Gathering detailed insights and metrics for shell-quote
Gathering detailed insights and metrics for shell-quote
Installations
npm install shell-quoteDeveloper Guide
BETA
Typescript
No
Module System
CommonJS
Min. Node Version
>= 0.4
Node Version
24.1.0
NPM Version
11.3.0
Releases
Unable to fetch releases
Languages
1
JavaScript
JavaScript (100%)
Developer
ljharb
Download Statistics
Total Downloads
4,206,737,404
Last Day
1,409,077
Last Week
25,979,546
Last Month
112,428,031
Last Year
1,140,578,067
GitHub Statistics
MIT License
40 Stars
206 Commits
12 Forks
4 Watchers
2 Branches
18 Contributors
Updated on Jul 05, 2025
Bundle Size
2.53 kB
Minified
1.25 kB
Minified + Gzipped
Sponsor this package
Maintainers
4
Package Meta Information
Latest Version
1.8.3
Package Id
shell-quote@1.8.3
Unpacked Size
23.19 kB
Size
8.14 kB
File Count
18
NPM Version
11.3.0
Node Version
24.1.0
Published on
Jun 02, 2025
Total Downloads
Cumulative downloads
Total Downloads
4,206,737,404
shell-quote 
Parse and quote shell commands.
example
quote
1var quote = require('shell-quote/quote'); 2var s = quote([ 'a', 'b c d', '$f', '"g"' ]); 3console.log(s);
output
a 'b c d' \$f '"g"'
parse
1var parse = require('shell-quote/parse'); 2var xs = parse('a "b c" \\$def \'it\\\'s great\''); 3console.dir(xs);
output
[ 'a', 'b c', '\\$def', 'it\'s great' ]
parse with an environment variable
1var parse = require('shell-quote/parse'); 2var xs = parse('beep --boop="$PWD"', { PWD: '/home/robot' }); 3console.dir(xs);
output
[ 'beep', '--boop=/home/robot' ]
parse with custom escape character
1var parse = require('shell-quote/parse'); 2var xs = parse('beep ^--boop="$PWD"', { PWD: '/home/robot' }, { escape: '^' }); 3console.dir(xs);
output
[ 'beep --boop=/home/robot' ]
parsing shell operators
1var parse = require('shell-quote/parse'); 2var xs = parse('beep || boop > /byte'); 3console.dir(xs);
output:
[ 'beep', { op: '||' }, 'boop', { op: '>' }, '/byte' ]
parsing shell comment
1var parse = require('shell-quote/parse'); 2var xs = parse('beep > boop # > kaboom'); 3console.dir(xs);
output:
[ 'beep', { op: '>' }, 'boop', { comment: '> kaboom' } ]
methods
1var quote = require('shell-quote/quote'); 2var parse = require('shell-quote/parse');
quote(args)
Return a quoted string for the array args suitable for using in shell
commands.
parse(cmd, env={})
Return an array of arguments from the quoted string cmd.
Interpolate embedded bash-style $VARNAME and ${VARNAME} variables with
the env object which like bash will replace undefined variables with "".
env is usually an object but it can also be a function to perform lookups.
When env(key) returns a string, its result will be output just like env[key]
would. When env(key) returns an object, it will be inserted into the result
array like the operator objects.
When a bash operator is encountered, the element in the array with be an object
with an "op" key set to the operator string. For example:
'beep || boop > /byte'
parses as:
[ 'beep', { op: '||' }, 'boop', { op: '>' }, '/byte' ]
install
With npm do:
npm install shell-quote
license
MIT
Critical
9.8/10
Summary
Improper Neutralization of Special Elements used in a Command in Shell-quote
Affected Versions
<= 1.7.2
Patched Versions
1.7.3
Critical
9.8/10
Summary
Potential Command Injection in shell-quote
Affected Versions
< 1.6.1
Patched Versions
1.6.1
Reason
no binaries found in the repo
Reason
no dangerous workflow patterns detected
Reason
security policy file detected
Details
- Info: security policy file detected: security.md:1
- Info: Found linked content: security.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: security.md:1
- Info: Found text in security policy: security.md:1
Reason
0 existing vulnerabilities detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
2 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 2
Reason
Found 4/30 approved changesets -- score normalized to 1
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/rebase.yml:11
- Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/rebase.yml:12
- Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/require-allow-edits.yml:11
- Info: topLevel 'contents' permission set to 'read': .github/workflows/node-aught.yml:6
- Info: topLevel 'contents' permission set to 'read': .github/workflows/node-pretest.yml:6
- Info: topLevel 'contents' permission set to 'read': .github/workflows/node-tens.yml:6
- Info: topLevel 'contents' permission set to 'read': .github/workflows/node-twenties.yml:6
- Warn: no topLevel permission defined: .github/workflows/nodejs.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/rebase.yml:6
- Info: topLevel 'contents' permission set to 'read': .github/workflows/require-allow-edits.yml:6
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nodejs.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/shell-quote/nodejs.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/nodejs.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/shell-quote/nodejs.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nodejs.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/shell-quote/nodejs.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/nodejs.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/shell-quote/nodejs.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nodejs.yml:91: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/shell-quote/nodejs.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/nodejs.yml:93: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/shell-quote/nodejs.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nodejs.yml:101: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/shell-quote/nodejs.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/nodejs.yml:112: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/shell-quote/nodejs.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/nodejs.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/shell-quote/nodejs.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rebase.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/shell-quote/rebase.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/rebase.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/shell-quote/rebase.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/require-allow-edits.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/ljharb/shell-quote/require-allow-edits.yml/main?enable=pin
- Info: 0 out of 5 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 7 third-party GitHubAction dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 4 are checked with a SAST tool
Score
4.8
/10
Last Scanned on 2025-06-30
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More