Security News
Sarah Gooding
October 10, 2024
Deno, the modern JavaScript and TypeScript runtime created by Ryan Dahl and the Deno team, has officially launched version 2.0, four years after the initial 1.0 version. This latest release brings major improvements to package management and performance, positioning Deno as a more robust and efficient alternative to traditional runtimes like Node.js.
Deno 2 is described as stable and production ready. The release makes Deno suitable for more use cases because it is now backwards compatible with Node.js and npm: existing Node applications run within Deno, and over 2 million npm modules become available through the ability to import npm packages with the npm: specifier. With native support for package.json and node_modules, migrating existing Node projects that use ESM is now straightforward.
The compatibility extends to complex packages and even supports Node-API native addons. Deno users can also expect compatibility with popular JavaScript frameworks such as Next.js, Astro, Remix, Angular, SvelteKit, and QwikCity, further bridging the gap between Deno and the broader JavaScript ecosystem.
Deno 2.0 introduces robust package management features, addressing one of the most requested capabilities from the developer community; three new subcommands have been added to simplify dependency management.
Deno 2.0 also brings significant performance enhancements, particularly in package installation: the deno install command is reported to be 15% faster than npm with a cold cache and 90% faster with a hot cache. The Deno team promises further optimizations in the coming weeks, especially for cold-cache scenarios.
Although Node.js and npm compatibility is one of the major features in Deno 2.0, compatibility was never the end goal.
“While Deno can run Node programs, it’s designed to push JavaScript and TypeScript forward,” Dahl and the team said in the announcement. “Deno offers features that Node lacks, such as native TypeScript support, web-standard APIs, a complete toolchain for JavaScript development, and a secure-by-default execution model—all in a single executable with no external dependencies. Using Deno over Node can save you time on setup and configuration, letting you start coding and delivering value faster.”
Other notable features in this release include a long-term support (LTS) channel: a stable LTS branch, with a new one created every six months, lets enterprises adopt Deno without concerns about volatility.
Support for what the announcement calls “legacy JavaScript infrastructure” means that Deno users are not limited to the Deno ecosystem and can still take advantage of everything npm has to offer. The announcement emphasizes Deno's commitment to interoperability: as the runtime has scaled beyond small programs, the team recognized that Node and npm compatibility is essential.
“Deno’s goal is not to become a Node clone in Rust or a drop-in replacement,” Dahl said. “Our aim is to level up JavaScript, moving beyond 2010-era CommonJS and narrowing the gap between server-side and browser environments in a way that developers can adopt practically. We refuse to accept that JavaScript must remain a tangle of mismatched tooling and endless layers of transpilation, unable to evolve.”