github.com/tetratelabs/wazero
WebAssembly is a way to safely run code compiled in other languages. Runtimes
execute WebAssembly Modules (Wasm), which are most often binaries with a .wasm
extension.
wazero is a WebAssembly Core Specification 1.0 and 2.0 compliant runtime written in Go. It has zero dependencies, and doesn't rely on CGO. This means you can run applications in other languages and still keep cross compilation.
Import wazero and extend your Go application with code written in any language!
The best way to learn wazero is by trying one of our examples. The most basic example extends a Go application with an addition function defined in WebAssembly.
There are two runtime configurations supported in wazero, and Compiler is the default.
By default, e.g. with wazero.NewRuntime(ctx), the Compiler is used if supported. You
can also force the interpreter like so:
r := wazero.NewRuntimeWithConfig(ctx, wazero.NewRuntimeConfigInterpreter())
Interpreter is a naive interpreter-based implementation of Wasm virtual
machine. Its implementation doesn't have any platform (GOARCH, GOOS) specific
code, therefore interpreter can be used for any compilation target available
for Go (such as riscv64).
Compiler compiles WebAssembly modules into machine code ahead of time (AOT),
during Runtime.CompileModule. This means your WebAssembly functions execute
natively at runtime. Compiler is faster than Interpreter, often by an order of
magnitude (10x) or more. This is done without host-specific dependencies.
Both runtimes pass WebAssembly Core 1.0 and 2.0 specification tests on supported platforms:
Runtime | Usage | amd64 | arm64 | others |
---|---|---|---|---|
Interpreter | wazero.NewRuntimeConfigInterpreter() | ✅ | ✅ | ✅ |
Compiler | wazero.NewRuntimeConfigCompiler() | ✅ | ✅ | ❌ |
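An added example, not part of wazero or its documentation: a pre-flight check an embedder could run on a .wasm binary before handing it to Runtime.CompileModule under either configuration. It uses only the Go standard library to validate the header and walk the section list, reporting how many imports the module declares and whether it has a start function; the names Inspect and uleb and the sample bytes are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed sample: imports wasi_snapshot_preview1.fd_write and env.memory.
var sample = []byte("\x00asm\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x02\x31\x02" +
	"\x16wasi_snapshot_preview1\x08fd_write\x00\x00\x03env\x06memory\x02\x00\x01")
var errMalformed = errors.New("malformed wasm module")

// uleb decodes one unsigned LEB128 u32 and returns the bytes that follow it.
func uleb(b []byte) (uint64, []byte, error) {
	v, n := binary.Uvarint(b) // Uvarint reads the same base-128 encoding
	if n <= 0 || n > 5 || v > 0xffffffff {
		return 0, nil, errMalformed
	}
	return v, b[n:], nil
}

// Inspect checks the 8-byte header, then walks the sections with bounds checks.
// It returns the declared import count and whether a start section is present.
func Inspect(wasm []byte) (imports uint64, hasStart bool, err error) {
	if len(wasm) < 8 || string(wasm[:8]) != "\x00asm\x01\x00\x00\x00" {
		return 0, false, errMalformed
	}
	for p := wasm[8:]; len(p) > 0; {
		size, rest, err := uleb(p[1:])
		if err != nil || size > uint64(len(rest)) {
			return 0, false, errMalformed
		}
		switch p[0] { // section id
		case 2: // import section: its body starts with the entry count
			if imports, _, err = uleb(rest[:size]); err != nil {
				return 0, false, errMalformed
			}
		case 8: // start section: its function runs during instantiation
			hasStart = true
		}
		p = rest[size:]
	}
	return imports, hasStart, nil
}

func main() {
	fmt.Println(Inspect(sample))
}
```

A non-zero import count means the module expects the host to provide functions or memory, so it is a prompt to review which host capabilities the embedding application exposes.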
The below support policy focuses on compatibility concerns of those embedding wazero into their Go applications.
wazero's 1.0 release happened in March 2023, and is in use by many projects and production sites.
We offer an API stability promise with semantic versioning. In other words, we promise to not break any exported function signature without incrementing the major version. This does not mean no innovation: New features and behaviors happen with a minor version increment, e.g. 1.0.11 to 1.2.0. We also fix bugs or change internal details with a patch version, e.g. 1.0.0 to 1.0.1.
You can get the latest version of wazero like this.
go get github.com/tetratelabs/wazero@latest
Please give us a star if you end up using wazero!
wazero has no dependencies except Go, so the only source of conflict in your project's use of wazero is the Go version.
wazero follows the same version policy as Go's Release Policy: two versions. wazero will ensure these versions work and bugs are valid if there's an issue with a current Go version.
Additionally, wazero intentionally delays usage of language or standard library features one additional version. For example, when Go 1.29 is released, wazero can use language features or standard libraries added in 1.27. This is a convenience for embedders who have a slower version policy than Go. However, only supported Go versions may be used to raise support issues.
wazero has two runtime modes: Interpreter and Compiler. The only supported operating systems are ones we test, but that doesn't necessarily mean other operating system versions won't work.
We currently test Linux (Ubuntu and scratch), macOS and Windows as packaged by GitHub Actions, as well as compilation of 32-bit Linux and 64-bit FreeBSD.
wazero has no dependencies and doesn't require CGO. This means it can also be embedded in an application that doesn't use an operating system. This is a main differentiator between wazero and alternatives.
We verify zero dependencies by running tests in Docker's scratch image. This approach ensures compatibility with any parent image.
wazero is a registered trademark of Tetrate.io, Inc. in the United States and/or other countries