
Research
/Security News
11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.
@czap/cloudflare
Advanced tools
Run LiteShip on Cloudflare Workers: a site adapter with a KV-backed edge cache and the Astro middleware glue that caches boundaries at the edge.
Astro middleware glue that serves LiteShip's per-tier compiled boundary CSS from Cloudflare Workers KV.
Install this directly when you deploy an Astro 7 site on Cloudflare Workers. If you're starting a new project, start with
@czap/astroand add this package when you pick Cloudflare as the host.
pnpm add @czap/cloudflare @czap/astro @astrojs/cloudflare@^14 astro@^7 wrangler@^4
Also install the Effect 4 beta peer with pnpm add effect@beta — a bare pnpm add effect installs 3.x and fails the peer check.
// src/middleware.ts
import { cloudflareMiddleware } from '@czap/cloudflare';
import { boundaries } from 'virtual:czap/boundaries';
export const onRequest = cloudflareMiddleware({
binding: 'CZAP_BOUNDARY_CACHE', // KV namespace name in wrangler.jsonc
manifest: boundaries,
boundary: 'viewport', // optional when the manifest has one entry
});
Each request now resolves the visitor's device tier and serves that tier's precompiled boundary CSS through Astro.locals.czap — locals.czap.edge.cacheStatus reads precompiled or hit once KV is wired. virtual:czap/boundaries is the manifest the @czap/vite plugin derives at build time: each entry carries the boundary's minted content address (a hash of its definition) plus per-tier outputs, so nothing is hand-typed. For editor types, add /// <reference types="@czap/vite/virtual" /> to src/env.d.ts.
For Astro 7 route-cache invalidation, use @czap/cloudflare/cache-provider in astro.config.mjs and pass matching tags to cloudflareMiddleware(). cache.invalidate({ tags }) then purges the same KV tag index that boundary compile fallbacks write.
Because cloudflareMiddleware wraps @czap/astro's czapMiddleware, the Workers edge also gets the responsive-media host projection (#140): Astro.locals.czap.responsiveMedia(intent) derives Save-Data / DPR caps from the request's Client Hints and projects through @czap/core's selectCandidates law, so a Save-Data client on the edge is never advertised a heavy image candidate through src / srcset / <source> / the preload; the responsive Vary axis (Sec-CH-DPR, Save-Data) is merged into the response. Runnable in examples/cloudflare-astro.
A host adapter — it touches Cloudflare APIs (the cloudflare:workers env and KV namespaces) so nothing else has to. It depends on @czap/astro for the middleware contract, @czap/edge for tier detection and the content-addressed cache, and @czap/core for the id types. Boundary authoring and compilation live upstream; this package is the Cloudflare glue for middleware, Workers KV, and Astro 7 cache invalidation. See the
package surfaces map
for the full layout.
A mistyped binding emits a CZAP diagnostic, KV reads return null, writes no-op, and every request falls back to the manifest or compile path with cacheStatus: 'miss'. Check that binding matches the KV namespace name in wrangler.jsonc, then run czap doctor --target cloudflare (from @czap/cli) for a preflight of Astro, adapter, and wrangler config.
Part of LiteShip — powered by the CZAP engine (Content-Zoned Adaptive Projection), distributed as @czap/* packages.
FAQs
Run LiteShip on Cloudflare Workers: a site adapter with a KV-backed edge cache and the Astro middleware glue that caches boundaries at the edge.
We found that @czap/cloudflare demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.

Research
/Security News
4 compromised asyncapi packages deliver miasma botnet loader on macOS, Linux and Windows.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.