@agoric/bundle-source
This package creates source bundles from ES Modules, compatible with Agoric contracts and SwingSet vats.

To bundle your sources, first do

```js
import bundleSource from '@agoric/bundle-source';
const sourceBundleP = bundleSource(`${__dirname}/../path/to/toplevel`);
```

to get a promise for a source bundle that resolves after reading the named sources and bundling them into a form that vats can load, as indicated by the `moduleFormat` below. The module formats described below are `getExport` and `nestedEvaluate`. Note that this way of loading external modules is likely to change.
To obtain the contents of the promised `sourceBundleP`, once it resolves, do:

```js
sourceBundleP.then(({ moduleFormat, source, sourceMap }) => ...);
```

or inside an async function (and therefore outside of Jessie), do:

```js
const { moduleFormat, source, sourceMap } = await sourceBundleP;
...
```
The first main `moduleFormat` is the `"getExport"` format. It generates source like:

```js
function getExport() {
  let exports = {};
  const module = { exports };
  // CommonJS source translated from the inputs.
  ...
  return module.exports;
}
```

To evaluate it and obtain the resulting module namespace, you need to endow a `require` function to resolve external imports. Because evaluating the bundle runs its code, and that `require` endowment is the bundle's only route to modules outside itself, pass one that resolves exactly the imports the bundle is expected to make and refuses anything else.
The `nestedEvaluate` format is logically similar to the `getExport` format, except that the code may additionally depend upon a `nestedEvaluate(src)` function, used to evaluate submodules in the same context as the parent function. The advantage of this format is that it helps preserve the filenames within the bundle in the event of any stack traces. Also, the toplevel `getExport(filePrefix = "/bundled-source")` accepts an optional `filePrefix` argument (which is prepended to relative paths for the bundled files) in order to help give context to stack traces.
FAQs
Create source bundles from ES Modules
The npm package @agoric/bundle-source receives 165 weekly downloads, so its popularity is classified as not popular.
We found that @agoric/bundle-source has an unhealthy version release cadence and project activity, because the last version was released a year ago. It has 5 open source maintainers collaborating on the project.