npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2025 – Pkg Stats / Ryan Hefner

linvail

v7.7.8

Published

Provenancial Equality for JavaScript

Downloads

1,464

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

lachristlachrist

Keywords

Data ProvenanceInstrumentationTaint AnalysisDynamic Program AnalsysisMembraneControl Access SystemProxyAran

Readme

Linvail

Linvail is a npm module which provides provenancial equality to JavaScript.

As many other languages, JavaScript supports two kinds of equality: structural equality which compares values based on their content and referential equality which compare value based on their memory location. Provenancial equality goes a step further and compares values based on their provenance. Provenancial equality can be seen as a stricter version of referential equality which is itself a stricter version of structural equality. In other words, the following implication holds:

(x eq_prov y) => (x eq_ref y) => (x eq_struct y)

demo

Provenancial equality forms the foundation for advanced dynamic program analyses, such as taint analysis and concolic testing.

Basic Usage in Node

// main.mjs
import { is } from "linvail/library";
const foo1 = 123;
const foo2 = 123;
const bar = 456;
const array = [bar, foo1];
array.sort();
console.log(array[0]); // 123
console.log(array[1]); // 456
console.log(is(array[0], foo1)); // true
console.log(is(array[0], foo2)); // false
> npm install linvail
> npx linvail main.mjs
123
456
true
false

Convenience CLI

Configuration options can be passed to the CLI using environment variables:

  • LINVAIL_INCLUDE: A comma-separated list of globs to designate the files where data povenance should be tracked. Default: "**/*".
  • LINVAIL_EXCLUDE: A comma-separated list of globs to designate the files where data provenance should not be tracked; takes precedence over LINVAIL_INCLUDE. Default: "node_modules/**/*".
  • LINVAIL_GLOBAL_OBJECT: Defines whether data provenance should be tracked across the global object and the global declarative record. Default: "external".
    • "external": Leave the global object and the global declarative record intact.
    • "internal": Replace the global object and the global declarative record with new objects that can track data provenance.
  • LINVAIL_GLOBAL_DYNAMIC_CODE: Defines whether data provenance should be tracked across global dynamic code. Note that data provenance is always tracked across local dynamic code (i.e.: strings passed to direct eval calls). Default: "internal".
  • LINVAIL_COUNT: Defines whether tracked primitive values should embed a hidden __index property which can only be observed when passing values to Linvail.dir. Default: false.

Convenience API

types

  • is(value1, value2): Provenancial equality.
  • dir(value): Bypass the access control system and log the value to the console.
  • Set, Map, WeakSet, and WeakMap: Similar to their standard counter part but keys are compared using provenancial equality.
    import { Set } from "linvail/library";
const foo = 123;
const set = new Set([foo]);
console.log(set.has(foo)); // true
console.log(set.has(123)); // false

Core Usage

For more advanced use cases, the core API must be used. Reasons to use the core interface over the convenience interface include:

  • Dynamic program analysis based on provenancial equality; the target program does not import the linvail library.
  • Using a runtime other than Node.
  • Overcoming limitations of the convenience interface.

demo repo

// main.mjs
import { generate } from "astring";
import { parse } from "acorn";
import { setupile, transpile, retropile } from "aran";
import { createRuntime, weave } from "linvail";

const {
  eval: evalGlobal,
  console: { log, dir },
  Reflect: { defineProperty },
} = globalThis;

const advice_global_variable = "__LINVAIL_ADVICE__";

const intrinsics = evalGlobal(generate(setupile()));

const { advice, library } = createRuntime(intrinsics, { dir });

defineProperty(globalThis, advice_global_variable, {
  __proto__: null,
  value: advice,
  writable: false,
  enumerable: false,
  configurable: false,
});

const code = `(({ is }) => {
  const foo1 = 123;
  const foo2 = 123;
  return is(foo1, foo1) && !is(foo1, foo2);
});`;

const main = evalGlobal(
  generate(
    retropile(
      weave(
        transpile({
          path: "dynamic://eval/global",
          kind: "eval",
          situ: { type: "global" },
          root: parse(code, { ecmaVersion: "latest" }),
        }),
        { advice_global_variable },
      ),
    ),
  ),
);

log(main(library)); // true
> npm instal acorn astring aran linvail
> node main.mjs
true

Core API

domain

  • linvail/runtime
    • setupRuntime(intrinsics, options): Setup Linvail's runtime.
      • intrinsics: An object containing intrinsic values provided by evaluating code generated by aran.setupile.
      • options: A configuration object.
        • dir: A function used to log values to the console.
      • Returns an advice object which should be made available as a global variable.
    • createRuntime(intrinsics, options) Same as setupRuntime but returns an object containing both the advice and the library which should exposed to the instrumented code.
    • toStandardAdvice(advice): Convert a custom Linvail advice into a standard Aran, allowing aran.weaveStandard to replace linvail.weave.
    • standard_pointcut: Standard Aran pointcut that should be provided to aran.weaveStandard.
  • linvail/instrument
    • weave(node, options): Instrument AranLang programs, the output expects a global variable holding a Linvail advice object.
      • node: An AranLang program node.
      • options: A configuration object.
        • advice_global_variable: The name of the global variable containing the Linvail advice object.