Security News
Sarah Gooding
August 22, 2024
The Deno team announced that it has stabilized the Deno Standard Library, a collection of standard modules that are guaranteed to work with Deno. In the four years since Deno 1.0 was released as a new runtime for JavaScript with native TypeScript support, the community has grown to more than 250,000 users who have created more than 2 million modules.
Although Deno’s Standard Library is hosted on the new JSR package registry, it can also be used in Node and installed via npm with JSR, and is also compatible with Cloudflare Workers and browsers with bundlers. The library does not require using Deno.
The Deno Standard Library comprises high-quality TypeScript packages that are audited by the Deno team and distributed as independently versioned ES Modules. This collection of essential tools and utilities covers a wide range of functionalities, including the following:
The goal is to help developers implement common tasks efficiently without needing to start from scratch every time. Check out the announcement thread on X for examples of all the packages in action.
The majority of the packages are compatible with Node.js, but there are a few that are specific to Deno. Compatibility is denoted in the icons on the package list.
There are 44 distinct packages published under the @std scope. These packages have been stabilized based on strict criteria that enable developers to use them without worrying about unresolved issues or compatibility concerns:
Historically, the abundant diversity of the JavaScript ecosystem has allowed many popular libraries for various utilities to flourish for both frontend and backend development. The community never really coalesced around a single standard library.
Deno’s approach here is a refreshing change for those who just want to use a well-maintained, standardized set of tools without having to vet an overwhelming number of small single-purpose packages.
So far the stabilization of the library has received a positive reception from the community. With the proliferation of trivial packages and the increasing complexity of dependency management, it’s easy to see the appeal of a curated and supported library of utilities from the Deno team.
Now that the packages are stabilized, they will be hosted on JSR with independent versions, so developers can update them as needed. This makes dependencies more manageable, as developers are only required to update the packages they are using, not the entire std module.
If you want a quick way to test it, you can check out the standard library in LiveCodes by using the jsr: prefix in imports. They published a quick demo for @std/async: https://livecodes.io/?x=id/xgc4bkhksar.
The Deno team is currently working on Deno 2, which will come with some minor breaking changes. The next release is expected to be easier to use, more performant, and more compatible with popular frameworks and packages. You can test it today using the Deno future flag:
$ DENO_FUTURE=1
Check out the video from the Deno team for a quick summary of why they created the Standard Library.