@browserify/uglifyify
A Browserify transform which minifies your code using terser.
npm install @browserify/uglifyify
Ordinarily you'd be fine doing this:
browserify index.js | terser -c > bundle.js
But uglifyify is able to yield smaller output by processing files individually instead of just the entire bundle. When using uglifyify you should generally also use Uglify, to achieve the smallest output. Uglifyify provides an additional optimization when used with Uglify, but does not provide all of the optimization that using Uglify on its own does, so it's not a replacement.
Uglifyify gives you the benefit of applying Uglify's "squeeze" transform on each file before it's included in the bundle, meaning you can remove dead code paths for conditional requires. Here's a contrived example:
if (true) {
  module.exports = require('./browser')
} else {
  module.exports = require('./node')
}
module.exports = require('./node') will be excluded by Uglify, meaning that only ./browser will be bundled and required.
If you combine uglifyify with envify, you can make this a little more accessible. Take this code:
if (process.env.NODE_ENV === 'development') {
  module.exports = require('./development')
} else {
  module.exports = require('./production')
}
And use this to compile:
NODE_ENV=development browserify -t envify -t @browserify/uglifyify index.js -o dev.js &&
NODE_ENV=production browserify -t envify -t @browserify/uglifyify index.js -o prod.js
It should go without saying that you should be hesitant using environment variables in a Browserify module - this is best suited to your own applications or modules built with Browserify's --standalone tag.
Sometimes, you don't want uglifyify to minify all of your files – for example, if you're using a transform to require CSS or HTML, you might get an error as uglify expects JavaScript and will throw if it can't parse what it's given. To limit minification to specific file extensions, use the -x or --exts transform options, e.g. from the command-line:
browserify \
  -t coffeeify \
  -t [ @browserify/uglifyify -x .js -x .coffee ]
The above example will only minify .js and .coffee files, ignoring the rest.
You might also want to take advantage of uglifyify's pre-bundle minification to produce slightly leaner files across your entire browserify bundle. By default, transforms only alter your application code, but you can use global transforms to minify module code too. From your terminal:
browserify -g @browserify/uglifyify ./index.js > bundle.js
Or programmatically:
var browserify = require('browserify')
var fs = require('fs')
var bundler = browserify(__dirname + '/index.js')
// global: true applies the transform to files in node_modules as well
bundler.transform('@browserify/uglifyify', { global: true })
bundler.bundle()
  .pipe(fs.createWriteStream(__dirname + '/bundle.js'))
Note that this is fine for uglifyify as it shouldn't modify the behavior of your code unexpectedly, but transforms such as envify should almost always stay local – otherwise you'll run into unexpected side-effects within modules that weren't expecting to be modified as such.
Sometimes uglifyjs will break specific files under specific settings – it's
rare, but does happen – and to work around that, you can use the ignore
option. Given one or more glob patterns, you can filter out specific files
this way:
browserify -g [ @browserify/uglifyify --ignore '**/node_modules/weakmap/*' ] ./index.js
// The same ignore filter passed through the API
var browserify = require('browserify')
var bundler = browserify('index.js')
bundler.transform('@browserify/uglifyify', {
  global: true,
  ignore: [
    '**/node_modules/weakmap/*',
    '**/node_modules/async/*'
  ]
})
bundler.bundle().pipe(process.stdout)
Uglifyify supports source maps, so you can minify your code and still see the original source – this works especially well with a tool such as exorcist when creating production builds.
Source maps are enabled when the --debug flag (or debug option) is passed to your browserify bundle.
Enabling --debug with browserify is easy:
browserify -t @browserify/uglifyify --debug index.js
var browserify = require('browserify')
// debug: true makes browserify emit an inline source map
var bundler = browserify({ debug: true })
bundler
  .add('index.js')
  .transform('@browserify/uglifyify')
  .bundle()
  .pipe(process.stdout)
If you'd prefer them not to be included regardless, you can opt out using the sourcemap option:
browserify -t [ @browserify/uglifyify --no-sourcemap ] app.js
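var browserify = require('browserify')
var bundler = browserify('index.js')
// sourceMap: false disables source map output from the transform
bundler.transform('@browserify/uglifyify', { sourceMap: false })
  .bundle()
  .pipe(process.stdout)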
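An added example, not part of the uglifyify README: because --debug inlines the source map into the bundle, a release check can confirm that a production artifact does not ship one together with the original source it embeds. The function names and the sample bundle below are constructed for illustration.

```javascript
'use strict'

// Matches the inline source map comment appended to a bundle built with --debug.
const INLINE_MAP = /\/\/[#@] sourceMappingURL=data:application\/json;(?:charset[=:][\w-]+;)?base64,([A-Za-z0-9+/=]+)\s*$/m

// Returns null when the bundle has no inline map, otherwise a summary of
// what the embedded map discloses to anyone who downloads the bundle.
function auditInlineSourceMap (bundleText) {
  const match = INLINE_MAP.exec(bundleText)
  if (!match) return null
  const map = JSON.parse(Buffer.from(match[1], 'base64').toString('utf8'))
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : []
  return {
    sources: map.sources || [],
    embedsOriginalSource: contents.some(c => typeof c === 'string' && c.length > 0),
    base64Length: match[1].length
  }
}

// Removes the inline map comment (keeping the code) for a production artifact.
function stripInlineSourceMap (bundleText) {
  return bundleText.replace(INLINE_MAP, '').trimEnd() + '\n'
}

// Constructed sample: a tiny "bundle" with an inline map, built here so the
// example runs offline. Real input would be the output of `browserify --debug`.
function makeSampleBundle () {
  const map = {
    version: 3,
    sources: ['index.js', 'lib/development.js'],
    names: [],
    mappings: 'AAAA',
    sourcesContent: [
      'module.exports = require("./lib/development")',
      'exports.debugToken = "constructed-value"'
    ]
  }
  const b64 = Buffer.from(JSON.stringify(map)).toString('base64')
  return '!function(){console.log(1)}();\n' +
    '//# sourceMappingURL=data:application/json;charset=utf-8;base64,' + b64 + '\n'
}

console.log(auditInlineSourceMap(makeSampleBundle()))
```

In a build pipeline, fail the release when auditInlineSourceMap returns a non-null report for a production bundle, or when its sources list names development-only modules.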
FAQs
We found that @browserify/uglifyify demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 39 open source maintainers collaborating on the project.