Malicious npm Package Typosquats react-login-page to Deploy Keylogger
Socket researchers unpack a typosquatting package with malicious code that logs keystrokes and exfiltrates sensitive data to a remote server.
@babel/helper-annotate-as-pure
Package description
The @babel/helper-annotate-as-pure npm package is a utility within the Babel ecosystem designed to annotate call expressions with a /*#__PURE__*/ comment. This comment hints to JavaScript bundlers and minifiers, such as Terser, that the function call is pure. A call marked pure can be safely removed when its result is not used, which lets the minifier strip unused code and produce a smaller final bundle.
Annotating a call expression as pure
This feature allows developers to mark specific call expressions as pure, enabling potential removal during the minification process if the result of the call is unused. This is particularly useful for library authors who want to ensure their library's unused parts can be tree-shaken in consumer applications.
import * as t from '@babel/types';
import annotateAsPure from '@babel/helper-annotate-as-pure';
const callExpression = t.callExpression(t.identifier('myFunction'), []);
annotateAsPure(callExpression);
// The callExpression node is now annotated with a /*#__PURE__*/ comment.
Similar to @babel/helper-annotate-as-pure, this package provides a Babel plugin to automatically annotate call expressions and new expressions with /*#__PURE__*/ comments. The key difference is that it operates at the plugin level, automatically applying the annotations across your codebase, rather than requiring manual annotation of each call.
While not a direct alternative, uglifyjs-webpack-plugin interfaces with UglifyJS to minify JavaScript bundles in Webpack projects. It can take advantage of the pure annotations added by @babel/helper-annotate-as-pure to perform tree shaking and dead code elimination, showcasing how such annotations can be utilized in the minification process.
Readme
export default function annotateAsPure(nodeOrPath: Node | NodePath): void;
import traverse from "@babel/traverse";
import annotateAsPure from "@babel/helper-annotate-as-pure";
// ...
traverse(file, {
  CallExpression(path) {
    annotateAsPure(path);
  },
});
@babel/helper-annotate-as-pure will append any existing leading comments to the #__PURE__ annotation. Versions of UglifyJS prior to v3.1.0 will ignore these annotations, as they only check the last leading comment for the annotation.
For example, using the Usage snippet above:
In:
const four = /* foo */ add(2, 2);
Out:
const four = /* #__PURE__ */ /* foo */ add(2, 2);
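The following is an added, dependency-free example that is not part of the package page or the Babel project. It models, on a constructed AST node shaped like a @babel/types CallExpression, what the Usage snippet above does (prepend a #__PURE__ block comment while keeping any existing leading comments), why a minifier that inspects only the last leading comment misses the annotation when a comment such as /* foo */ is already present, and what the hint ultimately permits: dropping an unused, pure-marked call during dead-code elimination. The function names annotateAsPure, hasPureAnyLeading, hasPureLastLeadingOnly, eliminateDeadCalls and render are this example's own, and the comment-printing format (/*#__PURE__*/ without inner spaces) is a simplification; it does not reproduce Babel's generator output.

```javascript
"use strict";

const PURE_ANNOTATION = "#__PURE__";
// The helper recognises either spelling of the marker in an existing comment.
const PURE_RE = /[@#]__PURE__/;

// Constructed node in the shape @babel/types uses for a CallExpression; callee
// and arguments are simplified to plain strings/numbers so they can be printed.
function callExpression(callee, args = [], leadingComments = []) {
  return { type: "CallExpression", callee, arguments: args, leadingComments };
}

// True when any leading comment already carries the annotation.
function isPureAnnotated(node) {
  return (node.leadingComments || []).some((c) => PURE_RE.test(c.value));
}

// Model of the helper: prepend a block comment carrying #__PURE__ and keep the
// comments that were already there after it. Idempotent: a second call is a no-op.
function annotateAsPure(node) {
  if (isPureAnnotated(node)) return node;
  node.leadingComments = [
    { type: "CommentBlock", value: PURE_ANNOTATION },
    ...(node.leadingComments || []),
  ];
  return node;
}

// Renders the node roughly the way the README's "Out" line shows it.
function render(node) {
  const comments = (node.leadingComments || []).map((c) => `/*${c.value}*/ `).join("");
  return `${comments}${node.callee}(${node.arguments.join(", ")})`;
}

// Minifiers that scan every leading comment (UglifyJS >= 3.1.0, Terser) see the hint.
function hasPureAnyLeading(node) {
  return isPureAnnotated(node);
}

// Model of the older UglifyJS behaviour described in the README: only the last
// leading comment is inspected, so the prepended annotation hides behind /* foo */.
function hasPureLastLeadingOnly(node) {
  const c = node.leadingComments || [];
  return c.length > 0 && PURE_RE.test(c[c.length - 1].value);
}

// Model of the dead-code elimination step the hint enables: an ExpressionStatement
// whose call is marked pure has an unused result and is dropped; a declaration that
// consumes the result is kept. This is why the hint must only be applied to calls
// that really are side-effect free: a side-effecting call marked pure is removed too.
function eliminateDeadCalls(statements, hasPure = hasPureAnyLeading) {
  return statements.filter(
    (s) => !(s.type === "ExpressionStatement" && hasPure(s.expression))
  );
}

function demo() {
  // The README's input: an existing /* foo */ comment, then the annotation is added.
  const withFoo = annotateAsPure(
    callExpression("add", [2, 2], [{ type: "CommentBlock", value: " foo " }])
  );
  const plain = annotateAsPure(callExpression("add", [2, 2]));
  // Constructed: a call whose only purpose is its side effect, wrongly marked pure.
  const sideEffect = annotateAsPure(callExpression("validateSession", ["token"]));
  const program = [
    { type: "VariableDeclaration", name: "four", init: withFoo },
    { type: "ExpressionStatement", expression: sideEffect },
  ];
  return {
    out: render(withFoo),                                   // "/*#__PURE__*/ /* foo */ add(2, 2)"
    modernSeesHint: hasPureAnyLeading(withFoo),             // true
    legacySeesHint: hasPureLastLeadingOnly(withFoo),        // false: last comment is /* foo */
    legacySeesHintWithoutFoo: hasPureLastLeadingOnly(plain), // true: annotation is the only comment
    survivors: eliminateDeadCalls(program).map((s) => s.type), // ["VariableDeclaration"]
  };
}

console.log(demo());
```

The eliminateDeadCalls model is the part that goes beyond the README: it shows the consequence of the hint rather than only its syntax. The validateSession statement disappears because nothing reads its return value and the annotation asserts it has no side effects, so the annotation should be applied by code (a plugin) only to constructors and helpers whose purity is known, never blanket-applied to every CallExpression in application code.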
We found that @babel/helper-annotate-as-pure demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.