yq is a portable command-line YAML, JSON, XML, CSV, TOML and properties processor
Go to file
Peter Matseykanets dd259b4957 Make deepMatch report in linear time
The current implementation of the deepMatch() has the exponential runtime.
Given the long enough input and the pattern with multiple wildcards
it takes a while if ever to complete which can potentially be used
maliciously to cause a denial of service (cpu and memory consumption).

E.g. running this in the root of this repository
time yq eval '.jobs.publishDocker.steps.[] | select (.run == "****outputs")' .github/workflows/release.yml
gives on my laptop
25.11s user 0.06s system 99% cpu 25.182 total

Whereas the updated implementation gives
0.01s user 0.01s system 36% cpu 0.049 total

There are numerous similar CVEs reported for glob evaluation in
different shells/ftp-servers/libraries.

The replacement implementation with the linear runtime is shamelessly taken
verbatim from the briliant article by Russ Cox https://research.swtch.com/glob
2021-10-14 18:45:25 +11:00
.github bad github action now fails properly 2021-07-24 15:07:05 +10:00
acceptance_tests Fixed merge comment issue #919 2021-08-26 16:31:26 +10:00
cmd Bump version 2021-10-11 14:50:17 +11:00
debian Skip the tests if the nocheck Debian build option is specified 2021-10-07 13:44:16 +11:00
examples Added with operator 2021-09-12 21:52:02 +10:00
github-action Bump version 2021-10-11 14:50:17 +11:00
pkg/yqlib Make deepMatch report in linear time 2021-10-14 18:45:25 +11:00
scripts Updating to go 1.17 to fix CVE #944 2021-10-02 15:12:57 +10:00
snap Bump version 2021-10-11 14:50:17 +11:00
test Revert usage of filepath.Clean (azure compatability issues) 2021-07-08 10:26:35 +10:00
.dockerignore Added gosec 2021-03-03 19:44:34 +11:00
.gitignore wip 2021-07-19 19:52:51 +10:00
action.yml outputs support in the action 2021-06-09 08:49:04 +10:00
CODE_OF_CONDUCT.md Create CODE_OF_CONDUCT.md 2020-02-21 21:13:14 +11:00
CONTRIBUTING.md Update CONTRIBUTING.md 2020-02-21 21:16:47 +11:00
Dockerfile Updating to go 1.17 to fix CVE #944 2021-10-02 15:12:57 +10:00
Dockerfile.dev Updating to go 1.17 to fix CVE #944 2021-10-02 15:12:57 +10:00
go.mod Updating to go 1.17 to fix CVE #944 2021-10-02 15:12:57 +10:00
go.sum Properties encoder wip 2021-07-25 11:43:51 +10:00
LICENSE Added License (MIT) 2017-02-10 16:00:25 +11:00
Makefile cannot run gosec on all docker platforms, removing for now 2021-03-19 13:21:07 +11:00
Makefile.variables Rename to yq 2017-12-18 15:29:41 +11:00
mkdocs.yml Removed user docs 2020-01-30 10:32:34 +11:00
README.md Update README with recently added / changed options 2021-10-14 18:40:58 +11:00
release_instructions.txt Bumping version 2021-09-05 11:11:51 +10:00
release_notes.txt Bump version 2021-10-11 14:50:17 +11:00
yq.go first cli 2020-10-27 16:45:16 +11:00

yq

Build Docker Pulls Github Releases (by Release) Go Report

a lightweight and portable command-line YAML processor. yq uses jq like syntax but works with yaml files as well as json. It doesn't yet support everything jq does - but it does support the most common operations and functions, and more is being added continuously.

yq is written in go - so you can download a dependency free binary for your platform and you are good to go! If you prefer there are a variety of package managers that can be used as well as docker, all listed below.

Quick Usage Guide

Read a value:

yq e '.a.b[0].c' file.yaml

Pipe from STDIN:

cat file.yaml | yq e '.a.b[0].c' -

Update a yaml file, inplace

yq e -i '.a.b[0].c = "cool"' file.yaml

Update using environment variables

NAME=mike yq e -i '.a.b[0].c = strenv(NAME)' file.yaml

Merge multiple files

yq ea '. as $item ireduce ({}; . * $item )' path/to/*.yml

Multiple updates to a yaml file

yq e -i '
  .a.b[0].c = "cool" |
  .x.y.z = "foobar" |
  .person.name = strenv(NAME)
' file.yaml

See the documentation for more.

Install

Download the latest binary

wget

Use wget to download the pre-compiled binaries:

Compressed via tar.gz

wget https://github.com/mikefarah/yq/releases/download/${VERSION}/${BINARY}.tar.gz -O - |\
  tar xz && mv ${BINARY} /usr/bin/yq

Plain binary

wget https://github.com/mikefarah/yq/releases/download/${VERSION}/${BINARY} -O /usr/bin/yq &&\
    chmod +x /usr/bin/yq

For instance, VERSION=v4.2.0 and BINARY=yq_linux_amd64

MacOS / Linux via Homebrew:

Using Homebrew

brew install yq

or, for the (deprecated) v3 version:

brew install yq@3

Note that for v3, as it is a versioned brew it will not add the yq command to your path automatically. Please follow the instructions given by brew upon installation.

Linux via snap:

snap install yq

or, for the (deprecated) v3 version:

snap install yq --channel=v3/stable

Snap notes

yq installs with strict confinement in snap, this means it doesn't have direct access to root files. To read root files you can:

sudo cat /etc/myfile | yq e '.a.path' - 

And to write to a root file you can either use sponge:

sudo cat /etc/myfile | yq e '.a.path = "value"' - | sudo sponge /etc/myfile

or write to a temporary file:

sudo cat /etc/myfile | yq e '.a.path = "value"' | sudo tee /etc/myfile.tmp
sudo mv /etc/myfile.tmp /etc/myfile
rm /etc/myfile.tmp

Run with Docker

Oneshot use:

docker run --rm -v "${PWD}":/workdir mikefarah/yq <command> [flags] [expression ]FILE...

Pipe in via STDIN:

You'll need to pass the -i\--interactive flag to docker:

cat myfile.yml | docker run -i --rm mikefarah/yq e . -

Run commands interactively:

docker run --rm -it -v "${PWD}":/workdir --entrypoint sh mikefarah/yq

It can be useful to have a bash function to avoid typing the whole docker command:

yq() {
  docker run --rm -i -v "${PWD}":/workdir mikefarah/yq "$@"
}

Running as root:

yq's docker image no longer runs under root (https://github.com/mikefarah/yq/pull/860). If you'd like to install more things in the docker image, or you're having permissions issues when attempting to read/write files you'll need to either:

docker run --user="root" -it --entrypoint sh mikefarah/yq

Or, in your docker file:

FROM mikefarah/yq

USER root
RUN apk add bash
USER yq

GitHub Action

  - name: Set foobar to cool
    uses: mikefarah/yq@master
    with:
      cmd: yq eval -i '.foo.bar = "cool"' 'config.yml'

See https://mikefarah.gitbook.io/yq/usage/github-action for more.

Go Get:

GO111MODULE=on go get github.com/mikefarah/yq/v4

Community Supported Installation methods

As these are supported by the community ❤️ - however, they may be out of date with the officially supported releases.

Webi

webi yq

See webi Supported by @adithyasunil26 (https://github.com/webinstall/webi-installers/tree/master/yq)

Windows:

Chocolatey Chocolatey

choco install yq

Supported by @chillum (https://chocolatey.org/packages/yq)

Mac:

Using MacPorts

sudo port selfupdate
sudo port install yq

Supported by @herbygillot (https://ports.macports.org/maintainer/github/herbygillot)

Alpine Linux

  • Enable edge/community repo by adding $MIRROR/alpine/edge/community to /etc/apk/repositories
  • Update database index with apk update
  • Install yq with apk add yq

Supported by Tuan Hoang https://pkgs.alpinelinux.org/package/edge/community/x86/yq

On Ubuntu 16.04 or higher from Debian package:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys CC86BB64
sudo add-apt-repository ppa:rmescandon/yq
sudo apt update
sudo apt install yq -y

Supported by @rmescandon (https://launchpad.net/~rmescandon/+archive/ubuntu/yq)

Features

Usage

Check out the documentation for more detailed and advanced usage.

Usage:
  yq [flags]
  yq [command]

Available Commands:
  eval             Apply the expression to each document in each yaml file in sequence
  eval-all         Loads _all_ yaml documents of _all_ yaml files and runs expression once
  help             Help about any command
  shell-completion Generate completion script

Flags:
  -C, --colors                force print with colors
  -e, --exit-status           set exit status if there are no matches or null or false is returned
  -f, --front-matter string   (extract|process) first input as yaml front-matter. Extract will pull out the yaml content, process will run the expression against the yaml content, leaving the remaining data intact
      --header-preprocess     Slurp any header comments and seperators before processing expression. This is a workaround for go-yaml to persist header content. This flag will be removed once this feature has been out in the wild for a while. (default true)
  -h, --help                  help for yq
  -I, --indent int            sets indent level for output (default 2)
  -i, --inplace               update the yaml file inplace of first yaml file given.
  -M, --no-colors             force print with no colors
  -N, --no-doc                Don't print document separators (---)
  -n, --null-input            Don't read input, simply evaluate the expression given. Useful for creating yaml docs from scratch.
  -o, --output-format string  [yaml|y|json|j|props|p] output format type. (default "yaml")
  -P, --prettyPrint           pretty print, shorthand for '... style = ""'
      --unwrapScalar          unwrap scalar, print the value with no quotes, colors or comments (default true)
  -v, --verbose               verbose mode
  -V, --version               Print version information and quit

Use "yq [command] --help" for more information about a command.

Known Issues / Missing Features

See tips and tricks for more common problems and solutions.