
Security News
Risky Biz Podcast: AI Agents Are Raising the Stakes for Software Supply Chain Security
Open source attacks are accelerating as AI coding agents pull in dependencies faster, with less human review.
@ecopages/core
Advanced tools
The foundational engine for the Ecopages framework. It provides the core build pipeline, development server, routing, and plugin architecture required to run an Ecopages application.
Ecopages is an extensible static site generator (SSG) built around a Bun-first core with Node fallback support and Vite-hosted compatibility for advanced dev and build orchestration. It embraces a strictly MPA (Multi-Page Application) architecture by default, rendering HTML at build-time or request-time, and hydrating interactive islands only where necessary.
createApp() prefers Bun when available and falls back to Node otherwise. Vite and Nitro still own host-side dev and build orchestration.The current core package is organized around app-owned runtime state and explicit service boundaries.
The important ownership rules are:
ConfigBuilder.build() finalizes app-owned build and runtime services.flowchart TD
A[eco.config.ts] --> B[ConfigBuilder.build]
B --> C[App build adapter]
B --> D[App build manifest]
B --> E[Build executor]
B --> F[Dev graph service]
B --> G[Host module loader boundary]
G --> H[PageModuleImportService]
E --> H
E --> I
E --> I[BrowserBundleService]
H --> J[Runtime app adapter]
J --> K[Bun adapter or Node adapter]
D --> I
flowchart TD
A[File change] --> B[ProjectWatcher]
B --> C[DevelopmentInvalidationService]
C --> D{Change kind}
D -->|Route or server source| E[Invalidate server modules]
D -->|Public or include| F[Reload browser]
D -->|Processor-owned asset| G[Notify processor only]
D -->|HMR-eligible source| H[Core HMR manager]
H --> I[Strategy selection]
I --> J[Core JsHmrStrategy]
I --> K[Integration strategy e.g. ReactHmrStrategy]
J --> L[BrowserBundleService]
K --> L
K --> M[importServerModule]
M --> N[ServerModuleTranspiler]
L --> O[Updated browser bundle]
O --> P[Client bridge broadcast]
The manager/orchestration layer is core-owned, but framework-specific strategies such as React HMR are contributed by integrations and registered with the shared HMR manager.
ConfigBuilder seeds one app-owned build ownership path, adapter, manifest, executor, dev graph, and runtime registry.BrowserBundleService is the shared browser build seam used by HMR and asset-oriented browser output paths.ServerModuleTranspiler is the shared server-side source loading seam used by runtime bootstrap and HMR metadata loading.createApp() stays the universal runtime entrypoint, while Vite and Nitro hosts own their advanced dev and build workflows.ViteHostBuildAdapter boundary marker instead.Use this package README as the top-level map, then drill into the focused subsystem READMEs:
src/config/README.md: config finalization and app-owned runtime/build statesrc/plugins/README.md: integration and processor authoring contractssrc/build/README.md: build adapter, executor, and development build coordinationsrc/services/README.md: cross-cutting runtime services and orchestration helperssrc/adapters/README.md: Bun, Node, and shared adapter boundariessrc/hmr/README.md: HMR strategy and update-layer ownershipsrc/router/README.md: route discovery, matching, and browser navigation coordinationsrc/route-renderer/README.md: rendering orchestration and dependency resolutionsrc/static-site-generator/README.md: static build execution pathsrc/eco/README.md: eco authoring APIs for pages, layouts, and componentsThe intended reading order is:
src/config/README.md for config and lifecycle ownershipsrc/plugins/README.md and src/build/README.md for contribution contractssrc/services/README.md and src/adapters/README.md for runtime executionsrc/router/README.md and src/route-renderer/README.md for request-time flowbun add @ecopages/core
(You can also use npm, yarn, or pnpm)
The Ecopages architecture revolves around an eco.config.ts file and an application entry point.
eco.config.ts)Configure your integratons, processors, and default metadata. Ecopages uses a builder pattern:
import { ConfigBuilder } from '@ecopages/core/config-builder';
// import your desired plugins...
const config = await new ConfigBuilder()
.setRootDir(import.meta.dirname)
.setBaseUrl(import.meta.env.ECOPAGES_BASE_URL ?? 'http://localhost:3000')
.setDefaultMetadata({
title: 'My Ecopages Site',
description: 'Built with Ecopages',
})
// .setIntegrations([kitajsPlugin()])
.build();
export default config;
app.ts)Start the application using createApp. It will choose the Bun adapter when Bun is available and fall back to Node otherwise.
import { createApp } from '@ecopages/core/create-app';
import appConfig from './eco.config';
const app = await createApp({ appConfig });
await app.start();
Use the eco.page() factory to define static routes. Place these in src/pages/:
import { eco } from '@ecopages/core';
import { BaseLayout } from '@/layouts/base-layout';
export default eco.page({
layout: BaseLayout,
metadata: () => ({
title: 'Home',
}),
render: () => (
<div>
<h1>Welcome to Ecopages</h1>
</div>
),
});
Define components with eco.component() to automatically inject necessary stylesheets or scripts only when that component is rendered:
import { eco } from '@ecopages/core';
export const MyButton = eco.component({
dependencies: {
stylesheets: ['./button.css'],
},
render: ({ label }) => <button className="my-button">{label}</button>,
});
Dependency ownership affects final asset packaging:
eco.html() stay Html-owned and can be emitted as shared app-wide assets.Add server-side routes using defineApiHandler. Register them on your app instance before starting:
import { defineApiHandler } from '@ecopages/core';
export const helloWorld = defineApiHandler({
path: '/api/hello',
method: 'GET',
handler: async ({ response }) => {
return response.json({ message: 'Hello World' });
},
});
Attach the handler in your app.ts entry:
// app.ts
import { createApp } from '@ecopages/core/create-app';
import { helloWorld } from './handlers/hello';
import appConfig from './eco.config';
const app = await createApp({ appConfig });
app.get(helloWorld); // Register the API handler
await app.start();
See the official documentation for advanced usage, API handlers, and integrations.
Use the create-app subpath for runtime startup and the root package for standard authoring helpers:
import { createApp } from '@ecopages/core/create-app';
import { defineApiHandler, defineGroupHandler, eco } from '@ecopages/core';
[!NOTE]
createAppis the recommended entrypoint overEcopagesApp.
Use runtime-specific subpaths only when you explicitly need Bun-native APIs that bypass the universal abstractions:
@ecopages/core/bunThe published subpaths are grouped by architectural role rather than by source folder.
Use these entrypoints when building an Ecopages app:
@ecopages/core@ecopages/core/create-app@ecopages/core/config-builder@ecopages/core/errors@ecopages/core/html@ecopages/core/hash@ecopages/core/declarations@ecopages/core/env@ecopages/core/bunUse these entrypoints when a browser runtime needs to coordinate document ownership and link intent:
@ecopages/core/router/navigation-coordinator@ecopages/core/router/link-intentUse these entrypoints when implementing integrations, processors, or source transforms:
@ecopages/core/plugins/integration-plugin@ecopages/core/plugins/processor@ecopages/core/plugins/source-transform@ecopages/core/route-renderer/integration-renderer@ecopages/core/services/asset-processing-service@ecopages/core/hmr/hmr-strategy@ecopages/core/integrations/ghtmlUse these entrypoints only when implementing host adapters or framework-owned bundling seams:
@ecopages/core/dev/host-runtime@ecopages/core/build/build-adapter@ecopages/core/build/build-types@ecopages/core/plugins/foreign-jsx-override-pluginThese host-facing entrypoints are narrower compatibility seams. App code and most extensions should prefer the app-authoring or extension-authoring surfaces.
FAQs
Core package for Ecopages
We found that @ecopages/core demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
Open source attacks are accelerating as AI coding agents pull in dependencies faster, with less human review.

Research
/Security News
Malicious Chrome and Firefox extensions posed as free VPNs while stealing clipboard data through later extension updates.

Research
/Security News
Miasma Mini Shai-Hulud hits @immobiliarelabs Backstage plugins, targeting GitLab and LDAP auth packages on npm.