Security News
pnpm 10.0.0 Blocks Lifecycle Scripts by Default
pnpm 10 blocks lifecycle scripts by default to improve security, addressing supply chain attack risks but sparking debate over compatibility and workflow changes.
github.com/mathetake/gasm
WebAssembly is a way to safely run code compiled in other languages. Runtimes
execute WebAssembly Modules (Wasm), which are most often binaries with a .wasm
extension.
wazero is a WebAssembly Core Specification 1.0 and 2.0 compliant runtime written in Go. It has zero dependencies, and doesn't rely on CGO. This means you can run applications in other languages and still keep cross compilation.
Import wazero and extend your Go application with code written in any language!
The best way to learn wazero is by trying one of our examples. The most basic example extends a Go application with an addition function defined in WebAssembly.
There are two runtime configurations supported in wazero: Compiler is default:
By default, ex wazero.NewRuntime(ctx)
, the Compiler is used if supported. You
can also force the interpreter like so:
r := wazero.NewRuntimeWithConfig(ctx, wazero.NewRuntimeConfigInterpreter())
Interpreter is a naive interpreter-based implementation of Wasm virtual
machine. Its implementation doesn't have any platform (GOARCH, GOOS) specific
code, therefore interpreter can be used for any compilation target available
for Go (such as riscv64
).
Compiler compiles WebAssembly modules into machine code ahead of time (AOT),
during Runtime.CompileModule
. This means your WebAssembly functions execute
natively at runtime. Compiler is faster than Interpreter, often by order of
magnitude (10x) or more. This is done without host-specific dependencies.
Both runtimes pass WebAssembly Core 1.0 and 2.0 specification tests on supported platforms:
Runtime | Usage | amd64 | arm64 | others |
---|---|---|---|---|
Interpreter | wazero.NewRuntimeConfigInterpreter() | ✅ | ✅ | ✅ |
Compiler | wazero.NewRuntimeConfigCompiler() | ✅ | ✅ | ❌ |
The below support policy focuses on compatibility concerns of those embedding wazero into their Go applications.
wazero's 1.0 release happened in March 2023, and is in use by many projects and production sites.
We offer an API stability promise with semantic versioning. In other words, we promise to not break any exported function signature without incrementing the major version. This does not mean no innovation: New features and behaviors happen with a minor version increment, e.g. 1.0.11 to 1.2.0. We also fix bugs or change internal details with a patch version, e.g. 1.0.0 to 1.0.1.
You can get the latest version of wazero like this.
go get github.com/tetratelabs/wazero@latest
Please give us a star if you end up using wazero!
wazero has no dependencies except Go, so the only source of conflict in your project's use of wazero is the Go version.
wazero follows the same version policy as Go's Release Policy: two versions. wazero will ensure these versions work and bugs are valid if there's an issue with a current Go version.
Additionally, wazero intentionally delays usage of language or standard library features one additional version. For example, when Go 1.29 is released, wazero can use language features or standard libraries added in 1.27. This is a convenience for embedders who have a slower version policy than Go. However, only supported Go versions may be used to raise support issues.
wazero has two runtime modes: Interpreter and Compiler. The only supported operating systems are ones we test, but that doesn't necessarily mean other operating system versions won't work.
We currently test Linux (Ubuntu and scratch), MacOS and Windows as packaged by GitHub Actions, as well as nested VMs running on Linux for FreeBSD, NetBSD, OpenBSD, DragonFly BSD, illumos and Solaris.
We also test cross compilation for many GOOS
and GOARCH
combinations.
wazero has no dependencies and doesn't require CGO. This means it can also be embedded in an application that doesn't use an operating system. This is a main differentiator between wazero and alternatives.
We verify zero dependencies by running tests in Docker's scratch image. This approach ensures compatibility with any parent image.
wazero is a registered trademark of Tetrate.io, Inc. in the United States and/or other countries
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
pnpm 10 blocks lifecycle scripts by default to improve security, addressing supply chain attack risks but sparking debate over compatibility and workflow changes.
Product
Socket now supports uv.lock files to ensure consistent, secure dependency resolution for Python projects and enhance supply chain security.
Research
Security News
Socket researchers have discovered multiple malicious npm packages targeting Solana private keys, abusing Gmail to exfiltrate the data and drain Solana wallets.