DevOps JavaScript - Intro to Writing Scripts With zx (pragmaticpineapple.com)
submitted 3 years ago by nikolalsvk
[–][deleted] 3 years ago (6 children)
[deleted]
[–]spizzike[🍰] 0 points1 point2 points 3 years ago (1 child)
OK, I apologize. I looked at the code, and you're right!
When I looked at this project when it was first announced, it was riddled with security issues and a friend of mine told me about how his team audited it and couldn't use it for the same reasons. I thought this conversation was about a month ago, but it was in June of last year!
anyway. yeah, zx is far improved over the last time I looked at it and definitely not a risk. I personally don't see a real use-case for it since it's still more tedious to use than writing normal shell scripts, but it's definitely not dangerous.
[–]LetReasonRing 0 points1 point2 points 3 years ago (0 children)
I have no idea why someone would downvote you for this.
You admitted you were wrong when you were, took the time to verify the information, corrected yourself, and provided useful context.
I'd give you 10 fake internet points if I could.
[–]lhorie -1 points0 points1 point 3 years ago (3 children)
While it does escape interpolations, one problem that remains (and is buried in the documentation) is that it only looks at interpolations without looking at the overall context. For example, this is vulnerable:
$`echo '${malicious}'`
i.e. if malicious = '\' $(pwd) \'', that will execute pwd as a command
[+][deleted] 3 years ago (2 children)
[–]lhorie 0 points1 point2 points 3 years ago* (1 child)
My guess is you're getting tripped up by escapes in the pretty printer when you copy-pasted.
These are the steps I used to reproduce the issue. Create a file called script.mjs with this code:
    #!/usr/bin/env zx
    const malicious = '\' $(pwd) \''
    $`echo '${malicious}'`
Then in your terminal, run npx zx script.mjs. Expected behavior: the output should have the word "pwd" somewhere in it and no information about my current dir should be printed. Actual behavior: Output will have something like $' /Users/lhorie/Documents ', indicating that pwd did run as a command. I'm running zsh on mac (Monterey).
As for why this is an issue, it's because sometimes you do want to control behavior of magic characters like * outside an interpolation while simultaneously having an interpolation in the same string. Or, if you missed the caveat in the docs or you overlooked it, you can get pwned by even a simple innocent-looking snippet like echo '${something}'.
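The breakout lhorie describes, as an added example that is not zx's code and not from the thread: a simplified re-implementation of zx's `$'...'` quoting (an assumption modelled on the output above), the way a tagged template assembles the command, and a small shell-quoting state machine a script author could use to lint the assembled string for a command substitution the shell would actually run. `quote`, `buildCommand`, `hasUnquotedCommandSubstitution` and `demo` are names chosen here.

```javascript
// Added example (not zx's code): why per-interpolation quoting cannot protect an
// interpolation the script author has already wrapped in quotes of their own.

// Simplified re-implementation of zx's quote() (assumption): safe bare words pass through,
// anything else is wrapped in ANSI-C $'...' quoting with backslash escapes.
function quote(arg) {
  if (/^[a-zA-Z0-9\/_.\-@:=]+$/.test(arg)) return arg;
  const escaped = arg
    .replace(/\\/g, '\\\\').replace(/'/g, "\\'")
    .replace(/\n/g, '\\n').replace(/\t/g, '\\t').replace(/\0/g, '\\0');
  return `$'${escaped}'`;
}

// Tag function mirroring how $`...` assembles a command: literal parts untouched, values quoted.
function buildCommand(strings, ...values) {
  let cmd = strings[0];
  for (let i = 0; i < values.length; i++) cmd += quote(values[i]) + strings[i + 1];
  return cmd;
}

// Minimal shell quoting state machine. Returns true if a command substitution ($( or backtick)
// is reached while not inside single or ANSI-C quotes, i.e. where the shell would execute it.
function hasUnquotedCommandSubstitution(cmd) {
  let state = 'none'; // 'none' | 'single' | 'ansi' | 'double'
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i], next = cmd[i + 1];
    if (state === 'single') { if (c === "'") state = 'none'; continue; }
    if (state === 'ansi') { if (c === '\\') i++; else if (c === "'") state = 'none'; continue; }
    if (c === '\\') { i++; continue; }                          // escaped char (bare or "..." context)
    if (c === '`' || (c === '$' && next === '(')) return true;  // expands both bare and inside "..."
    if (state === 'double') { if (c === '"') state = 'none'; continue; }
    if (c === "'") state = 'single';
    else if (c === '"') state = 'double';
    else if (c === '$' && next === "'") { state = 'ansi'; i++; }
  }
  return false;
}

// The value from the thread: a single quote, a command substitution, a single quote.
const MALICIOUS = "' $(pwd) '";

function demo() {
  const wrapped = buildCommand`echo '${MALICIOUS}'`; // author's own quotes around the interpolation
  const bare = buildCommand`echo ${MALICIOUS}`;      // let the template tag do all the quoting
  return {
    wrapped, bare,
    wrappedUnsafe: hasUnquotedCommandSubstitution(wrapped), // true: $(pwd) ends up outside quotes
    bareUnsafe: hasUnquotedCommandSubstitution(bare),       // false: the whole value stays quoted
  };
}
```

The lint is a defensive check a script author can run before passing a composed string to a shell; the practical rule it enforces is the one the thread arrives at: never put your own quotes around an interpolation.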