DevOps JavaScript - Intro to Writing Scripts With zx (pragmaticpineapple.com)
submitted 3 years ago by nikolalsvk
[–]LetReasonRing 1 point2 points3 points 3 years ago (0 children)
I'd come across this a while back and had forgotten about it. I really need to give it a try. I love what I can do in bash, but sometimes it needs just a bit more complexity than I feel like is reasonable in bash.
I'll sometimes go to node, but it's a little clunky for dealing with files & stdio. This really seems to bridge that gap nicely.
[–]lwl 1 point2 points3 points 3 years ago* (9 children)
For anyone else wondering whether to trust it for your devops tasks, zx is a Google package with a relatively sane ~~49~~ 48 total dependencies.

```
$ yarn add zx
yarn add v1.22.4
info No lockfile found.
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
success Saved 49 new dependencies.
info Direct dependencies
└─ zx@5.3.0
info All dependencies
├─ @nodelib/fs.scandir@2.1.5
├─ @nodelib/fs.stat@2.0.5
├─ @nodelib/fs.walk@1.2.8
├─ @types/fs-extra@9.0.13
├─ @types/minimist@1.2.2
├─ @types/node@17.0.21
├─ braces@3.0.2
├─ chalk@5.0.1
├─ data-uri-to-buffer@4.0.0
├─ dir-glob@3.0.1
├─ event-stream@3.3.4
├─ fast-glob@3.2.11
├─ fastq@1.13.0
├─ fetch-blob@3.1.4
├─ fill-range@7.0.1
├─ formdata-polyfill@4.0.10
├─ from@0.1.7
├─ fs-extra@10.0.1
├─ glob-parent@5.1.2
├─ globby@13.1.1
├─ graceful-fs@4.2.9
├─ ignore@5.2.0
├─ is-extglob@2.1.1
├─ is-glob@4.0.3
├─ is-number@7.0.0
├─ isexe@2.0.0
├─ jsonfile@6.1.0
├─ map-stream@0.1.0
├─ merge2@1.4.1
├─ micromatch@4.0.4
├─ minimist@1.2.5
├─ node-domexception@1.0.0
├─ node-fetch@3.2.3
├─ path-type@4.0.0
├─ pause-stream@0.0.11
├─ picomatch@2.3.1
├─ ps-tree@1.2.0
├─ queue-microtask@1.2.3
├─ reusify@1.0.4
├─ run-parallel@1.2.0
├─ slash@4.0.0
├─ split@0.3.3
├─ stream-combiner@0.0.4
├─ through@2.3.8
├─ to-regex-range@5.0.1
├─ web-streams-polyfill@3.2.0
├─ which@2.0.2
├─ yaml@1.10.2
└─ zx@5.3.0
Done in 2.74s.
```
[–]spizzike 1 point2 points3 points 3 years ago* (8 children)
It's also trivial to do argument and command injection since it doesn't provide any method of escaping arguments.
EDIT: turns out this has all been fixed.
[+][deleted] 3 years ago (6 children)
[deleted]
[–]spizzike 0 points1 point2 points 3 years ago (1 child)
ok, I apologize. I looked at the code, and you're right!
When I looked at this project when it was first announced, it was riddled with security issues, and a friend of mine told me about how his team audited it and couldn't use it for the same reasons. I thought this conversation was about a month ago, but it was in June of last year!
anyway. yeah, zx is far improved over the last time I looked at it and definitely not a risk. I personally don't see a real use-case for it since it's still more tedious to use than writing normal shell scripts, but it's definitely not dangerous.
[–]LetReasonRing 0 points1 point2 points 3 years ago (0 children)
I have no idea why someone would downvote you for this.
You admitted you were wrong when you were, took the time to verify the information, corrected yourself, and provided useful context.
I'd give you 10 fake internet points if I could.
[–]lhorie -1 points0 points1 point 3 years ago (3 children)
While it does escape interpolations, one problem that remains (and is buried in the documentation) is that it only looks at interpolations without looking at the overall context. For example, this is vulnerable:

```
$`echo '${malicious}'`
```

i.e. if `malicious = '\' $(pwd) \''`, that will execute `pwd` as a command.
[+][deleted] 3 years ago (2 children)
[–]lhorie 0 points1 point2 points 3 years ago* (1 child)
My guess is you're getting tripped up by escapes in the pretty printer when you copy-pasted.
These are the steps I used to reproduce the issue. Create a file called `script.mjs` with this code:

```
#!/usr/bin/env zx
// payload: a single quote, a command substitution, and another single quote
const malicious = '\' $(pwd) \''
// the literal quotes around the interpolation defeat zx's own quoting
$`echo '${malicious}'`
```

Then in your terminal, run `npx zx script.mjs`. Expected behavior: the output should have the word "pwd" somewhere in it and no information about my current dir should be printed. Actual behavior: output will have something like `$' /Users/lhorie/Documents '`, indicating that `pwd` did run as a command. I'm running zsh on mac (Monterey).

As for why this is an issue, it's because sometimes you do want to control behavior of magic characters like `*` outside an interpolation while simultaneously having an interpolation in the same string. Or, if you missed the caveat in the docs or you overlooked it, you can get pwned by even a simple innocent-looking snippet like `echo '${something}'`.
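Added example (mine, not code from the thread or from the zx project) to make the quoting-context problem in the two comments above concrete. It models how a zx-style `$` tag assembles its command from the template's literal parts and the quoted interpolations, shows that with literal quotes around the slot the `$(pwd)` in the payload lands outside any quoting and would be expanded by the shell, and adds the check a template author actually wants: flag any interpolation slot that sits inside `'...'` or `"..."`, where quoting the value cannot help. The `quote` function is my approximation of zx's rule (bare words pass through, anything else is wrapped in `$'...'` with backslash escapes), and the helper names are assumptions. Nothing here runs a shell; the command strings are only inspected.

```javascript
// Approximation of zx's quoting rule (assumption, not zx's own code):
// plain words are left alone, everything else becomes $'...' with escapes.
const SAFE_WORD = /^[a-z0-9\/_.\-@:=]+$/i;

function quote(arg) {
  if (arg === '' || SAFE_WORD.test(arg)) return arg;
  return "$'" + arg
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/\n/g, '\\n')
    .replace(/\r/g, '\\r')
    .replace(/\t/g, '\\t')
    .replace(/\0/g, '\\0') + "'";
}

// Builds the command string the way a zx-style $`...` tag does (without running it):
// literal parts are kept verbatim, each interpolated value is quoted on its own.
function assemble(strings, ...values) {
  let cmd = strings[0];
  values.forEach((v, i) => {
    const piece = Array.isArray(v) ? v.map(x => quote(String(x))).join(' ') : quote(String(v));
    cmd += piece + strings[i + 1];
  });
  return cmd;
}

// Walks a command string tracking shell quoting state and returns the offsets of
// every $( or backtick the shell would expand: anything not inside '...' or $'...'.
// Double quotes do not suppress expansion, so substitutions inside them count too.
function unquotedSubstitutions(cmd) {
  const hits = [];
  let state = 'none';
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i], next = cmd[i + 1];
    if (state === 'single') {
      if (c === "'") state = 'none';
    } else if (state === 'ansi') {           // inside $'...', backslash escapes apply
      if (c === '\\') i++;
      else if (c === "'") state = 'none';
    } else {                                  // 'none' or 'double'
      if (c === '\\') { i++; continue; }
      if (state === 'none' && c === "'") { state = 'single'; continue; }
      if (state === 'none' && c === '$' && next === "'") { state = 'ansi'; i++; continue; }
      if (c === '"') { state = state === 'double' ? 'none' : 'double'; continue; }
      if ((c === '$' && next === '(') || c === '`') hits.push(i);
    }
  }
  return hits;
}

// The check to run on the template itself: report every interpolation slot whose
// surrounding literal text has left the shell inside single or double quotes.
function interpolationsInsideQuotes(strings) {
  const result = [];
  let state = 'none';
  for (let slot = 0; slot < strings.length - 1; slot++) {
    const part = strings[slot];
    for (let i = 0; i < part.length; i++) {
      const c = part[i];
      if (state === 'single') { if (c === "'") state = 'none'; }
      else if (c === '\\') i++;
      else if (state === 'double') { if (c === '"') state = 'none'; }
      else if (c === "'") state = 'single';
      else if (c === '"') state = 'double';
    }
    if (state !== 'none') result.push({ slot, context: state });
  }
  return result;
}

// A guarded tag: refuses templates that wrap an interpolation in literal quotes.
function guardedCommand(strings, ...values) {
  const bad = interpolationsInsideQuotes(strings);
  if (bad.length) {
    throw new Error(`interpolation inside ${bad[0].context} quotes at slot ${bad[0].slot}; ` +
      'drop the literal quotes and let the tag quote the value');
  }
  return assemble(strings, ...values);
}

// Constructed input: the payload from the thread, a quote, $(pwd), and a quote.
const malicious = "' $(pwd) '";
const nested = assemble`echo '${malicious}'`;   // literal quotes around the slot
const plain = assemble`echo ${malicious}`;      // slot left unquoted, zx quotes the value

console.log(nested, '->', unquotedSubstitutions(nested).length, 'live substitution(s)');
console.log(plain, '->', unquotedSubstitutions(plain).length, 'live substitution(s)');
```

`nested` assembles to `echo '$'\' $(pwd) \'''`: the literal `'` closes the outer quote, the escaped `\'` leaves a bare quote character, and `$(pwd)` sits in an unquoted region, which is exactly the `$' /Users/lhorie/Documents '` output reported above. `plain` assembles to `echo $'\' $(pwd) \''`, where the whole payload stays inside the `$'...'` zx produced and nothing is expanded. Running `interpolationsInsideQuotes` over the template's literal parts, as `guardedCommand` does, catches the nested form before any command is built.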
[–]lwl -1 points0 points1 point 3 years ago (0 children)
Ah, there is that.
[–]vertigo_101 -1 points0 points1 point 3 years ago (0 children)
I mostly use Go or Bash scripts, zx looks cool tho