Gathering detailed insights and metrics for arg
Gathering detailed insights and metrics for arg
Installations
npm install argDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS
Node Version
16.13.1
NPM Version
8.1.2
Score
99.8
Supply Chain
99.5
Quality
82
Maintenance
100
Vulnerability
100
License
Releases
7
Languages
1
JavaScript
JavaScript (100%)
Developer
Download Statistics
Total Downloads
5,376,817,836
Last Day
2,576,841
Last Week
43,856,174
Last Month
190,270,596
Last Year
1,909,042,335
GitHub Statistics
MIT License
1,283 Stars
63 Commits
54 Forks
61 Watchers
7 Branches
92 Contributors
Updated on Jul 01, 2025
Bundle Size
2.38 kB
Minified
1.24 kB
Minified + Gzipped
Maintainers
164
Package Meta Information
Latest Version
5.0.2
Package Id
arg@5.0.2
Unpacked Size
13.34 kB
Size
5.49 kB
File Count
5
NPM Version
8.1.2
Node Version
16.13.1
Total Downloads
Cumulative downloads
Total Downloads
5,376,817,836
Last Day
-13.4%
2,576,841
Compared to previous day
Last Week
-8.8%
43,856,174
Compared to previous week
Last Month
0.8%
190,270,596
Compared to previous month
Last Year
41.4%
1,909,042,335
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Arg
arg is an unopinionated, no-frills CLI argument parser.
Installation
1npm install arg
Usage
arg() takes either 1 or 2 arguments:
- Command line specification object (see below)
- Parse options (Optional, defaults to
{permissive: false, argv: process.argv.slice(2), stopAtPositional: false})
It returns an object with any values present on the command-line (missing options are thus missing from the resulting object). Arg performs no validation/requirement checking - we leave that up to the application.
All parameters that aren't consumed by options (commonly referred to as "extra" parameters)
are added to result._, which is always an array (even if no extra parameters are passed,
in which case an empty array is returned).
1const arg = require('arg'); 2 3// `options` is an optional parameter 4const args = arg( 5 spec, 6 (options = { permissive: false, argv: process.argv.slice(2) }) 7);
For example:
1$ node ./hello.js --verbose -vvv --port=1234 -n 'My name' foo bar --tag qux --tag=qix -- --foobar
1// hello.js 2const arg = require('arg'); 3 4const args = arg({ 5 // Types 6 '--help': Boolean, 7 '--version': Boolean, 8 '--verbose': arg.COUNT, // Counts the number of times --verbose is passed 9 '--port': Number, // --port <number> or --port=<number> 10 '--name': String, // --name <string> or --name=<string> 11 '--tag': [String], // --tag <string> or --tag=<string> 12 13 // Aliases 14 '-v': '--verbose', 15 '-n': '--name', // -n <string>; result is stored in --name 16 '--label': '--name' // --label <string> or --label=<string>; 17 // result is stored in --name 18}); 19 20console.log(args); 21/* 22{ 23 _: ["foo", "bar", "--foobar"], 24 '--port': 1234, 25 '--verbose': 4, 26 '--name': "My name", 27 '--tag': ["qux", "qix"] 28} 29*/
The values for each key=>value pair is either a type (function or [function]) or a string (indicating an alias).
-
In the case of a function, the string value of the argument's value is passed to it, and the return value is used as the ultimate value.
-
In the case of an array, the only element must be a type function. Array types indicate that the argument may be passed multiple times, and as such the resulting value in the returned object is an array with all of the values that were passed using the specified flag.
-
In the case of a string, an alias is established. If a flag is passed that matches the key, then the value is substituted in its place.
Type functions are passed three arguments:
- The parameter value (always a string)
- The parameter name (e.g.
--label) - The previous value for the destination (useful for reduce-like operations or for supporting
-vmultiple times, etc.)
This means the built-in String, Number, and Boolean type constructors "just work" as type functions.
Note that Boolean and [Boolean] have special treatment - an option argument is not consumed or passed, but instead true is
returned. These options are called "flags".
For custom handlers that wish to behave as flags, you may pass the function through arg.flag():
1const arg = require('arg'); 2 3const argv = [ 4 '--foo', 5 'bar', 6 '-ff', 7 'baz', 8 '--foo', 9 '--foo', 10 'qux', 11 '-fff', 12 'qix' 13]; 14 15function myHandler(value, argName, previousValue) { 16 /* `value` is always `true` */ 17 return 'na ' + (previousValue || 'batman!'); 18} 19 20const args = arg( 21 { 22 '--foo': arg.flag(myHandler), 23 '-f': '--foo' 24 }, 25 { 26 argv 27 } 28); 29 30console.log(args); 31/* 32{ 33 _: ['bar', 'baz', 'qux', 'qix'], 34 '--foo': 'na na na na na na na na batman!' 35} 36*/
As well, arg supplies a helper argument handler called arg.COUNT, which equivalent to a [Boolean] argument's .length
property - effectively counting the number of times the boolean flag, denoted by the key, is passed on the command line..
For example, this is how you could implement ssh's multiple levels of verbosity (-vvvv being the most verbose).
1const arg = require('arg'); 2 3const argv = ['-AAAA', '-BBBB']; 4 5const args = arg( 6 { 7 '-A': arg.COUNT, 8 '-B': [Boolean] 9 }, 10 { 11 argv 12 } 13); 14 15console.log(args); 16/* 17{ 18 _: [], 19 '-A': 4, 20 '-B': [true, true, true, true] 21} 22*/
Options
If a second parameter is specified and is an object, it specifies parsing options to modify the behavior of arg().
argv
If you have already sliced or generated a number of raw arguments to be parsed (as opposed to letting arg
slice them from process.argv) you may specify them in the argv option.
For example:
1const args = arg( 2 { 3 '--foo': String 4 }, 5 { 6 argv: ['hello', '--foo', 'world'] 7 } 8);
results in:
1const args = { 2 _: ['hello'], 3 '--foo': 'world' 4};
permissive
When permissive set to true, arg will push any unknown arguments
onto the "extra" argument array (result._) instead of throwing an error about
an unknown flag.
For example:
1const arg = require('arg'); 2 3const argv = [ 4 '--foo', 5 'hello', 6 '--qux', 7 'qix', 8 '--bar', 9 '12345', 10 'hello again' 11]; 12 13const args = arg( 14 { 15 '--foo': String, 16 '--bar': Number 17 }, 18 { 19 argv, 20 permissive: true 21 } 22);
results in:
1const args = { 2 _: ['--qux', 'qix', 'hello again'], 3 '--foo': 'hello', 4 '--bar': 12345 5};
stopAtPositional
When stopAtPositional is set to true, arg will halt parsing at the first
positional argument.
For example:
1const arg = require('arg'); 2 3const argv = ['--foo', 'hello', '--bar']; 4 5const args = arg( 6 { 7 '--foo': Boolean, 8 '--bar': Boolean 9 }, 10 { 11 argv, 12 stopAtPositional: true 13 } 14);
results in:
1const args = { 2 _: ['hello', '--bar'], 3 '--foo': true 4};
Errors
Some errors that arg throws provide a .code property in order to aid in recovering from user error, or to
differentiate between user error and developer error (bug).
ARG_UNKNOWN_OPTION
If an unknown option (not defined in the spec object) is passed, an error with code ARG_UNKNOWN_OPTION will be thrown:
1// cli.js 2try { 3 require('arg')({ '--hi': String }); 4} catch (err) { 5 if (err.code === 'ARG_UNKNOWN_OPTION') { 6 console.log(err.message); 7 } else { 8 throw err; 9 } 10}
1node cli.js --extraneous true 2Unknown or unexpected option: --extraneous
FAQ
A few questions and answers that have been asked before:
How do I require an argument with arg?
Do the assertion yourself, such as:
1const args = arg({ '--name': String }); 2 3if (!args['--name']) throw new Error('missing required argument: --name');
License
Released under the MIT License.
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE.md:0
- Info: FSF or OSI recognized license: MIT License: LICENSE.md:0
Reason
security policy file detected
Details
- Info: security policy file detected: github.com/vercel/.github/SECURITY.md:1
- Info: Found linked content: github.com/vercel/.github/SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/vercel/.github/SECURITY.md:1
- Info: Found text in security policy: github.com/vercel/.github/SECURITY.md:1
Reason
Found 13/29 approved changesets -- score normalized to 4
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/arg/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/arg/ci.yml/main?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:21
- Info: 0 out of 2 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 1 npmCommand dependencies pinned
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/ci.yml:1
- Info: no jobLevel write permissions found
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'main'
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 15 are checked with a SAST tool
Reason
11 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-4q6p-r6v2-jvc5
- Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
- Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
Score
3.5
/10
Last Scanned on 2025-06-23
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More