Security News
The Risks of Misguided Research in Supply Chain Security
Snyk's use of malicious npm packages for research raises ethical concerns, highlighting risks in public deployment, data exfiltration, and unauthorized testing.
github.com/griffin-stewie/chroma
NOTE: As Chroma has just been released, its API is still in flux. That said, the high-level interface should not change significantly.
Chroma takes source code and other structured text and converts it into syntax highlighted HTML, ANSI-coloured text, etc.
Chroma is based heavily on Pygments, and includes translaters for Pygments lexers and styles.
ABNF, ANTLR, APL, ActionScript, ActionScript 3, Ada, Angular2, ApacheConf, AppleScript, Awk, BNF, Base Makefile, Bash, Batchfile, BlitzBasic, Brainfuck, C, C++, CFEngine3, CMake, COBOL, CSS, Cap'n Proto, Ceylon, ChaiScript, Cheetah, Clojure, CoffeeScript, Common Lisp, Coq, Crystal, Cython, DTD, Dart, Diff, Django/Jinja, Docker, EBNF, Elixir, Elm, EmacsLisp, Erlang, FSharp, Factor, Fish, Forth, Fortran, GAS, GLSL, Genshi, Genshi HTML, Genshi Text, Gnuplot, Go, Groovy, HTML, Handlebars, Haskell, Haxe, Hy, INI, Idris, Io, JSON, Java, JavaScript, Julia, Kotlin, LLVM, Lighttpd configuration file, Lua, Mako, Mason, Mathematica, Modula-2, MySQL, Myghty, NASM, Newspeak, Nginx configuration file, Nim, OCaml, Octave, PHP, PL/pgSQL, POVRay, PacmanConf, Perl, Pig, PkgConfig, PostScript, PostgreSQL SQL dialect, PowerShell, Prolog, Protocol Buffer, Puppet, Python, Python 3, QBasic, R, Racket, Ragel, Rexx, Ruby, Rust, SPARQL, SQL, Sass, Scala, Scheme, Scilab, Smalltalk, Smarty, Snobol, SquidConf, Swift, TASM, Tcl, Tcsh, Termcap, Terminfo, Terraform, Thrift, Transact-SQL, Turtle, Twig, TypeScript, TypoScript, TypoScriptCssData, TypoScriptHtmlData, VimL, XML, Xorg, cfstatement, markdown, reg, verilog, vhdl
I will attempt to keep this section up to date, but an authoritative list can be
displayed with chroma --list
.
Chroma, like Pygments, has the concepts of lexers, formatters and styles.
Lexers convert source text into a stream of tokens, styles specify how token types are mapped to colours, and formatters convert tokens and styles into formatted output.
A package exists for each of these, containing a global Registry
variable
with all of the registered implementations. There are also helper functions
for using the registry in each package, such as looking up lexers by name or
matching filenames, etc.
In all cases, if a lexer, formatter or style can not be determined, nil
will
be returned. In this situation you may want to default to the Fallback
value in each respective package, which provides sane defaults.
A convenience function exists that can be used to simply format some source text, without any effort:
err := quick.Highlight(os.Stdout, someSourceCode, "go", "html", "monokai")
To highlight code, you'll first have to identify what language the code is written in. There are three primary ways to do that:
Detect the language from its filename.
lexer := lexers.Match("foo.go")
Explicitly specify the language by its Chroma syntax ID (a full list is available from lexers.Names()
).
lexer := lexers.Get("go")
Detect the language from its content.
lexer := lexers.Analyse("package main\n\nfunc main()\n{\n}\n")
In all cases, nil
will be returned if the langauge can not be identified.
if lexer == nil {
lexer = lexers.Fallback
}
At this point, it should be noted that some lexers can be extremely chatty. To mitigate this, you can use the coalescing lexer to coalesce runs of identical token types into a single token:
lexer = chroma.Coalesce(lexer)
Once a language is identified you will need to pick a formatter and a style (theme).
style := styles.Get("swapoff")
if style == nil {
style = styles.Fallback
}
formatter := formatters.Get("html")
if formatter == nil {
formatter = formatters.Fallback
}
Then obtain an iterator over the tokens:
contents, err := ioutil.ReadAll(r)
iterator, err := lexer.Tokenise(nil, string(contents))
And finally, format the tokens from the iterator:
err := formatter.Format(w, style, iterator)
By default the html
registered formatter generates standalone HTML with
embedded CSS. More flexibility is available through the lexers/html
package.
Firstly, the output generated by the formatter can be customised with the following constructor options:
Standalone()
- generate standalone HTML with embedded CSS.WithClasses()
- use classes rather than inlined style attributes.ClassPrefix(prefix)
- prefix each generated CSS class.TabWidth(width)
- Set the rendered tab width, in characters.WithLineNumbers()
- Render line numbers (style with LineNumbers
).HighlightLines(ranges)
- Highlight lines in these ranges (style with LineHighlight
).If WithClasses()
is used, the corresponding CSS can be obtained from the formatter with:
formatter := html.New(html.WithClasses())
err := formatter.WriteCSS(w, style)
See the Pygments documentation for details on implementing lexers. Most concepts apply directly to Chroma, but see existing lexer implementations for real examples.
In many cases lexers can be automatically converted directly from Pygments by
using the included Python 3 script pygments2chroma.py
. I use something like
the following:
python3 ~/Projects/chroma/_tools/pygments2chroma.py \
pygments.lexers.jvm.KotlinLexer \
> ~/Projects/chroma/lexers/kotlin.go \
&& gofmt -s -w ~/Projects/chroma/lexers/*.go
See notes in pygments-lexers.go for a list of lexers, and notes on some of the issues importing them.
Chroma supports HTML output, as well as terminal output in 8 colour, 256 colour, and true-colour.
A noop
formatter is included that outputs the token text only, and a tokens
formatter outputs raw tokens. The latter is useful for debugging lexers.
Chroma styles use the same syntax as Pygments.
All Pygments styles have been converted to Chroma using the _tools/style.py
script.
A command-line interface to Chroma is included. It can be installed with:
go get -u github.com/alecthomas/chroma/cmd/chroma
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Snyk's use of malicious npm packages for research raises ethical concerns, highlighting risks in public deployment, data exfiltration, and unauthorized testing.
Research
Security News
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
Security News
pnpm 10 blocks lifecycle scripts by default to improve security, addressing supply chain attack risks but sparking debate over compatibility and workflow changes.