Security News
Sarah Gooding
July 26, 2024
In a PR merged earlier today, Node.js added experimental support for TypeScript. The initial implementation executes TypeScript files when the experimental flag --experimental-strip-types is set.
“Node.js will transpile TypeScript source code into JavaScript source code,” Node.js TSC delegate Marco Ippolito said in the PR to add experimental support. “During the transpilation process, no type checking is performed, and types are discarded.
“I believe enabling users to execute TypeScript files is crucial to move the ecosystem forward, it has been requested on all the surveys, and it simply cannot be ignored. We must acknowledge users want to run node foo.ts without installing external dependencies or loaders.”
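Because no type checking is performed and types are discarded, an annotation validates nothing at runtime, so untrusted input still needs an explicit check. The TypeScript below is an added example, not code from the Node.js PR; the Session type, the function names and the sample input are hypothetical and constructed for illustration.

```typescript
// Added example (not from the Node.js PR). All names are hypothetical.
type Role = "viewer" | "admin";

interface Session {
  user: string;
  role: Role;
}

// Constructed sample input standing in for an untrusted request body.
// "role" holds a value that the Role type does not allow.
const untrustedBody = '{"user":"mallory","role":"superuser"}';

// Trusts the annotation. The cast is erased when types are stripped, so
// nothing at runtime checks that the parsed object matches Session.
function parseUnchecked(body: string): Session {
  return JSON.parse(body) as Session;
}

// Runtime guard: the only check that survives type stripping.
function isSession(value: unknown): value is Session {
  if (typeof value !== "object" || value === null) return false;
  const v = value as Record<string, unknown>;
  return typeof v.user === "string" && (v.role === "viewer" || v.role === "admin");
}

// Returns null for malformed JSON or for objects that fail the guard.
function parseChecked(body: string): Session | null {
  let parsed: unknown;
  try {
    parsed = JSON.parse(body);
  } catch {
    return null;
  }
  return isSession(parsed) ? parsed : null;
}

// Authorization decision that assumes Role is exhaustive, so it fails
// open for any role string other than "viewer".
function canDelete(session: Session): boolean {
  return session.role !== "viewer";
}
```

The block uses only annotations, an interface and casts, all of which are discarded without changing the remaining JavaScript.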
If you’re running the bleeding edge nightly version of Node, you can check it out right now, or try it out on CodeSandbox. Wes Bos shared a quick video demo of running TypeScript with the new flag:
Ippolito also published a roadmap for experimental TypeScript support, which outlines the current limitations:
He also explained why he chose @swc/wasm-typescript for the implementation:
Because of simplicity.
I have considered other tools but they require either Rust or Go to be added to the toolchain.
@swc/wasm-typescript is a small package with a wasm and a js file to bind it.
Swc is currently used by Deno for the same purpose, it's battle tested.
In the future I see this being implemented in native layer.
The roadmap calls for several evolutions of the project on its way to expanded support. The second step calls for decoupling the TypeScript transpiler so that it can be upgraded separately, the same way npm is. After that, contributors aim to enable support for TypeScript features that require transformation and then consider the question of whether Node.js should run TypeScript files inside node_modules.
Ippolito outlined step 3 as focusing on optimizing the interaction between Node and SWC to make it performant, without impacting the Node build process.
“This is the phase where we measure the performance and make it usable in production without performance penalties,” he said.
Step 4 calls for adding more features that are not used in core but would reduce pain for users.
The PR merged today is a very early implementation of the feature, but the community response is overwhelmingly positive and clearly demonstrates the demand.
Many have also commented on the importance of competition from Bun and Deno in moving TypeScript support forward in Node. It demonstrates a growing recognition of TypeScript's importance in modern development. Even in its infancy, this promise of support for TypeScript shows that Node.js contributors are committed to staying relevant and responsive to the evolving needs of the developer community.