{"id":12969,"library":"coa","title":"COA Command-Line Option Parser","description":"COA (Command-Option-Argument) is a parser for command-line options in Node.js applications, currently stable at version 2.0.2. It distinguishes itself by aiming to maximize utility from formalizing a program's API, automatically generating comprehensive command-line help text, enabling its use as modules, and providing shell completion out of the box. Key features include support for rich option and argument types such as arrays, boolean flags, and required values. It also facilitates asynchronous command actions using promises (historically powered by the `Q` library) and allows for easy submoduling of commands. The package supports combined validation and complex parsing of values. While robust in its design, the project has seen very infrequent updates, with the last legitimate release being in December 2018. Its development has been largely inactive for several years, leading to a critical security incident in 2021.","status":"maintenance","version":"2.0.2","language":"javascript","source_language":"en","source_url":"git://github.com/veged/coa","tags":["javascript","typescript"],"install":[{"cmd":"npm install coa","lang":"bash","label":"npm"},{"cmd":"yarn add coa","lang":"bash","label":"yarn"},{"cmd":"pnpm add coa","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"The primary entry point is the `Cmd` factory function. `require('coa').Cmd` is also valid for CommonJS.","wrong":"const Cmd = require('coa').Cmd;","symbol":"Cmd","correct":"import { Cmd } from 'coa';"},{"note":"Type import for `CoaInstance` for use with TypeScript.","symbol":"CoaInstance","correct":"import type { CoaInstance } from 'coa';"},{"note":"For CommonJS, the entire module can be required, and `coa.Cmd()` is then used. It does not provide a default export for ESM.","wrong":"import coa from 'coa';","symbol":"coa","correct":"const coa = require('coa');"}],"quickstart":{"code":"import { Cmd } from 'coa';\n\ninterface MyOptions {\n  version?: boolean;\n  input?: string;\n  verbose?: boolean;\n}\n\nasync function main() {\n  const coa = Cmd<MyOptions>()\n    .name(process.argv[1])\n    .title('My Awesome CLI Tool')\n    .helpful()\n    .opt()\n      .name('version')\n      .title('Show version')\n      .short('v')\n      .long('version')\n      .flag()\n      .act((opts) => {\n        if (opts.version) {\n          console.log('1.0.0');\n          process.exit(0);\n        }\n      })\n    .end()\n    .opt()\n      .name('input')\n      .title('Input file path')\n      .short('i')\n      .long('input')\n      .req()\n      .val((v) => {\n        if (!v || typeof v !== 'string') {\n          throw new Error('Input file path is required.');\n        }\n        return v;\n      })\n    .end()\n    .opt()\n      .name('verbose')\n      .title('Enable verbose logging')\n      .long('verbose')\n      .flag()\n    .end()\n    .act(async (opts, args) => {\n      console.log('Options:', opts);\n      console.log('Arguments:', args);\n      if (opts.verbose) {\n        console.log('Verbose mode enabled.');\n      }\n      console.log(`Processing input file: ${opts.input}`);\n      // Simulate some async work\n      await new Promise(resolve => setTimeout(resolve, 500));\n      console.log('Done!');\n    });\n\n  try {\n    await coa.run(process.argv.slice(2));\n  } catch (err: any) {\n    console.error('Error:', err.message);\n    process.exit(1);\n  }\n}\n\nmain();\n","lang":"typescript","description":"This quickstart demonstrates defining a CLI with options, validations, and an action, and then running it."},"warnings":[{"fix":"Immediately downgrade `coa` to version 2.0.2. Any system that installed or ran affected versions should be considered fully compromised. Audit systems for suspicious activity, remove `compile.js`, `compile.bat`, or `sdd.dll` files, and rotate all secrets and keys from an uncompromised machine.","message":"Supply chain attack: In November 2021, versions 2.0.3 and higher of `coa` were compromised due to a maintainer account takeover. These malicious versions contained credential-stealing malware that could fully compromise systems upon installation.","severity":"breaking","affected_versions":">=2.0.3"},{"fix":"For new projects, consider more actively maintained command-line parsing libraries. For existing projects, be aware of the lack of ongoing support and evaluate security implications carefully.","message":"`coa` is largely unmaintained. The last legitimate release (v2.0.2) was in December 2018. While functional, new features, modern ESM support, or active bug fixes should not be expected.","severity":"gotcha","affected_versions":"*"}],"env_vars":null,"last_verified":"2026-04-19T00:00:00.000Z","next_check":"2026-07-18T00:00:00.000Z","problems":[{"fix":"Ensure all command-line options your application expects are properly defined in your `coa` command structure. COA validates options against its defined schema.","cause":"Attempting to use a command-line option that has not been explicitly defined using `.opt().name('optionName')` in the COA configuration.","error":"Error: Unknown option '--some-undefined-option'"},{"fix":"Provide the required option value when running the command. For example, if '-i' is required, run `your-cli -i path/to/file.txt`.","cause":"An option was marked as `.req()` (required), but its value was not provided on the command line.","error":"Error: Input file path is required."}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null,"pypi_latest":null,"cli_name":""}