github.com/cfware/babel-plugin-template-html-minifier
Minify HTML in tagged template strings using html-minifier-terser.
npm install --save-dev babel-plugin-template-html-minifier
In .babelrc:
{
  "plugins": [
    ["template-html-minifier", {
      "modules": {
        "choo/html": [null],
        "hyperhtml": [{"name": "bind", "type": "factory"}],
        "hyperhtml-element": [{"name": null, "member": "html"}]
      },
      "htmlMinifier": {
        "collapseWhitespace": true
      }
    }]
  ]
}
Example for lit-html and lit-element:
{
  "plugins": [
    ["template-html-minifier", {
      "modules": {
        "lit-html": ["html"],
        "lit-element": [
          "html",
          {"name": "css", "encapsulation": "style"}
        ],
      },
      "strictCSS": true,
      "htmlMinifier": {
        "collapseWhitespace": true,
        "conservativeCollapse": true,
        "removeComments": true,
        "caseSensitive": true,
        "minifyCSS": true
      },
    }]
  ]
}
htmlMinifier
The value of this property is passed unmodified to html-minifier-terser. See the html-minifier-terser docs.
Note for usage with lit-html and lit-element:
To preserve the case sensitivity of property bindings, "caseSensitive": true must be added.
collapseBooleanAttributes should not be used when working with lit-html or other templating systems which give special meaning to non-static boolean attributes. Enabling collapseBooleanAttributes will cause this plugin to throw an exception:
html`<input readonly="${readonly}">`;
This exception is thrown for two reasons. First, because it means the chosen options have caused html-minifier-terser to change the meaning of the HTML template. Second, because it deletes the point where ${readonly} goes into the final output.
removeComments will cause the following template to throw an exception:
html`<!-- <input value="${value}"> -->`;
This exception is thrown because the ${value} binding inside the HTML comment gets deleted. Note that an HTML comment in a template does not prevent code within ${} from running. This means that in the following template getValue() is still executed when processing the html template:
html`<!-- <input value="${getValue()}"> -->`;
It is recommended to use binding-positions from eslint-plugin-lit to catch this error. This babel transformation can only determine that a template is broken; the eslint plugin will tell you which binding is invalid.
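An added example (not from the plugin's README or code base) showing both points in plain JavaScript: the expression in a commented-out binding still runs and its value still reaches the output, and a check over the template's static strings can name which binding sits inside a comment. The html tag here is a hypothetical stand-in for lit-html, and bindingsInsideComments is an illustrative helper, not the eslint-plugin-lit rule.

```javascript
// Hypothetical stand-in for a template tag: joins static strings and values.
function html(strings, ...values) {
  return strings.reduce(
    (out, s, i) => out + s + (i < values.length ? String(values[i]) : ''),
    ''
  );
}

// Returns the indexes of bindings that fall inside an HTML comment,
// judged only from the static parts of the template (illustrative helper).
function bindingsInsideComments(strings) {
  const hits = [];
  let inComment = false;
  // Binding i sits between strings[i] and strings[i + 1].
  for (let i = 0; i < strings.length - 1; i++) {
    let rest = strings[i];
    for (;;) {
      const marker = inComment ? '-->' : '<!--';
      const at = rest.indexOf(marker);
      if (at === -1) break;
      inComment = !inComment;
      rest = rest.slice(at + marker.length);
    }
    if (inComment) hits.push(i);
  }
  return hits;
}

// Tag that ignores the values and only inspects the static strings.
const inspect = (strings) => bindingsInsideComments(strings);

let calls = 0;
function getValue() {
  calls += 1;
  return 'constructed-value'; // constructed sample value
}

function demo() {
  calls = 0;
  // The binding is "commented out", yet getValue() runs and is rendered.
  const rendered = html`<!-- <input value="${getValue()}"> --><p>${'ok'}</p>`;
  const flagged = inspect`<!-- <input value="${0}"> --><p>${1}</p>`;
  return { calls, rendered, flagged };
}

console.log(demo());
```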
strictCSS
Whether CSS should only be minified when it is valid CSS. This is necessary when using css templates which allow multiple strings of invalid CSS to be combined into a valid stylesheet. This is the case, for example, with lit-element:
const unit = css`px`;
const widthXL = 400;
const styleSheet = css`
  @media (${widthXL}px) {
    .foo {
      font-size: 16${unit};
    }
  }
`;
Minification happens per template literal, so it is only able to see the unconcatenated css literals and minify those. It will try to do the right thing, but it cannot handle every scenario. If you are using lit-element and write these types of templates, you need to set strictCSS to true.
modules
A list of module names or import paths where tags are imported from. The values in the arrays refer to the export names, not the import names. null refers to the default export.
failOnError
Determines whether an error should be thrown when minification fails. Defaults to true.
Minification can fail when using invalid syntax or comments within bindings, and especially when using css with bindings. When failOnError is true, this plugin throws an error and your build stops. When it is false, the minification is canceled and the template is left unminified.
logOnError
Determines whether failure to minify a template should be logged in case of an error. Defaults to true. This setting only takes effect when failOnError is false.
import choo from 'choo/html';
import * as lit from 'lit-html';
import {html as litHtml, css} from 'lit-element';
import HyperHTMLElement from 'hyperhtml-element';
import html from 'some-module';
import {bind} from 'hyperhtml';

choo`
  <div class="hello">
    Hello World
  </div>
`;

lit.html`
  <div class="hello">
    Hello World
  </div>
`;

litHtml`
  <div class="hello">
    Hello World
  </div>
`;

css`
  .sel {
    background: red;
  }
`;

class MyHyperHTMLElement extends HyperHTMLElement {
  created() {
    this.render();
  }

  render() {
    this.html`
      <div>
        Hello World
      </div>
    `;
  }
}

bind(document.body)`
  <div>
    Hello World
  </div>
`;

html`
  This
  is
  not
  processed
`;
Using the .babelrc shown in usage produces the following output:
import choo from 'choo/html';
import * as lit from 'lit-html';
import {html as litHtml, css} from 'lit-element';
import HyperHTMLElement from 'hyperhtml-element';
import html from 'some-module';
import {bind} from 'hyperhtml';
choo`<div class="hello"> Hello World </div>`;
lit.html`<div class="hello"> Hello World </div>`;
litHtml`<div class="hello"> Hello World </div>`;
css`.sel{background:red}`;
class MyHyperHTMLElement extends HyperHTMLElement {
  created() {
    this.render();
  }

  render() {
    this.html`<div> Hello World </div>`;
  }
}

bind(document.body)`<div> Hello World </div>`;

html`
  This
  is
  not
  processed
`;
"choo/html": [null] specifies that the default export should be processed.
"lit-html": ["html"] and "lit-element": ["html"] specify that the html export of each module should be processed.
"lit-element": [{"name": "css", "encapsulation": "style"}] specifies that the css export should be processed. The encapsulation argument ensures that html-minifier-terser understands that the template contains CSS; without it the template would be processed as HTML.
this.html in MyHyperHTMLElement is processed because "hyperhtml-element": [{"name": null, "member": "html"}] specifies that the html member of classes which extend the default export should be processed.
"hyperhtml": [{"name": "bind", "type": "factory"}]: the type factory specifies that bind returns a function which processes the tagged templates.
All matching is done based on the exported name, not the local/imported name.
Tests are provided by xo and ava.
npm install
npm test
This module was originally created by goto-bus-stop.
babel-plugin-template-html-minifier for enterprise
Available as part of the Tidelift Subscription.
The maintainers of babel-plugin-template-html-minifier and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use. Learn more.