Gathering detailed insights and metrics for mustache
Gathering detailed insights and metrics for mustache
Gathering detailed insights and metrics for mustache
Gathering detailed insights and metrics for mustache
Minimal templating with {{mustaches}} in JavaScript
npm install mustache
Typescript
Module System
Node Version
NPM Version
99.8
Supply Chain
100
Quality
79.9
Maintenance
100
Vulnerability
100
License
JavaScript (88.04%)
Mustache (7.24%)
Ruby (3.18%)
HTML (1.16%)
TypeScript (0.39%)
Total Downloads
855,440,601
Last Day
631,798
Last Week
4,733,739
Last Month
21,431,086
Last Year
236,121,314
16,532 Stars
830 Commits
2,386 Forks
401 Watching
19 Branches
114 Contributors
Minified
Minified + Gzipped
Latest Version
4.2.0
Package Id
mustache@4.2.0
Size
33.77 kB
NPM Version
6.14.8
Node Version
12.19.0
Publised On
28 Mar 2021
Cumulative downloads
Total Downloads
Last day
-31.9%
631,798
Compared to previous day
Last week
-9.3%
4,733,739
Compared to previous week
Last month
-3.1%
21,431,086
Compared to previous month
Last year
33.8%
236,121,314
Compared to previous year
What could be more logical awesome than no logic at all?
mustache.js is a zero-dependency implementation of the mustache template system in JavaScript.
Mustache is a logic-less template syntax. It can be used for HTML, config files, source code - anything. It works by expanding tags in a template using values provided in a hash or object.
We call it "logic-less" because there are no if statements, else clauses, or for loops. Instead there are only tags. Some tags are replaced with a value, some nothing, and others a series of values.
For a language-agnostic overview of mustache's template syntax, see the mustache(5)
manpage.
You can use mustache.js to render mustache templates anywhere you can use JavaScript. This includes web browsers, server-side environments such as Node.js, and CouchDB views.
mustache.js ships with support for the CommonJS module API, the Asynchronous Module Definition API (AMD) and ECMAScript modules.
In addition to being a package to be used programmatically, you can use it as a command line tool.
And this will be your templates after you use Mustache:
You can get Mustache via npm.
1$ npm install mustache --save
Below is a quick example how to use mustache.js:
1var view = { 2 title: "Joe", 3 calc: function () { 4 return 2 + 4; 5 } 6}; 7 8var output = Mustache.render("{{title}} spends {{calc}}", view);
In this example, the Mustache.render
function takes two parameters: 1) the mustache template and 2) a view
object that contains the data and code needed to render the template.
A mustache template is a string that contains any number of mustache tags. Tags are indicated by the double mustaches that surround them. {{person}}
is a tag, as is {{#person}}
. In both examples we refer to person
as the tag's key. There are several types of tags available in mustache.js, described below.
There are several techniques that can be used to load templates and hand them to mustache.js, here are two of them:
If you need a template for a dynamic part in a static website, you can consider including the template in the static HTML file to avoid loading templates separately. Here's a small example:
1// file: render.js 2 3function renderHello() { 4 var template = document.getElementById('template').innerHTML; 5 var rendered = Mustache.render(template, { name: 'Luke' }); 6 document.getElementById('target').innerHTML = rendered; 7}
1<html> 2 <body onload="renderHello()"> 3 <div id="target">Loading...</div> 4 <script id="template" type="x-tmpl-mustache"> 5 Hello {{ name }}! 6 </script> 7 8 <script src="https://unpkg.com/mustache@latest"></script> 9 <script src="render.js"></script> 10 </body> 11</html>
If your templates reside in individual files, you can load them asynchronously and render them when they arrive. Another example using fetch:
1function renderHello() { 2 fetch('template.mustache') 3 .then((response) => response.text()) 4 .then((template) => { 5 var rendered = Mustache.render(template, { name: 'Luke' }); 6 document.getElementById('target').innerHTML = rendered; 7 }); 8}
The most basic tag type is a simple variable. A {{name}}
tag renders the value of the name
key in the current context. If there is no such key, nothing is rendered.
All variables are HTML-escaped by default. If you want to render unescaped HTML, use the triple mustache: {{{name}}}
. You can also use &
to unescape a variable.
If you'd like to change HTML-escaping behavior globally (for example, to template non-HTML formats), you can override Mustache's escape function. For example, to disable all escaping: Mustache.escape = function(text) {return text;};
.
If you want {{name}}
not to be interpreted as a mustache tag, but rather to appear exactly as {{name}}
in the output, you must change and then restore the default delimiter. See the Custom Delimiters section for more information.
View:
1{ 2 "name": "Chris", 3 "company": "<b>GitHub</b>" 4}
Template:
* {{name}}
* {{age}}
* {{company}}
* {{{company}}}
* {{&company}}
{{=<% %>=}}
* {{company}}
<%={{ }}=%>
Output:
1* Chris 2* 3* <b>GitHub</b> 4* <b>GitHub</b> 5* <b>GitHub</b> 6* {{company}}
JavaScript's dot notation may be used to access keys that are properties of objects in a view.
View:
1{ 2 "name": { 3 "first": "Michael", 4 "last": "Jackson" 5 }, 6 "age": "RIP" 7}
Template:
1* {{name.first}} {{name.last}} 2* {{age}}
Output:
1* Michael Jackson 2* RIP
Sections render blocks of text zero or more times, depending on the value of the key in the current context.
A section begins with a pound and ends with a slash. That is, {{#person}}
begins a person
section, while {{/person}}
ends it. The text between the two tags is referred to as that section's "block".
The behavior of the section is determined by the value of the key.
If the person
key does not exist, or exists and has a value of null
, undefined
, false
, 0
, or NaN
, or is an empty string or an empty list, the block will not be rendered.
View:
1{ 2 "person": false 3}
Template:
1Shown. 2{{#person}} 3Never shown! 4{{/person}}
Output:
1Shown.
If the person
key exists and is not null
, undefined
, or false
, and is not an empty list the block will be rendered one or more times.
When the value is a list, the block is rendered once for each item in the list. The context of the block is set to the current item in the list for each iteration. In this way we can loop over collections.
View:
1{ 2 "stooges": [ 3 { "name": "Moe" }, 4 { "name": "Larry" }, 5 { "name": "Curly" } 6 ] 7}
Template:
1{{#stooges}} 2<b>{{name}}</b> 3{{/stooges}}
Output:
1<b>Moe</b> 2<b>Larry</b> 3<b>Curly</b>
When looping over an array of strings, a .
can be used to refer to the current item in the list.
View:
1{ 2 "musketeers": ["Athos", "Aramis", "Porthos", "D'Artagnan"] 3}
Template:
1{{#musketeers}} 2* {{.}} 3{{/musketeers}}
Output:
1* Athos 2* Aramis 3* Porthos 4* D'Artagnan
If the value of a section variable is a function, it will be called in the context of the current item in the list on each iteration.
View:
1{ 2 "beatles": [ 3 { "firstName": "John", "lastName": "Lennon" }, 4 { "firstName": "Paul", "lastName": "McCartney" }, 5 { "firstName": "George", "lastName": "Harrison" }, 6 { "firstName": "Ringo", "lastName": "Starr" } 7 ], 8 "name": function () { 9 return this.firstName + " " + this.lastName; 10 } 11}
Template:
1{{#beatles}} 2* {{name}} 3{{/beatles}}
Output:
1* John Lennon 2* Paul McCartney 3* George Harrison 4* Ringo Starr
If the value of a section key is a function, it is called with the section's literal block of text, un-rendered, as its first argument. The second argument is a special rendering function that uses the current view as its view argument. It is called in the context of the current view object.
View:
1{ 2 "name": "Tater", 3 "bold": function () { 4 return function (text, render) { 5 return "<b>" + render(text) + "</b>"; 6 } 7 } 8}
Template:
1{{#bold}}Hi {{name}}.{{/bold}}
Output:
1<b>Hi Tater.</b>
An inverted section opens with {{^section}}
instead of {{#section}}
. The block of an inverted section is rendered only if the value of that section's tag is null
, undefined
, false
, falsy or an empty list.
View:
1{ 2 "repos": [] 3}
Template:
1{{#repos}}<b>{{name}}</b>{{/repos}} 2{{^repos}}No repos :({{/repos}}
Output:
1No repos :(
Comments begin with a bang and are ignored. The following template:
1<h1>Today{{! ignore me }}.</h1>
Will render as follows:
1<h1>Today.</h1>
Comments may contain newlines.
Partials begin with a greater than sign, like {{> box}}.
Partials are rendered at runtime (as opposed to compile time), so recursive partials are possible. Just avoid infinite loops.
They also inherit the calling context. Whereas in ERB you may have this:
1<%= partial :next_more, :start => start, :size => size %>
Mustache requires only this:
1{{> next_more}}
Why? Because the next_more.mustache
file will inherit the size
and start
variables from the calling context. In this way you may want to think of partials as includes, imports, template expansion, nested templates, or subtemplates, even though those aren't literally the case here.
For example, this template and partial:
base.mustache:
<h2>Names</h2>
{{#names}}
{{> user}}
{{/names}}
user.mustache:
<strong>{{name}}</strong>
Can be thought of as a single, expanded template:
1<h2>Names</h2> 2{{#names}} 3 <strong>{{name}}</strong> 4{{/names}}
In mustache.js an object of partials may be passed as the third argument to Mustache.render
. The object should be keyed by the name of the partial, and its value should be the partial text.
1Mustache.render(template, view, { 2 user: userTemplate 3});
Custom delimiters can be used in place of {{
and }}
by setting the new values in JavaScript or in templates.
The Mustache.tags
property holds an array consisting of the opening and closing tag values. Set custom values by passing a new array of tags to render()
, which gets honored over the default values, or by overriding the Mustache.tags
property itself:
1var customTags = [ '<%', '%>' ];
1Mustache.render(template, view, {}, customTags);
1Mustache.tags = customTags;
2// Subsequent parse() and render() calls will use customTags
Set Delimiter tags start with an equals sign and change the tag delimiters from {{
and }}
to custom strings.
Consider the following contrived example:
1* {{ default_tags }} 2{{=<% %>=}} 3* <% erb_style_tags %> 4<%={{ }}=%> 5* {{ default_tags_again }}
Here we have a list with three items. The first item uses the default tag style, the second uses ERB style as defined by the Set Delimiter tag, and the third returns to the default style after yet another Set Delimiter declaration.
According to ctemplates, this "is useful for languages like TeX, where double-braces may occur in the text and are awkward to use for markup."
Custom delimiters may not contain whitespace or the equals sign.
By default, when mustache.js first parses a template it keeps the full parsed token tree in a cache. The next time it sees that same template it skips the parsing step and renders the template much more quickly. If you'd like, you can do this ahead of time using mustache.parse
.
1Mustache.parse(template);
2
3// Then, sometime later.
4Mustache.render(template, view);
mustache.js is shipped with a Node.js based command line tool. It might be installed as a global tool on your computer to render a mustache template of some kind
1$ npm install -g mustache 2 3$ mustache dataView.json myTemplate.mustache > output.html
also supports stdin.
1$ cat dataView.json | mustache - myTemplate.mustache > output.html
or as a package.json devDependency
in a build process maybe?
1$ npm install mustache --save-dev
1{ 2 "scripts": { 3 "build": "mustache dataView.json myTemplate.mustache > public/output.html" 4 } 5}
1$ npm run build
The command line tool is basically a wrapper around Mustache.render
so you get all the features.
If your templates use partials you should pass paths to partials using -p
flag:
1$ mustache -p path/to/partial1.mustache -p path/to/partial2.mustache dataView.json myTemplate.mustache
mustache.js may be built specifically for several different client libraries, including the following:
These may be built using Rake and one of the following commands:
1$ rake jquery 2$ rake mootools 3$ rake dojo 4$ rake yui3 5$ rake qooxdoo
Since the source code of this package is written in JavaScript, we follow the TypeScript publishing docs preferred approach by having type definitions available via @types/mustache.
In order to run the tests you'll need to install Node.js.
You also need to install the sub module containing Mustache specifications in the project root.
1$ git submodule init 2$ git submodule update
Install dependencies.
1$ npm install
Then run the tests.
1$ npm test
The test suite consists of both unit and integration tests. If a template isn't rendering correctly for you, you can make a test for it by doing the following:
mytest.mustache
in the test/_files
directory. Replace mytest
with the name of your test.mytest.js
in the same directory.
This file should contain a JavaScript object literal enclosed in
parentheses. See any of the other view files for an example.mytest.txt
in the same
directory.Then, you can run the test with:
1$ TEST=mytest npm run test-render
Browser tests are not included in npm test
as they run for too long, although they are ran automatically on Travis when merged into master. Run browser tests locally in any browser:
1$ npm run test-browser-local
then point your browser to http://localhost:8080/__zuul
An updated list of mustache.js users is kept on the Github wiki. Add yourself or your company if you use mustache.js!
mustache.js is a mature project, but it continues to actively invite maintainers. You can help out a high-profile project that is used in a lot of places on the web. No big commitment required, if all you do is review a single Pull Request, you are a maintainer. And a hero.
mustache.js wouldn't kick ass if it weren't for these fine souls:
Stable Version
1
6.1/10
Summary
Cross-Site Scripting in mustache
Affected Versions
< 2.2.1
Patched Versions
2.2.1
1
0/10
Summary
Moderate severity vulnerability that affects mustache
Affected Versions
< 2.2.1
Patched Versions
2.2.1
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
Reason
Found 6/23 approved changesets -- score normalized to 2
Reason
detected GitHub workflow tokens with excessive permissions
Details
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
Reason
security policy file not detected
Details
Reason
project is not fuzzed
Details
Reason
branch protection not enabled on development/release branches
Details
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
Reason
107 existing vulnerabilities detected
Details
Score
Last Scanned on 2024-12-16
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More