Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
6to5 turns ES6 code into vanilla ES5, so you can use ES6 features today.
It's as easy as:
$ npm install -g 6to5
Compile the file script.js
and output it to stdout.
$ 6to5 script.js
Compile the file script.js
and output it to script-compiled.js
.
$ 6to5 script.js --out-file script-compiled.js
Compile the file script.js
and output it to script-compiled.js
and save a
source map to script-compiled.js.map
.
$ 6to5 script.js --source-maps --out-file script-compiled.js
Compile the file script.js
and output it to script-compiled.js
with a source
map embedded in a comment at the bottom.
$ 6to5 script.js --source-maps-inline --out-file script-compiled.js
Compile the entire src
directory and output it to the lib
directory.
$ 6to5 src --out-dir lib
Compile the entire src
directory and output it to the one concatenated file.
$ 6to5 src --out-file script-compiled.js
Pipe a file in via stdin and output it to script-compiled.js
$ 6to5 --out-file script-compiled.js < script.js
Launch a repl.
$ 6to5-node
Evaluate code.
$ 6to5-node -e "class Test { }"
Compile and run test.js
.
$ 6to5-node test
var to5 = require("6to5");
var result = to5.transform("code();", options);
result.code;
result.map;
result.ast;
to5.transformFileSync("filename.js", options).code;
to5.transformFile("filename.js", options, function (err, result) {
});
{
// Filename for use in errors etc.
// Default: "unknown"
filename: "filename",
// List of transformers to EXCLUDE.
// Run `6to5 --help` to see a full list of transformers.
blacklist: [],
// List of transformers to ONLY use.
// Run `6to5 --help` to see a full list of transformers.
whitelist: [],
// Module formatter to use
// Run `6to5 --help` to see a full list of module formatters.
// Default: "common"
modules: "common",
// If truthy, adds a `map` property to returned output.
// If set to "inline", a comment with a sourceMappingURL directive is added to
// the bottom of the returned code.
// Default: false
sourceMap: true,
// Set `file` on returned source map.
// Default: `filename` option.
sourceMapName: "filename",
// Set `sources[0]` on returned source map.
// Default: `filename` option.
sourceFileName: "filename"
}
All subsequent files required by node with the extensions .es6
and .js
will
be transformed by 6to5. The polyfill specified in Polyfill is also
required.
require("6to5/register");
NOTE: By default all requires to node_modules
will be ignored. You can
override this by passing an ignore regex with`.
require("6to5/register")({
// Optional ignore regex - if any filenames **do** match this regex then they
// aren't compiled
ignore: /regex/,
// Optional only regex - if any filenames **don't** match this regex then they
// aren't compiled
only: /my_es6_folder/,
// See options above for usage
whitelist: [],
blacklist: [],
// This will remove the currently hooked extensions of .es6 and .js so you'll
// have to add them back if you want them to be used again.
extensions: [".js", ".es6"]
});
You can build a browser version of the compiler by running the following in the 6to5 directory:
$ make build
This will output the files dist/6to5.js
and dist/6to5.min.js
.
Just include one of those in the browser and access the transform method via the
global to5
.
to5("class Test {}").code;
To test 6to5 in your browser run:
$ make test-browser
And open test/browser.html
in your browser if it doesn't open automatically.
See Modules - Common for documentation on the default module formatting.
Alternatively see Modules for all other supported module formatting types.
6to5 does not include a runtime nor polyfill and it's up to the developer to include one in compiled browser code.
A polyfill is included with the 6to5 module that can be included in node like so:
require("6to5/polyfill");
This is simply a wrapper around the regenerator runtime and the es6-shim and es6-symbol polyfills.
If you're planning on using 6to5 output in the browser then it's up to you to include polyfills. es6-symbol and es6-shim fill the vast majority of polyfill concerns.
A polyfill is required for for-of functionality that implements Symbol
and
adds prototype[Symbol.iterator]
behaviour to built-ins. Using the polyfills
specified in polyfill suffices.
Built-in classes such as Date
, Array
and DOM
cannot be subclassed due to
limitations in ES5 implementations.
If you're inheriting from a class then static properties are inherited from it via __proto__, this is widely supported but you may run into problems with much older browsers.
NOTE: __proto__
is not supported on IE <= 9 so static properties
will not be inherited. A possible workaround is to use super();
:
class Foo {
static foo() {
}
}
class Bar extends Foo {
static foo() {
super();
}
}
The regenerator runtime and an ES6 polyfill are required in order for generators to work.
The fundamental concept behind 6to5 is that the generated code must be close as possible to the original, retaining all the same formatting and readability.
Many other transpilers are just concerned with making the code work while 6to5 is concerned with making sure it works and is readable at the same time.
For example, given the following array comprehension:
var seattlers = [for (c of customers) if (c.city == "Seattle") { name: c.name, age: c.age }];
is generated to the following with 6to5:
var seattlers = customers.filter(function (c) {
return c.city == "Seattle";
}).map(function (c) {
return {
name: c.name,
age: c.age
};
});
The following is what Traceur generates:
var seattlers = (function() {
var c;
var $__20 = 0,
$__21 = [];
for (var $__22 = customers[$traceurRuntime.toProperty(Symbol.iterator)](),
$__23; !($__23 = $__22.next()).done; ) {
c = $__23.value;
if (c.city == "Seattle")
$traceurRuntime.setProperty($__21, $__20++, {
name: c.name,
age: c.age
});
}
return $__21;
}());
As you can tell, it's not very pretty, unreadable even. Instead of mapping directly to a runtime, like other transpilers, 6to5 maps directly to the equivalent ES5.
I'm not saying 6to5 is for everyone or even suited for everything. Traceur is better suited if you'd like a full ES6 environment with polyfills and all.
6to5 | Traceur | esnext | es6now | es6-transpiler | jstransform | |
---|---|---|---|---|---|---|
No runtime | ✓ | ✓ | ✓ | |||
Source maps | ✓ | ✓ | ✓ | ✓ | ✓ | |
No compiler global pollution | ✓ | ✓ | ✓ | ✓ | ||
Arrow functions | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Classes | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Computed property names | ✓ | ✓ | ✓ | ✓ | ✓ | |
Constants | ✓ | ✓ | ✓ | |||
Default parameters | ✓ | ✓ | ✓ | ✓ | ✓ | |
Destructuring | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
For-of | ✓ | ✓ | ✓ | ✓ | ✓ | |
Generators | ✓ | ✓ | ✓ | |||
Let scoping | ✓ | ✓ | ✓ | |||
Modules | ✓ | ✓ | ✓ | |||
Property method assignment | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Property name shorthand | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Rest parameters | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Spread | ✓ | ✓ | ✓ | ✓ | ✓ | |
Template literals | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Unicode regex | ✓ | ✓ | ✓ |
Traceur requires quite a bulky runtime (~75KB) and produces quite verbose code. While this can be trimmed down by selectively building the runtime, it's an unneccesary step when a runtime can be eliminated entirely.
es6now doesn't output sourcemaps. This is cited as a positive as line-to-line mapping is the goal. This however obviously doesn't retain column mapping resulting in the output code not being very pleasant.
The es6-transpiler compiler requires shims to operate which pollutes the global scope resulting in possible collisions.
es6-transpiler maps line-by-line, just like es6now, this results in the same issues such as lack of column information and unpleasant code output.
FAQs
Turn ES6 code into readable vanilla ES5 with source maps
The npm package 6to5 receives a total of 2,236 weekly downloads. As such, 6to5 popularity was classified as popular.
We found that 6to5 demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.