Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
@clutter/wt
Advanced tools
wt
is a JavaScript library to track events in the browser.
The easiest way to install wt
is through Yarn:
yarn add @clutter/wt
Events can be tracked with the function wt.track(params: WTEventParams & Record<string, any>)
.
wt.track({ action: "hover" });
All events have a kind
property that defaults to "event"
. For events that don't require any additional data (e.g. pageview events), there is a simplified syntax to set only the kind
property:
wt.track("pageview");
Multiple events can be tracked by calling wt
several times:
wt.track({ action: "hover" });
// after 0.2 seconds
wt.track({ action: "click" });
Under the hood, wt
is optimized to deal with multiple events.
wt
bundles multiple consecutive events into one request, if they occur within 1.5 seconds.
The goal is to avoid hitting the server too many times.
If multiple events are sent in the same request, each request has its own payload.
wt
includes a list of recognized properties, detailed in WTEventParams
(also see Server Implementation below). Custom properties can also be tracked and will be grouped under a single metadata
property.
@clutter/wt
includes a React integration that supports providing event parameters via React context, validating events, and hooks to easily track events and inspect the current context parameters.
WT exports a default WTProvider
component, and two hooks: useTrack
and useWT
. The provided hooks can only be used within a WTProvider
(calling useWT
or useTrack
will not error, but attempting to track an event will).
const TrackedButton = ({ children }) => {
const track = useTrack();
return <button onClick={() => track()}>{children}</button>;
};
<>
<TrackedButton>I will throw if you click me!</TrackedButton>
<WTProvider>
<TrackedButton>I will not throw!</TrackedButton>
</WTProvider>
</>;
If additional customization is desired, there is also a createProvider
utility which allows for custom typing and added
event control. Each call to createProvider
creates a new, distinct React context meaning that the returned hooks will not work with the default WTProvider
.
type EventParams = WTEventParams & {
customParamA: string;
customParamB?: string;
};
// The returned provider and hooks share a single context and respect the EventParams type
const { WTProvider, useTrack, useWT } = createProvider((params: EventParams) =>
wt.track(params)
);
Context providers may be nested to build event parameters contextually:
const TrackedButton = ({ children }) => {
const track = useTrack();
return <button onClick={() => track()}>{children}</button>;
};
<WTProvider params={{ pageName: "home" }}>
<WTProvider params={{ container: "hero" }}>
{/* Events tracked here will receive the params { pageName: 'home', container: 'hero' } */}
<TrackedButton>I am a hero!</TrackedButton>
</WTProvider>
<WTProvider params={{ container: "body" }}>
{/* Events tracked here will receive the params { pageName: 'home', container: 'body' } */}
<TrackedButton>I have a body!</TrackedButton>
</WTProvider>
</WTProvider>;
useTrack
provides the most flexible interface to track an event in a context aware manner
function List({ children }) {
// Parameters passed to `useTrack` will be merged into each call to `track`
const track = useTrack({ container: "list" });
return (
<ul>
<li>
{/* Parameters can also be passed to individual `track` calls */}
<button onClick={() => track({ position: 1 })}>Item 1</button>
<button onClick={() => track({ position: 2 })}>Item 2</button>
</li>
</ul>
);
}
useWT
can be used if seeing the context event parameters is desired
function List({ children }) {
const { track, params } = useWT();
doSomethingWithPageName(params.pageName);
return (
<button onClick={() => track({ label: "Track me!" })}>Track me!</button>
);
}
Because event parameters can be spread across nested contexts, it can be useful to validate that required params are present.
const validateEvent = (params: any) => {
// Throw an error in severe cases if desired
if (params.name === "John Doe") {
throw new Error("John Doe must remain anonymous!");
}
// Returning a false-y value will bypass sending the event.
return !!params.pageName;
};
const { WTProvider } = createProvider((params) => wt.track(params), {
validateEvent,
});
By default, wt
expects the tracker domain to be the same host as the current page.
This can be changed by initializing wt
with a different trackerDomain
before tracking:
wt.initialize({
trackerDomain: "www.my-pixel-endpoint.com",
});
By default, wt
generates a cookie as a pixel to keep track of a visitor.
This can be changed by initializing wt
with a different domain
and expires
prior to tracking:
wt.initialize({
cookies: {
domain: ".example.com",
expires: 365,
},
});
If part of the payload is the same for every event, it can be set once using set
. For instance calling:
wt.set({
user: {
id: 1,
},
});
ensures that the user ID is sent as part of the payload in any event.
Calling set
multiple times merges values together, preferring new values.
Values already set can be cleared with:
wt.clear();
You may want to subscribe to lifecycle events for the tracker.
import wt, { SEND_COMPLETED } from "@clutter/wt";
wt.subscribe(SEND_COMPLETED, () => {
console.log("Analytics data sent");
});
The lifecycle events are:
SEND_STARTED: "send:started"
- the tracker has started sending data via the tracker pixelSEND_COMPLETED: "send:completed"
- the tracker has finished sending data via the tracker pixelQUEUE_COMPLETED: "queue:completed"
- the tracker has finished sending data via the tracker pixel and no additional events are queuedQUEUE_CONTINUED: "queue:continued"
- the tracker has finished sending data via the tracker pixel and some additional events are queuedCalling this method will return an unsubscribe
method. You can use it to stop listening to the event.
import wt, { SEND_COMPLETED } from "@clutter/wt";
const unsub = wt.subscribe(SEND_COMPLETED, () => {
console.log("Analytics data sent - you'll only see this once");
unsub();
});
Events will be sent to the server by one of two methods:
The query string will use the following structure:
{
events: [
{
// The url of the page triggering the event
url: 'https://www.clutter.com/',
// Referrer of the page if present
referrer: '',
// A uuid which connects all events in a single "pageview" (this is only
// regenerated on browser navigation, not SPA navigation)
page_uuid: '5bf86c66-1d3a-4b69-9a4e-e33ce421d791',
// Epoch MS at the time of the event
ts: '1634596872864'
// Known parameters passed to wt.track are converted to snake case and merged with the event
kind: 'event',
category: 'user_interaction',
action: 'click',
label: 'What\'s your zip code?',
value: '90232',
page_name: 'home',
container: 'hero',
position: '1',
object_type: 'button',
object_name: 'hero_cta',
// Parameters not included in the above list will be grouped under
// a single metadata key (without any transformation).
metadata: {
variant: 'jungle',
button_color: 'toucan'
}
}
],
dimensions: { width: '1680', height: '916' },
agent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36',
rts: '1634596873615'
}
[v3.0.0] - Tuesday, Feb 16th, 2023
text/plain
to bypass CORS restrictionsschema
propertymetadata
key explicitly
.set
API to allow setting both metadata and top level propertiesFAQs
`wt` is a JavaScript library to track events in the browser.
The npm package @clutter/wt receives a total of 258 weekly downloads. As such, @clutter/wt popularity was classified as not popular.
We found that @clutter/wt demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.