Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
github.com/satotake/minify/v2
BE AWARE: YOU NEED GO 1.9.7+, 1.10.3+, 1.11 to run the latest release!!!
If you cannot upgrade Go, please pin to minify@v2.3.6 and parse@v2.3.4
Online demo if you need to minify files now.
Command line tool that minifies concurrently and supports watching file changes.
All releases for various platforms.
Minify is a minifier package written in Go. It provides HTML5, CSS3, JS, JSON, SVG and XML minifiers and an interface to implement any other minifier. Minification is the process of removing bytes from a file (such as whitespace) without changing its output and therefore shrinking its size and speeding up transmission over the internet and possibly parsing. The implemented minifiers are designed for high performance.
The core functionality associates mimetypes with minification functions, allowing embedded resources (like CSS or JS within HTML files) to be minified as well. Users can add new implementations that are triggered based on a mimetype (or pattern), or redirect to an external command (like ClosureCompiler, UglifyCSS, ...).
compress
)?gofmt
for Go files?Minifiers or bindings to minifiers exist in almost all programming languages. Some implementations are merely using several regular-expressions to trim whitespace and comments (even though regex for parsing HTML/XML is ill-advised, for a good read see Regular Expressions: Now You Have Two Problems). Some implementations are much more profound, such as the YUI Compressor and Google Closure Compiler for JS. As most existing implementations either use JavaScript, use regexes, and don't focus on performance, they are pretty slow.
This minifier proves to be that fast and extensive minifier that can handle HTML and any other filetype it may contain (CSS, JS, ...). It is usually orders of magnitude faster than existing minifiers.
Run the following command
go get -u github.com/satotake/minify/v2
or add the following imports and run the project with go get
import (
"github.com/satotake/minify/v2"
"github.com/satotake/minify/v2/css"
"github.com/satotake/minify/v2/html"
"github.com/satotake/minify/v2/js"
"github.com/satotake/minify/v2/json"
"github.com/satotake/minify/v2/svg"
"github.com/satotake/minify/v2/xml"
)
There is no guarantee for absolute stability, but I take issues and bugs seriously and don't take API changes lightly. The library will be maintained in a compatible way unless vital bugs prevent me from doing so. There has been one API change after v1 which added options support and I took the opportunity to push through some more API clean up as well. There are no plans whatsoever for future API changes.
For all subpackages and the imported parse
and buffer
packages, test coverage of 100% is pursued. Besides full coverage, the minifiers are fuzz tested using github.com/dvyukov/go-fuzz, see the wiki for the most important bugs found by fuzz testing. Furthermore am I working on adding visual testing to ensure that minification doesn't change anything visually. By using the WebKit browser to render the original and minified pages we can check whether any pixel is different.
These tests ensure that everything works as intended, the code does not crash (whatever the input) and that it doesn't change the final result visually. If you still encounter a bug, please report here!
The benchmarks directory contains a number of standardized samples used to compare performance between changes. To give an indication of the speed of this library, I've ran the tests on my Thinkpad T460 (i5-6300U quad-core 2.4GHz running Arch Linux) using Go 1.9.2.
name time/op
CSS/sample_bootstrap.css-4 2.26ms ± 0%
CSS/sample_gumby.css-4 2.92ms ± 1%
HTML/sample_amazon.html-4 2.33ms ± 2%
HTML/sample_bbc.html-4 1.02ms ± 1%
HTML/sample_blogpost.html-4 171µs ± 2%
HTML/sample_es6.html-4 14.5ms ± 0%
HTML/sample_stackoverflow.html-4 2.41ms ± 1%
HTML/sample_wikipedia.html-4 4.76ms ± 0%
JS/sample_ace.js-4 7.41ms ± 0%
JS/sample_dot.js-4 63.7µs ± 0%
JS/sample_jquery.js-4 2.99ms ± 0%
JS/sample_jqueryui.js-4 5.92ms ± 2%
JS/sample_moment.js-4 1.09ms ± 1%
JSON/sample_large.json-4 2.95ms ± 0%
JSON/sample_testsuite.json-4 1.51ms ± 1%
JSON/sample_twitter.json-4 6.75µs ± 1%
SVG/sample_arctic.svg-4 62.3ms ± 1%
SVG/sample_gopher.svg-4 218µs ± 0%
SVG/sample_usa.svg-4 33.1ms ± 3%
XML/sample_books.xml-4 36.2µs ± 0%
XML/sample_catalog.xml-4 14.9µs ± 0%
XML/sample_omg.xml-4 6.31ms ± 1%
name speed
CSS/sample_bootstrap.css-4 60.8MB/s ± 0%
CSS/sample_gumby.css-4 63.9MB/s ± 1%
HTML/sample_amazon.html-4 203MB/s ± 2%
HTML/sample_bbc.html-4 113MB/s ± 1%
HTML/sample_blogpost.html-4 123MB/s ± 2%
HTML/sample_es6.html-4 70.7MB/s ± 0%
HTML/sample_stackoverflow.html-4 85.2MB/s ± 1%
HTML/sample_wikipedia.html-4 93.6MB/s ± 0%
JS/sample_ace.js-4 86.9MB/s ± 0%
JS/sample_dot.js-4 81.0MB/s ± 0%
JS/sample_jquery.js-4 82.8MB/s ± 0%
JS/sample_jqueryui.js-4 79.3MB/s ± 2%
JS/sample_moment.js-4 91.2MB/s ± 1%
JSON/sample_large.json-4 258MB/s ± 0%
JSON/sample_testsuite.json-4 457MB/s ± 1%
JSON/sample_twitter.json-4 226MB/s ± 1%
SVG/sample_arctic.svg-4 23.6MB/s ± 1%
SVG/sample_gopher.svg-4 26.7MB/s ± 0%
SVG/sample_usa.svg-4 30.9MB/s ± 3%
XML/sample_books.xml-4 122MB/s ± 0%
XML/sample_catalog.xml-4 130MB/s ± 0%
XML/sample_omg.xml-4 180MB/s ± 1%
HTML (with JS and CSS) minification typically shaves off about 10%.
The HTML5 minifier uses these minifications:
html
, head
, body
, ...)tr
, td
, li
, ... and often p
)http:
, https:
and javascript:
)doctype
and meta
charsetOptions:
KeepConditionalComments
preserve all IE conditional comments such as <!--[if IE 6]><![endif]-->
and <![if IE 6]><![endif]>
, see https://msdn.microsoft.com/en-us/library/ms537512(v=vs.85).aspx#syntaxKeepDefaultAttrVals
preserve default attribute values such as <script type="application/javascript">
KeepDocumentTags
preserve html
, head
and body
tagsKeepEndTags
preserve all end tagsKeepWhitespace
preserve whitespace between inline tags but still collapse multiple whitespace characters into oneAfter recent benchmarking and profiling it became really fast and minifies pages in the 10ms range, making it viable for on-the-fly minification.
However, be careful when doing on-the-fly minification. Minification typically trims off 10% and does this at worst around about 20MB/s. This means users have to download slower than 2MB/s to make on-the-fly minification worthwhile. This may or may not apply in your situation. Rather use caching!
The whitespace removal mechanism collapses all sequences of whitespace (spaces, newlines, tabs) to a single space. If the sequence contained a newline or carriage return it will collapse into a newline character instead. It trims all text parts (in between tags) depending on whether it was preceded by a space from a previous piece of text and whether it is followed up by a block element or an inline element. In the former case we can omit spaces while for inline elements whitespace has significance.
Make sure your HTML doesn't depend on whitespace between block
elements that have been changed to inline
or inline-block
elements using CSS. Your layout should not depend on those whitespaces as the minifier will remove them. An example is a menu consisting of multiple <li>
that have display:inline-block
applied and have whitespace in between them. It is bad practise to rely on whitespace for element positioning anyways!
Minification typically shaves off about 10%-15%. This CSS minifier will not do structural changes to your stylesheets. Although this could result in smaller files, the complexity is quite high and the risk of breaking website is high too.
The CSS minifier will only use safe minifications:
/*! ... */
which usually contains the license)margin
, padding
and border-width
number of sides+
and zeros and rewriting with/without exponentrgb(
, rgba(
, hsl(
and hsla(
colors to hex or nametransparent
→ #0000
)normal
and bold
by numbers for font-weight
and font
none
→ 0
for border
, background
and outline
background
and font
It does purposely not use the following techniques:
font-weight
within an already existing font
, too complex)!important
)margin-top
, margin-right
, margin-bottom
and margin-left
→ margin
)body > div#elem p
→ #elem p
)div[id=a]
→ div#a
)There are a couple of comparison tables online, such as CSS Minifier Comparison, CSS minifiers comparison and CleanCSS tests. Comparing speed between each, this minifier will usually be between 10x-300x faster than existing implementations, and even rank among the top for minification ratios. It falls short with the purposely not implemented and often unsafe techniques.
Options:
Decimals
number of decimals to preserve for numbers, -1
means no trimmingKeepCSS2
prohibits using CSS3 syntax (such as exponents in numbers, or rgba(
→ rgb(
), might be incompleteThe JS minifier is pretty basic. It removes comments, whitespace and line breaks whenever it can. It employs all the rules that JSMin does too, but has additional improvements. For example the prefix-postfix bug is fixed.
Common speeds of PHP and JS implementations are about 100-300kB/s (see Uglify2, Adventures in PHP web asset minimization). This implementation or orders of magnitude faster, around ~80MB/s.
TODO:
Minification typically shaves off about 15% of filesize for common indented JSON such as generated by JSON Generator.
The JSON minifier only removes whitespace, which is the only thing that can be left out.
The SVG minifier uses these minifications:
doctype
, XML prelude, metadata
px
unitpath
datarect
, line
, polygon
, polyline
to path
TODO:
Options:
Decimals
number of decimals to preserve for numbers, -1
means no trimmingThe XML minifier uses these minifications:
Options:
KeepWhitespace
preserve whitespace between inline tags but still collapse multiple whitespace characters into oneAny input stream is being buffered by the minification functions. This is how the underlying buffer package inherently works to ensure high performance. The output stream however is not buffered. It is wise to preallocate a buffer as big as the input to which the output is written, or otherwise use bufio
to buffer to a streaming writer.
Retrieve a minifier struct which holds a map of mediatype → minifier functions.
m := minify.New()
The following loads all provided minifiers.
m := minify.New()
m.AddFunc("text/css", css.Minify)
m.AddFunc("text/html", html.Minify)
m.AddFunc("image/svg+xml", svg.Minify)
m.AddFuncRegexp(regexp.MustCompile("^(application|text)/(x-)?(java|ecma)script$"), js.Minify)
m.AddFuncRegexp(regexp.MustCompile("[/+]json$"), json.Minify)
m.AddFuncRegexp(regexp.MustCompile("[/+]xml$"), xml.Minify)
You can set options to several minifiers.
m.Add("text/html", &html.Minifier{
KeepDefaultAttrVals: true,
KeepWhitespace: true,
})
Minify from an io.Reader
to an io.Writer
for a specific mediatype.
if err := m.Minify(mediatype, w, r); err != nil {
panic(err)
}
Minify from and to a []byte
for a specific mediatype.
b, err = m.Bytes(mediatype, b)
if err != nil {
panic(err)
}
Minify from and to a string
for a specific mediatype.
s, err = m.String(mediatype, s)
if err != nil {
panic(err)
}
Get a minifying reader for a specific mediatype.
mr := m.Reader(mediatype, r)
if _, err := mr.Read(b); err != nil {
panic(err)
}
Get a minifying writer for a specific mediatype. Must be explicitly closed because it uses an io.Pipe
underneath.
mw := m.Writer(mediatype, w)
if mw.Write([]byte("input")); err != nil {
panic(err)
}
if err := mw.Close(); err != nil {
panic(err)
}
Minify resources on the fly using middleware. It passes a wrapped response writer to the handler that removes the Content-Length header. The minifier is chosen based on the Content-Type header or, if the header is empty, by the request URI file extension. This is on-the-fly processing, you should preferably cache the results though!
fs := http.FileServer(http.Dir("www/"))
http.Handle("/", m.Middleware(fs))
Add a minifier for a specific mimetype.
type CustomMinifier struct {
KeepLineBreaks bool
}
func (c *CustomMinifier) Minify(m *minify.M, w io.Writer, r io.Reader, params map[string]string) error {
// ...
return nil
}
m.Add(mimetype, &CustomMinifier{KeepLineBreaks: true})
// or
m.AddRegexp(regexp.MustCompile("/x-custom$"), &CustomMinifier{KeepLineBreaks: true})
Add a minify function for a specific mimetype.
m.AddFunc(mimetype, func(m *minify.M, w io.Writer, r io.Reader, params map[string]string) error {
// ...
return nil
})
m.AddFuncRegexp(regexp.MustCompile("/x-custom$"), func(m *minify.M, w io.Writer, r io.Reader, params map[string]string) error {
// ...
return nil
})
Add a command cmd
with arguments args
for a specific mimetype.
m.AddCmd(mimetype, exec.Command(cmd, args...))
m.AddCmdRegexp(regexp.MustCompile("/x-custom$"), exec.Command(cmd, args...))
Using the params map[string]string
argument one can pass parameters to the minifier such as seen in mediatypes (type/subtype; key1=val2; key2=val2
). Examples are the encoding or charset of the data. Calling Minify
will split the mimetype and parameters for the minifiers for you, but MinifyMimetype
can be used if you already have them split up.
Minifiers can also be added using a regular expression. For example a minifier with image/.*
will match any image mime.
Basic example that minifies from stdin to stdout and loads the default HTML, CSS and JS minifiers. Optionally, one can enable java -jar build/compiler.jar
to run for JS (for example the ClosureCompiler). Note that reading the file into a buffer first and writing to a pre-allocated buffer would be faster (but would disable streaming).
package main
import (
"log"
"os"
"os/exec"
"github.com/satotake/minify/v2"
"github.com/satotake/minify/v2/css"
"github.com/satotake/minify/v2/html"
"github.com/satotake/minify/v2/js"
"github.com/satotake/minify/v2/json"
"github.com/satotake/minify/v2/svg"
"github.com/satotake/minify/v2/xml"
)
func main() {
m := minify.New()
m.AddFunc("text/css", css.Minify)
m.AddFunc("text/html", html.Minify)
m.AddFunc("image/svg+xml", svg.Minify)
m.AddFuncRegexp(regexp.MustCompile("^(application|text)/(x-)?(java|ecma)script$"), js.Minify)
m.AddFuncRegexp(regexp.MustCompile("[/+]json$"), json.Minify)
m.AddFuncRegexp(regexp.MustCompile("[/+]xml$"), xml.Minify)
// Or use the following for better minification of JS but lower speed:
// m.AddCmdRegexp(regexp.MustCompile("^(application|text)/(x-)?(java|ecma)script$"), exec.Command("java", "-jar", "build/compiler.jar"))
if err := m.Minify("text/html", os.Stdout, os.Stdin); err != nil {
panic(err)
}
}
Custom minifier showing an example that implements the minifier function interface. Within a custom minifier, it is possible to call any minifier function (through m minify.Minifier
) recursively when dealing with embedded resources.
package main
import (
"bufio"
"fmt"
"io"
"log"
"strings"
"github.com/satotake/minify/v2"
)
func main() {
m := minify.New()
m.AddFunc("text/plain", func(m *minify.M, w io.Writer, r io.Reader, _ map[string]string) error {
// remove newlines and spaces
rb := bufio.NewReader(r)
for {
line, err := rb.ReadString('\n')
if err != nil && err != io.EOF {
return err
}
if _, errws := io.WriteString(w, strings.Replace(line, " ", "", -1)); errws != nil {
return errws
}
if err == io.EOF {
break
}
}
return nil
})
in := "Because my coffee was too cold, I heated it in the microwave."
out, err := m.String("text/plain", in)
if err != nil {
panic(err)
}
fmt.Println(out)
// Output: Becausemycoffeewastoocold,Iheateditinthemicrowave.
}
func main() {
m := minify.New()
m.AddFunc("text/css", css.Minify)
m.AddFunc("text/html", html.Minify)
m.AddFunc("image/svg+xml", svg.Minify)
m.AddFuncRegexp(regexp.MustCompile("^(application|text)/(x-)?(java|ecma)script$"), js.Minify)
m.AddFuncRegexp(regexp.MustCompile("[/+]json$"), json.Minify)
m.AddFuncRegexp(regexp.MustCompile("[/+]xml$"), xml.Minify)
fs := http.FileServer(http.Dir("www/"))
http.Handle("/", m.Middleware(fs))
}
func Serve(w http.ResponseWriter, r *http.Request) {
mw := m.ResponseWriter(w, r)
defer mw.Close()
w = mw
http.ServeFile(w, r, path.Join("www", r.URL.Path))
}
ResponseWriter example which returns a ResponseWriter that minifies the content and then writes to the original ResponseWriter. Any write after applying this filter will be minified.
type MinifyResponseWriter struct {
http.ResponseWriter
io.WriteCloser
}
func (m MinifyResponseWriter) Write(b []byte) (int, error) {
return m.WriteCloser.Write(b)
}
// MinifyResponseWriter must be closed explicitly by calling site.
func MinifyFilter(mediatype string, res http.ResponseWriter) MinifyResponseWriter {
m := minify.New()
// add minfiers
mw := m.Writer(mediatype, res)
return MinifyResponseWriter{res, mw}
}
// Usage
func(w http.ResponseWriter, req *http.Request) {
w = MinifyFilter("text/html", w)
if _, err := io.WriteString(w, "<p class="message"> This HTTP response will be minified. </p>"); err != nil {
panic(err)
}
if err := w.Close(); err != nil {
panic(err)
}
// Output: <p class=message>This HTTP response will be minified.
}
Here's an example of a replacement for template.ParseFiles
from template/html
, which automatically minifies each template before parsing it.
Be aware that minifying templates will work in most cases but not all. Because the HTML minifier only works for valid HTML5, your template must be valid HTML5 of itself. Template tags are parsed as regular text by the minifier.
func compileTemplates(filenames ...string) (*template.Template, error) {
m := minify.New()
m.AddFunc("text/html", html.Minify)
var tmpl *template.Template
for _, filename := range filenames {
name := filepath.Base(filename)
if tmpl == nil {
tmpl = template.New(name)
} else {
tmpl = tmpl.New(name)
}
b, err := ioutil.ReadFile(filename)
if err != nil {
return nil, err
}
mb, err := m.Bytes("text/html", b)
if err != nil {
return nil, err
}
tmpl.Parse(string(mb))
}
return tmpl, nil
}
Example usage:
templates := template.MustCompile(compileTemplates("view.html", "home.html"))
Released under the MIT license.
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.