Security News
Sarah Gooding
September 11, 2024
Cloudflare is expanding Node.js compatibility for Workers and its JAMstack Pages platform with a major update combining polyfills and native code. This opens access to more Node.js APIs and platform-specific features, making it possible for developers to use more npm packages.
Traditionally, running npm packages in environments like Cloudflare Workers has been challenging due to missing APIs and dependencies that are built with only Node.js in mind.
Using the v2 compatibility flag (nodejs_compat_v2) in their wrangler.toml files, developers writing Workers can now unlock some of the most commonly used libraries, enabling more complex applications and smoother integration with popular backend services:
Packages that could not be imported with nodejs_compat, even as a dependency of another package, will now load. This includes popular packages such as body-parser, jsonwebtoken, pg, got, passport, md5, mongodb, knex, mailparser, csv-stringify, cookie-signature, stream-slice, and many more.
Cloudflare plans to roll this out as the default behavior for all Workers that have the existing nodejs_compat compatibility flag enabled and a compatibility date of 2024-09-23 or later.
Although Workers have had polyfill support since 2021, Cloudflare acknowledged that many modules cannot be polyfilled with fast enough code, or cannot be polyfilled at all. This update expands native support for some Node.js APIs in the Workers runtime through what Cloudflare describes as a hybrid approach.
This approach lifts limitations that were previously roadblocks to using many npm packages. The announcement cites several examples of how developers can use module aliasing in cases where an npm package relies on a Node.js API that isn't yet implemented in the Workers runtime or available as a polyfill.
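To make the configuration concrete, here is an added example of a wrangler.toml that opts a Worker into the expanded compatibility layer and aliases one module. It is not from the Cloudflare announcement or the original article. The Worker name, entry point, aliased module specifier and local alias file are assumptions for illustration, and the [alias] table is used here as the wrangler mechanism for module aliasing described in the announcement.

```toml
# Added example, not from the announcement. Names and paths are illustrative.
name = "node-compat-demo"          # assumed Worker name
main = "src/index.js"              # assumed entry point

# The hybrid Node.js compatibility (polyfills plus native APIs) is the default
# for Workers with nodejs_compat enabled and a compatibility date of
# 2024-09-23 or later.
compatibility_date = "2024-09-23"
compatibility_flags = ["nodejs_compat"]

# Before it became the default, the same behaviour was opted into explicitly
# with the v2 flag (kept here as a comment for reference):
# compatibility_flags = ["nodejs_compat_v2"]

# Module aliasing: when a dependency imports a Node.js API that the runtime
# implements neither natively nor as a polyfill, redirect that import to a
# local module you supply. Both the specifier and the path are assumed.
[alias]
"node:fs" = "./src/fs-stub.js"
```

Two practical points follow from this layout. The compatibility_date is what pins the runtime behaviour a Worker receives, so moving it forward is a deliberate upgrade step rather than a cosmetic change. And an alias target is code you own and maintain: the package still calls the API it expected, so the stub must implement (or safely refuse) exactly the subset the package uses.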
Cloudflare’s popular serverless platform is used by more than one million developers for creating applications without having to manage the infrastructure behind it. Workers are an important part of Cloudflare’s ecosystem, which handles around 20% of all internet traffic across its global network.
This compatibility update strengthens integration with the Node.js ecosystem, allowing developers to work with a broader array of libraries in serverless environments. It streamlines development processes for those migrating from traditional Node.js environments and positions Cloudflare as a more versatile platform in competition with other serverless providers.
This could lead to greater adoption of serverless technologies for a broader range of applications, allowing developers to take advantage of the performance and scalability benefits of edge computing without having to manually modify or refactor npm libraries for compatibility.
It also opens the door for npm packages to be more widely utilized in a serverless context, broadening the ecosystem's reach. Cloudflare’s approach of combining polyfills and native code is a strategic move that could impact how developers think about serverless architecture, as they now have access to more tools while writing less platform-specific code.