = await question('What kind of bear is best? ')
let token = await question('Choose env variable: ', {
choices: Object.keys(process.env)
})
In second argument, array of choices for Tab autocompletion can be specified.
function question(query?: string, options?: QuestionOptions): Promise<string>
type QuestionOptions = { choices: string[] }
sleep()
A wrapper around the setTimeout
function.
await sleep(1000)
nothrow()
Changes behavior of $
to not throw an exception on non-zero exit codes.
function nothrow<P>(p: P): P
Usage:
await nothrow($`grep something from-file`)
// Inside a pipe():
await $`find ./examples -type f -print0`
.pipe(nothrow($`xargs -0 grep something`))
.pipe($`wc -l`)
If only the exitCode
is needed, you can use the next code instead:
if (await $`[[ -d path ]]`.exitCode == 0) {
...
}
// Equivalent of:
if ((await nothrow($`[[ -d path ]]`)).exitCode == 0) {
...
}
Following packages are available without importing inside scripts.
chalk
packageThe chalk package.
console.log(chalk.blue('Hello world!'))
yaml
packageThe yaml package.
console.log(YAML.parse('foo: bar').foo)
fs
packageThe fs-extra package.
let content = await fs.readFile('./package.json')
globby
packageThe globby package.
let packages = await globby(['package.json', 'packages/*/package.json'])
let pictures = globby.globbySync('content/*.(jpg|png)')
Also, globby available via the glob
shortcut:
await $`svgo ${await glob('*.svg')}`
os
packageThe os package.
await $`cd ${os.homedir()} && mkdir example`
path
packageThe path package.
await $`mkdir ${path.join(basedir, 'output')}`
minimist
packageThe minimist package.
Available as global const argv
.
$.shell
Specifies what shell is used. Default is which bash
.
$.shell = '/usr/bin/bash'
Or use a CLI argument: --shell=/bin/bash
$.prefix
Specifies the command that will be prefixed to all commands run.
Default is set -euo pipefail;
.
Or use a CLI argument: --prefix='set -e;'
$.quote
Specifies a function for escaping special characters during command substitution.
$.verbose
Specifies verbosity. Default is true
.
In verbose mode, the zx
prints all executed commands alongside with their
outputs.
Or use a CLI argument --quiet
to set $.verbose = false
.
__filename
& __dirname
In ESM modules, Node.js does not provide
__filename
and __dirname
globals. As such globals are really handy in scripts,
zx
provides these for use in .mjs
files (when using the zx
executable).
require()
In ESM
modules, the require()
function is not defined.
The zx
provides require()
function, so it can be used with imports in .mjs
files (when using zx
executable).
let {version} = require('./package.json')
process.env.FOO = 'bar'
await $`echo $FOO`
If array of values passed as argument to $
, items of the array will be escaped
individually and concatenated via space.
Example:
let files = [...]
await $`tar cz ${files}`
It is possible to make use of $
and other functions via explicit imports:
#!/usr/bin/env node
import {$} from 'zx'
await $`date`
If script does not have a file extension (like .git/hooks/pre-commit
), zx
assumes that it is an ESM
module.
The zx
can execute scripts written in markdown
(docs/markdown.md):
zx docs/markdown.md
import {$} from 'zx'
// Or
import 'zx/globals'
void async function () {
await $`ls -la`
}()
Use ts-node as a esm node loader.
node --loader ts-node/esm script.ts
You must set "type": "module"
in package.json
and "module": "ESNext"
in tsconfig.json
.
{
"type": "module"
}
{
"compilerOptions": {
"module": "ESNext"
}
}
If the argument to the zx
executable starts with https://
, the file will be
downloaded and executed.
zx https://medv.io/example-script.mjs
zx https://medv.io/game-of-life.mjs
The zx
supports executing scripts from stdin.
zx <<'EOF'
await $`pwd`
EOF
Disclaimer: This is not an officially supported Google product.
FAQs
A tool for writing better scripts
The npm package zx receives a total of 646,522 weekly downloads. As such, zx popularity was classified as popular.
We found that zx demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.