Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
@agoric/bundle-source
Advanced tools
This package creates source bundles from ES Modules, compatible with Agoric contracts and SwingSet vats.
To bundle your sources, first do
import bundleSource from '@agoric/bundle-source';
const sourceBundleP = bundleSource(new URL('../path/to/toplevel', import.meta.url).pathname);
to get a promise for a source bundle, that resolves after reading the
named sources and bundling them into a form that vats can load, as indicated
by the moduleFormat
below. Currently, the only supported module format
is getExport
. Note that this way of loading external modules is likely to
change.
To obtain the contents of the promised sourceBundleP
, once it resolves, do:
sourceBundleP.then(({moduleFormat, source, sourceMap}) => ...);
or inside an async function (and therefore outside of Jessie), do:
const { moduleFormat, source, sourceMap } = await sourceBundleP;
...
The first main moduleFormat
is the "getExport"
format. It generates
source like:
function getExport() {
let exports = {};
const module = { exports };
// CommonJS source translated from the inputs.
...
return module.exports;
}
To evaluate it and obtain the resulting module namespace, you need to endow
a require
function to resolve external imports.
This is logically similar to the getExport
format, except that the code
may additionally depend upon a nestedEvaluate(src)
function to be used
to evaluate submodules in the same context as the parent function.
The advantage of this format is that it helps preserve the filenames within the bundle in the event of any stack traces.
Also, the toplevel getExport(filePrefix = "/bundled-source")
accepts an
optional filePrefix
argument (which is prepended to relative paths for the
bundled files) in order to help give context to stack traces.
FAQs
Create source bundles from ES Modules
We found that @agoric/bundle-source demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.