Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

@bytecodealliance/componentize-js

Package Overview
Dependencies
Maintainers
3
Versions
38
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@bytecodealliance/componentize-js

<code>ComponentizeJS</code>

  • 0.8.2
  • npm
  • Socket score

Version published
Weekly downloads
5.9K
decreased by-57.2%
Maintainers
3
Weekly downloads
 
Created
Source

ComponentizeJS

ESM -> WebAssembly Component creator,
via a SpiderMonkey JS engine embedding

A Bytecode Alliance project

build status

Overview

Provides a Mozilla SpiderMonkey embedding that takes as input a JavaScript source file and a WebAssembly Component WIT World, and outputs a WebAssembly Component binary with the same interface.

Note: This is an experimental project, no guarantees are provided for stability or support and breaking changes may be made in future.

Example

See the end-to-end example workflow for creating a JS component and running it in Wasmtime or Node.js.

Explainer

For background on the concepts involved, see https://bytecodealliance.org/articles/making-javascript-run-fast-on-webassembly.

The goal of this project specifically is to provide a comprehensive dynamic bindings system for creating arbitrary WebAssembly Components from JavaScript. That is, to provide full flexibility over the resultant JS environment and WIT World.

Wizer Pre-Initialization

Adaption follows the standard Wizer technique in pre-initializing a snapshot of the runtime against the source and bindings.

The snapshotting process executes the JS engine initialization, globals and parsing and compiling of the source code. Currently we also evaluate the top-level of the source so that the executed exports of the top-level ES module are provided already initialized.

As a result, at runtime - only the bytecode is being executed, without any initialization costs. This makes on-demand Wasm execution of JS incredibly fast.

SpiderMonkey Embedding

As a dynamic language with quirks, JavaScript cannot be compiled directly into bytecode without including a comprehensive ECMA-262 spec-compliant runtime engine. Componentization of JavaScript thus involves embedding the JS runtime engine into the component itself.

SpiderMonkey is chosen here as a JS engine with first-class WASI build support, using an embedding of the StarlingMonkey Wasm engine. The total embedding size is around 8MB.

One of the security benefits of the component model is complete code isolation apart from the shared-nothing code boundaries between components. By fully encapsulating the engine embedding for each individual component, this maintains comprehensive per-component isolation.

As more components are written in JavaScript, and there exist scenarios where multiple JS components are communicating in the same application, the plan for optimization here is to share the SpiderMonkey engine embedding between them. This can be done without breaking the shared-nothing semantics by having the engine itself loaded as a shared library of the components. Sharing functions via same SpiderMonkey build, not memory.

Establishing this initial prototype as a singular flexible engine foundation that can be turned into a shared library is therefore the focus for this project.

Platform APIs

The following APIs are available:

  • Legacy Encoding: atob, btoa, decodeURI, encodeURI, decodeURIComponent, encodeURIComponent
  • Streams: ReadableStream, ReadableStreamBYOBReader, ReadableStreamBYOBRequest, ReadableStreamDefaultReader, ReadableStreamDefaultController, ReadableByteStreamController, WritableStream ByteLengthQueuingStrategy CountQueuingStrategy, TransformStream
  • URL: URL URLSearchParams
  • Console: console
  • Performance: Performance
  • Task: queueMicrotask, setInterval setTimeout clearInterval clearTimeout
  • Location: WorkerLocation, location
  • Encoding: TextEncoder, TextDecoder, CompressionStream, DecompressionStream
  • Structured Clone: structuredClone
  • Fetch: fetch Request Response Headers
  • Crypto: SubtleCrypto Crypto crypto CryptoKey

Usage

Install and run as a Node.js library:

npm install @bytecodealliance/componentize-js
import { componentize } from '@bytecodealliance/componentize-js';
import { writeFile } from 'node:fs/promises';

const { component } = await componentize(`
  export function hello (name) {
    return \`Hello \${name}\`;
  }
`, `
  package local:hello;
  world hello {
    export hello: func(name: string) -> string;
  }
`, {
  // recommended to get error debugging
  // disable to get a "pure component" without WASI imports
  enableStdout: true
});

await writeFile('test.component.wasm', component);

The component iself can be executed in any component runtime, see the example for a full workflow.

Features

The set of enabled features in the engine can be customized depending on the target world and expected capabilities.

The default set of features includes:

  • 'stdio': Output to stderr and stdout for errors and console logging, depends on wasi:cli and wasi:io.
  • 'random': Support for cryptographic random, depends on wasi:random. When disabled, random numbers will still be generated but will not be random and instead fully deterministic.
  • 'clocks': Support for clocks and duration polls, depends on wasi:clocks and wasi:io. When disabled, using any timer functions like setTimeout or setInterval will panic.

Setting disableFeatures: ['random', 'stdio', 'clocks'] will disable all features creating a minimal "pure component", that does not depend on any WASI APIs at all and just the target world.

Note that pure components will not report errors and will instead trap, so that this should only be enabled after very careful testing.

Note that features explicitly imported by the target world cannot be disabled - if you target a component to a world that imports wasi:clocks, then disableFeatures: ['clocks'] will not be supported.

API

export function componentize(jsSource: string, opts: {
  witPath: string,
  worldName: string,
  debug?: bool,
  sourceName?: string,
  engine?: string,
  preview2Adapter?: string,
  disableFeatures?: ('stdio' | 'random' | 'clocks')[],
}): {
  component: Uint8Array,
  imports: string[]
}

Converts a JS source into a component binary.

Contributing

Pre-requisites

  • git submodule update --init --recursive to update the submodules.
  • Stable Rust with the wasm32-unknown-unknown and wasm32-wasi targets installed.
  • wasi-sdk-20.0 installed at /opt/wasi-sdk/

Building and testing

Building and testing is based on a npm install && npm run build && npm run test workflow.

License

This project is licensed under the Apache 2.0 license with the LLVM exception. See LICENSE for more details.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in this project by you, as defined in the Apache-2.0 license, shall be licensed as above, without any additional terms or conditions.

FAQs

Package last updated on 22 Mar 2024

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc