Gathering detailed insights and metrics for shell-quote
Gathering detailed insights and metrics for shell-quote
Installations
npm install shell-quoteReleases
Unable to fetch releases
Developer
ljharb
Developer Guide
BETA
Module System
CommonJS
Min. Node Version
>= 0.4
Typescript Support
No
Node Version
23.3.0
NPM Version
10.9.0
Statistics
28 Stars
204 Commits
10 Forks
4 Watching
2 Branches
17 Contributors
Updated on 27 Nov 2024
Bundle Size
2.53 kB
Minified
1.25 kB
Minified + Gzipped
Languages
JavaScript (100%)
Total Downloads
Cumulative downloads
Total Downloads
3,587,946,080
Last day
-7.6%
4,113,202
Compared to previous day
Last week
2.5%
24,030,487
Compared to previous week
Last month
11.1%
98,880,756
Compared to previous month
Last year
23.9%
983,406,155
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Versions
shell-quote 
Parse and quote shell commands.
example
quote
1var quote = require('shell-quote/quote'); 2var s = quote([ 'a', 'b c d', '$f', '"g"' ]); 3console.log(s);
output
a 'b c d' \$f '"g"'
parse
1var parse = require('shell-quote/parse'); 2var xs = parse('a "b c" \\$def \'it\\\'s great\''); 3console.dir(xs);
output
[ 'a', 'b c', '\\$def', 'it\'s great' ]
parse with an environment variable
1var parse = require('shell-quote/parse'); 2var xs = parse('beep --boop="$PWD"', { PWD: '/home/robot' }); 3console.dir(xs);
output
[ 'beep', '--boop=/home/robot' ]
parse with custom escape character
1var parse = require('shell-quote/parse'); 2var xs = parse('beep ^--boop="$PWD"', { PWD: '/home/robot' }, { escape: '^' }); 3console.dir(xs);
output
[ 'beep --boop=/home/robot' ]
parsing shell operators
1var parse = require('shell-quote/parse'); 2var xs = parse('beep || boop > /byte'); 3console.dir(xs);
output:
[ 'beep', { op: '||' }, 'boop', { op: '>' }, '/byte' ]
parsing shell comment
1var parse = require('shell-quote/parse'); 2var xs = parse('beep > boop # > kaboom'); 3console.dir(xs);
output:
[ 'beep', { op: '>' }, 'boop', { comment: '> kaboom' } ]
methods
1var quote = require('shell-quote/quote'); 2var parse = require('shell-quote/parse');
quote(args)
Return a quoted string for the array args suitable for using in shell
commands.
parse(cmd, env={})
Return an array of arguments from the quoted string cmd.
Interpolate embedded bash-style $VARNAME and ${VARNAME} variables with
the env object which like bash will replace undefined variables with "".
env is usually an object but it can also be a function to perform lookups.
When env(key) returns a string, its result will be output just like env[key]
would. When env(key) returns an object, it will be inserted into the result
array like the operator objects.
When a bash operator is encountered, the element in the array with be an object
with an "op" key set to the operator string. For example:
'beep || boop > /byte'
parses as:
[ 'beep', { op: '||' }, 'boop', { op: '>' }, '/byte' ]
install
With npm do:
npm install shell-quote
license
MIT
Stable Version
The latest stable version of the package.
Stable Version
1.8.2
CRITICAL
2
CRITICAL
9.8/10
Summary
Improper Neutralization of Special Elements used in a Command in Shell-quote
Affected Versions
<= 1.7.2
Patched Versions
1.7.3
CRITICAL
9.8/10
Summary
Potential Command Injection in shell-quote
Affected Versions
< 1.6.1
Patched Versions
1.6.1
Reason
security policy file detected
Details
- Info: security policy file detected: security.md:1
- Info: Found linked content: security.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: security.md:1
- Info: Found text in security policy: security.md:1
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
0 existing vulnerabilities detected
Reason
Found 3/30 approved changesets -- score normalized to 1
Reason
0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nodejs.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/shell-quote/nodejs.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/nodejs.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/shell-quote/nodejs.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nodejs.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/shell-quote/nodejs.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/nodejs.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/shell-quote/nodejs.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nodejs.yml:91: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/shell-quote/nodejs.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/nodejs.yml:93: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/shell-quote/nodejs.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nodejs.yml:101: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/shell-quote/nodejs.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/nodejs.yml:112: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/shell-quote/nodejs.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/nodejs.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/shell-quote/nodejs.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rebase.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/shell-quote/rebase.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/rebase.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/shell-quote/rebase.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/require-allow-edits.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/shell-quote/require-allow-edits.yml/main?enable=pin
- Info: 0 out of 5 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 7 third-party GitHubAction dependencies pinned
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/rebase.yml:11
- Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/rebase.yml:12
- Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/require-allow-edits.yml:11
- Info: topLevel 'contents' permission set to 'read': .github/workflows/node-aught.yml:6
- Info: topLevel 'contents' permission set to 'read': .github/workflows/node-pretest.yml:6
- Info: topLevel 'contents' permission set to 'read': .github/workflows/node-tens.yml:6
- Warn: no topLevel permission defined: .github/workflows/nodejs.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/rebase.yml:6
- Info: topLevel 'contents' permission set to 'read': .github/workflows/require-allow-edits.yml:6
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 3 are checked with a SAST tool
Score
4.6
/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More