@babel/preset-modules
A Babel preset that targets modern browsers by fixing engine bugs.
ℹ️ Starting from @babel/preset-env 7.9.0, you can enable the bugfixes: true option to get the same behavior as using @babel/preset-modules, but with support for custom targets. If you need to target browsers with native modules support (like this preset does), you can use targets: { esmodules: true }.
A Babel preset that enables async/await, Tagged Templates, arrow functions, destructured and rest parameters, and more in all modern browsers (88% of traffic).
It works around bugs and inconsistencies in modern JavaScript engines by converting broken syntax to the closest non-broken modern syntax. Use this in place of @babel/preset-env's targets.esmodules option for smaller bundle size and improved performance.
This preset is only useful for browsers. You can serve the output to modern browsers while still supporting older browsers using the module/nomodule pattern:
<!-- transpiled with preset-modules: -->
<script type="module" src="modern.js"></script>
<!-- transpiled with preset-env: -->
<script nomodule src="legacy.js"></script>
Install the preset from npm:
npm install @babel/preset-modules --save-dev
To use the preset, add it to your Babel Configuration:
{
  "presets": [
    "@babel/preset-modules"
  ]
}
If you're implementing the module/nomodule pattern, your configuration might look something like this:
{
  "env": {
    "modern": {
      "presets": [
        "@babel/preset-modules"
      ]
    },
    "legacy": {
      "presets": [
        "@babel/preset-env"
      ]
    }
  }
}
There's a single Boolean loose option, which defaults to false. Passing true further reduces output size.
The loose setting turns off a rarely-needed function name workaround for older versions of Edge. If you're not relying on Function.prototype.name, it's worth enabling loose mode.
Babel’s preset-env is great, since it lets you define which Babel features are needed based on a browser support target. In order to make that plumbing work automatically, the preset has configuration that groups all of the new JavaScript syntax features into collections of related syntax transforms. These groups are fairly large, for example "function arguments" includes destructured, default and rest parameters. The groupings come from the fact that Babel’s transforms often rely on other transforms, so they can’t always be applied in isolation.
From this grouping information, Babel enables or disables each group based on the browser support target you specify to preset-env’s targets option. For modern output, the targets.esmodules option is effectively an alias for the set of browsers that support ES Modules: Edge 16+, Safari 10.1+, Firefox 60+ and Chrome 61+.
Here's the problem: if any version of any browser in that list contains a bug triggered by modern syntax, the only solution we have is to enable the corresponding transform group that fixes that bug. This means that fundamentally, preset-env converts code to ES5 in order to get around syntax bugs in ES2017. Since that's the only solution at our disposal, eventually it becomes overused.
For example, all of the new syntax features relating to function parameters are grouped into the same Babel plugin (@babel/plugin-transform-function-parameters). That means because Edge 16 & 17 support ES Modules but have a bug related to parsing shorthand destructured parameters with default values within arrow functions, all functions get compiled from the new compact argument syntaxes down to ES5:
// this breaks in Edge 16:
const foo = ({ a = 1 }) => {};
// .. but this doesn't:
function foo({ a = 1, b }, ...args) {}
// ... and neither does this:
const foo = ({ a: a = 1 }) => {};
In fact, there are 23 syntax improvements for function parameters in ES2017, and only one of them is broken in ES Modules-supporting browsers. It seems unfortunate to transpile all those great features down to ES5 just for one browser!
This plugin takes a different approach than we've historically taken with JavaScript: it transpiles the broken syntax to the closest non-broken modern syntax. In the above case, here's what is generated to fix all ES Modules-supporting browsers:
input:
const foo = ({ a = 1 }, b = 2, ...args) => [a,b,args];
output:
const foo = ({ a: a = 1 }, b = 2, ...args) => [a,b,args];
That output works in all ES Modules-supporting browsers, and is only 59 bytes minified & gzipped.
Compare this to @babel/preset-env's targets.esmodules output (147 bytes minified & gzipped):
const foo = function foo(_ref, b) {
  let { a = 1 } = _ref;
  if (b === void 0) {
    b = 2;
  }
  for (
    var _len = arguments.length,
      args = new Array(_len > 2 ? _len - 2 : 0),
      _key = 2;
    _key < _len;
    _key++
  ) {
    args[_key - 2] = arguments[_key];
  }
  return [a, b, args];
};
The result is improved bundle size and performance, while supporting the same browsers.
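An added check, not part of the original README: it runs the three snippets above against constructed argument lists to confirm they return the same values, and reports what a caller can still observe to differ in the preset-env output (declared arity and the presence of a prototype property). The names original, presetModules, presetEnv, CASES, run, sameResults and shape are chosen for this example.

```javascript
// The three versions of the function shown above (variable names are this example's).
const original = ({ a = 1 }, b = 2, ...args) => [a, b, args]; // input; breaks in Edge 16
const presetModules = ({ a: a = 1 }, b = 2, ...args) => [a, b, args]; // preset-modules output
const presetEnv = function foo(_ref, b) { // preset-env targets.esmodules output
  let { a = 1 } = _ref;
  if (b === void 0) { b = 2; }
  for (var _len = arguments.length, args = new Array(_len > 2 ? _len - 2 : 0), _key = 2; _key < _len; _key++) {
    args[_key - 2] = arguments[_key];
  }
  return [a, b, args];
};

// Constructed inputs: defaults, explicit undefined, null, falsy values, rest
// arguments, and a missing first argument (destructuring undefined throws).
const CASES = [
  [{}],
  [{ a: 5 }],
  [{ a: undefined }, undefined],
  [{ a: null }, null],
  [{ a: 0 }, 0, "x", "y"],
  [{}, 7, 8],
  [],
];

// Call fn and serialise the outcome, recording the error type if it throws.
function run(fn, args) {
  try {
    return JSON.stringify(fn(...args));
  } catch (err) {
    return "throws " + err.constructor.name;
  }
}

// True when candidate matches reference on every constructed case.
function sameResults(reference, candidate) {
  return CASES.every((args) => run(reference, args) === run(candidate, args));
}

// Properties a caller can observe without invoking the function.
function shape(fn) {
  const hasPrototype = Object.prototype.hasOwnProperty.call(fn, "prototype");
  return { length: fn.length, hasPrototype };
}

console.log(sameResults(original, presetModules), sameResults(original, presetEnv));
console.log(shape(original), shape(presetModules), shape(presetEnv));
```

Both outputs match the input on every case, but only the preset-modules output keeps the arrow function's length of 1 and its lack of a prototype property.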
The output generated by this preset includes workarounds for Safari 10, however minifiers like Terser sometimes remove these workarounds. In order to avoid shipping broken code, it's important to tell Terser to preserve the workarounds, which can be done via the safari10 option.
It's also generally the case that minifiers are configured to output ES5 by default, so you'll want to change the output syntax to ES2017.
With Terser's Node API:
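const terser = require("terser");

// `code` is the source string to minify; the options object is the second argument
terser.minify(code, {
  ecma: 2017,
  safari10: true
});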
With Terser CLI:
terser --ecma 2017 --safari10 ...
With terser-webpack-plugin:
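const TerserPlugin = require("terser-webpack-plugin");

module.exports = {
  optimization: {
    minimizer: [
      new TerserPlugin({
        // Keep ES2017 output and the Safari 10 workarounds
        terserOptions: {
          ecma: 2017,
          safari10: true
        }
      })
    ]
  }
};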
All of the above configurations also apply to uglify-es. UglifyJS (2.x and prior) does not support modern JavaScript, so it cannot be used in conjunction with this preset.
FAQs
The npm package @babel/preset-modules receives a total of 16,834,327 weekly downloads. As such, the popularity of @babel/preset-modules is classified as popular.
We found that @babel/preset-modules demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 5 open source maintainers collaborating on the project.