github.com/evorts/rod
Rod is a high-level driver directly based on DevTools Protocol. It's designed for web automation and scraping.
Please check the examples_test.go file first, then check the examples folder.
For more detailed examples, please search the unit tests.
For instance, to see how the method HandleAuth is used, search all the *_test.go files that contain HandleAuth or HandleAuthE, for example with GitHub's online search in the repository.
You can also search the GitHub issues, they contain a lot of usage examples too.
Here is a comparison of the examples between rod and chromedp.
If you have questions, please raise an issue or join the chat room.
Here's the common start process of rod:
Try to connect to a DevTools endpoint (WebSocket). If none is found, try to launch a local browser; if there is still none, try to download one, then connect again. The lib that handles this is launcher.
Use JSON-RPC to talk to the DevTools endpoint to control the browser. The lib that handles this is cdp.
Use the type definitions of the JSON-RPC to perform high-level actions. The lib that handles this is proto.
Object model:
To let rod work with docker is very easy:
Run the rod image: docker run -p 9222:9222 rodorg/rod
Open another terminal and run a Go program like this example.
The rod image can dynamically launch a browser for each remote driver with customizable browser flags. It's tuned for screenshots and fonts among popular natural languages. You can easily load balance requests to the cluster of this image, each container can create multiple browser instances at the same time.
It's an issue of the browser itself. If we enable the --no-first-run flag and we don't create a blank page, it will create a hello page which will consume more power.
Rod should work with any browser that supports DevTools Protocol.
Rod is related to puppetry, see rod Puppet.
So we are the puppeteer, the browser is the puppet, we use the rod to control the puppet.
So in this sense, puppeteer.js sounds strange, we are controlling a puppeteer?
Please check this doc.
Semver is used.
Before v1.0.0, whenever the second section changes, such as v0.1.0 to v0.2.0, there must be some public API changes, such as changes of function names or parameter types. If only the last section changes, no public API will be changed.
You can use GitHub's release comparison to see the automated changelog, for example, compare v0.75.2 with v0.76.0.
There are a lot of great projects, but none is perfect. Choosing the one that best fits your needs is important.
Theoretically, rod should perform faster and consume less memory than chromedp.
Chromedp uses a fixed-size buffer for events, which can cause deadlock under high concurrency. Because chromedp uses a single event loop, slow event handlers will block each other. Rod doesn't have these issues because it's based on goob.
Chromedp will JSON decode every message from the browser, rod is decode-on-demand, so rod performs better, especially for heavy network events.
Chromedp uses a third-party WebSocket lib which has 1MB overhead for each cdp client. If you want to control thousands of remote browsers, it can become a problem. Because of this limitation, if you evaluate a js script larger than 1MB, chromedp will crash.
When a crash happens, chromedp will leave the zombie browser process on Windows and Mac.
Rod is more configurable; for example, you can even replace the WebSocket lib with the lib you like.
For direct code comparison you can check here. If you compare the example called logic between rod and chromedp, you will find out how much simpler rod is.
With chromedp, you have to use their verbose DSL-like tasks to handle the main logic, because chromedp uses several wrappers to handle execution with context and options, which makes it very hard to understand their code when bugs happen. The heavily used interfaces make the static types useless when tracking issues. In contrast, rod uses as few interfaces as possible.
Rod has fewer dependencies, a simpler code structure, and better test coverage (100%), so you should find it easier to contribute code to rod. Therefore, compared with chromedp, rod has the potential to have more nice functions from the community in the future.
Another problem of chromedp is that its architecture is based on DOM node id, while puppeteer and rod are based on remote object id. As a consequence, it prevents chromedp's maintainers from adding high-level functions that are coupled with the runtime. For example, this ticket had been open for 3 years. Even after it was closed, you still can't evaluate a js expression on an element inside an iframe.
Puppeteer will JSON decode every message from the browser, rod is decode-on-demand, so rod performs better, especially for heavy network events.
With puppeteer, you have to handle promise/async/await a lot. End-to-end tests require a lot of sync operations to simulate human inputs. Because Puppeteer is based on Nodejs, all IO operations are async calls, so people usually end up typing tons of async/await. The overhead grows when your project grows.
Rod is type-safe by default. It has type bindings for all the APIs of the DevTools protocol.
Rod will disable domain events whenever possible, puppeteer will always enable all the domains. Enabling them all consumes a lot of resources when driving a remote browser.
Rod supports cancellation and timeout better. For example, to simulate click we have to send several cdp requests, with Promise you can't achieve something like "only send half of the cdp requests", but with the context we can.
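The cancellation point above, as an added example that is not rod's code: a context checked between requests lets a click stop after only some of its requests have gone out. The sender type, clickSteps, click and runDemo are hypothetical names, and a recording function stands in for a real WebSocket client.

```go
package main

import (
	"context"
	"fmt"
)

// sender delivers one protocol request; a hypothetical stand-in for a client.
type sender func(ctx context.Context, method, eventType string) error

// clickSteps are the Input.dispatchMouseEvent types one simulated click sends.
var clickSteps = []string{"mouseMoved", "mousePressed", "mouseReleased"}

// click sends the steps in order and checks ctx before each one, so a
// cancelled or timed-out click never sends its remaining requests.
func click(ctx context.Context, send sender) (int, error) {
	sent := 0
	for _, step := range clickSteps {
		if err := ctx.Err(); err != nil {
			return sent, err
		}
		if err := send(ctx, "Input.dispatchMouseEvent", step); err != nil {
			return sent, err
		}
		sent++
	}
	return sent, nil
}

// runDemo cancels the context once n requests have gone out and returns the
// event types that were actually sent, plus the error click reported.
func runDemo(n int) ([]string, error) {
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()
	var log []string
	record := func(_ context.Context, _, eventType string) error {
		log = append(log, eventType)
		if len(log) == n {
			cancel() // the caller gives up part-way through the click
		}
		return nil
	}
	_, err := click(ctx, record)
	return log, err
}

func main() { fmt.Println(runDemo(1)) }
```
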
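The decode-on-demand point, made above for both chromedp and puppeteer, sketched with Go's standard library. This is an added example, not rod's own code; the envelope and requestEvent types, collectURLs and the sample messages are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// envelope keeps Params as raw bytes so a payload is parsed only on request.
type envelope struct {
	Method string          `json:"method"`
	Params json.RawMessage `json:"params"`
}

// requestEvent is the part of Network.requestWillBeSent this consumer needs.
type requestEvent struct {
	Request struct {
		URL string `json:"url"`
	} `json:"request"`
}

// collectURLs decodes the payload of Network.requestWillBeSent events only.
func collectURLs(msgs []string) ([]string, error) {
	var urls []string
	for _, m := range msgs {
		var env envelope
		if err := json.Unmarshal([]byte(m), &env); err != nil {
			return nil, fmt.Errorf("bad envelope: %w", err)
		}
		if env.Method != "Network.requestWillBeSent" {
			continue // other events and responses stay undecoded
		}
		var ev requestEvent
		if err := json.Unmarshal(env.Params, &ev); err != nil {
			return nil, fmt.Errorf("bad params: %w", err)
		}
		urls = append(urls, ev.Request.URL)
	}
	return urls, nil
}

// sampleMessages is constructed input, not captured browser traffic.
var sampleMessages = []string{
	`{"method":"Network.requestWillBeSent","params":{"requestId":"1","request":{"url":"https://example.com/"}}}`,
	`{"method":"Network.dataReceived","params":{"requestId":"1","dataLength":4096}}`,
	`{"id":7,"result":{}}`,
	`{"method":"Network.requestWillBeSent","params":{"requestId":"2","request":{"url":"https://example.com/app.js"}}}`,
}

func main() { fmt.Println(collectURLs(sampleMessages)) }
```
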
Selenium is based on the webdriver protocol, which has far fewer functions compared to the DevTools protocol. For example, it can't handle closed shadow DOM, has no way to save a page as PDF, and has no support for tools like Profiler or Performance, etc.
It is harder to set up and maintain because of extra dependencies like a browser driver.
Though selenium sells itself on better cross-browser support, it's usually very hard to make it work for all major browsers.
There are plenty of articles about "selenium vs puppeteer", you can treat rod as the Golang version of puppeteer.
Cypress is very limited; for closed shadow DOM or cross-domain iframes it's almost unusable. Read their limitation doc for more details.
If you want to cooperate with us to create a testing-focused framework based on rod to overcome the limitations of cypress, please contact us.