
Security News
/Research
Compromised Injective SDK npm Package Exfiltrates Wallet Keys and Mnemonics
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.
@ecopages/react
Advanced tools
First-class integration for React 19 in Ecopages. This plugin enables React SSR and client hydration, allowing you to build component-level React islands or full React Single Page Applications (SPAs).
bunx jsr add @ecopages/react
Configure the plugin in your eco.config.ts:
import { ConfigBuilder } from '@ecopages/core/config-builder';
import { reactPlugin } from '@ecopages/react';
const config = await new ConfigBuilder()
.setBaseUrl(import.meta.env.ECOPAGES_BASE_URL)
.setIntegrations([reactPlugin()])
.build();
export default config;
By default, Ecopages React acts in island mode:
data-eco-component-id attribute is attached to the component SSR root.createRoot() strictly within that root boundary.[!TIP] Full React SPA Routing: If you are building full React pages and want client-side navigation (SPA), use @ecopages/react-router and pass it to the react plugin:
reactPlugin({ router: ecoRouter() }).
The React plugin includes built-in MDX support. When enabled, you can write .mdx pages alongside .tsx pages with unified client-side routing, hydration, and HMR.
import { ConfigBuilder } from '@ecopages/core/config-builder';
import { reactPlugin } from '@ecopages/react';
const config = await new ConfigBuilder()
.setIntegrations([
reactPlugin({
mdx: {
enabled: true,
compilerOptions: {
// Optional: remark/rehype plugins
},
},
}),
])
.build();
export default config;
The React integration supports Node.js modules and server-only code only on the server execution graph.
node:* modules, database clients, filesystem utilities, etc.Keep server helpers close, but separate them physically or logically so they do not leak into the client bundle.
This section explains the internal contract used to keep the browser bundle minimal while preventing server-only code and request-only configuration from leaking into client output.
The React integration has two jobs that must hold at the same time:
That means the client bundle must keep client-safe render logic, but it must drop server-only imports and server-only eco.page(...) options such as middleware and build-time metadata.
Think about each React page as two related graphs:
The React integration builds the client graph conservatively. If a server-only module becomes reachable from the hydrated render path, the build should fail rather than silently shipping unsafe code.
The client bundle keeps:
The client bundle removes or excludes:
eco.page(...) options such as cache, middleware, metadata, staticProps, and staticPaths.Important:
render must stay in the client bundle, because hydration needs it to reconstruct the page tree.requires does not stay in the browser page config. It is used on the server to decide which locals keys may be serialized into the hydration payload.The browser-bound transform in packages/integrations/react/src/utils/client-graph-boundary-plugin.ts follows this order:
eco.page(...) object properties from the reparsed AST.The reparse step is important. Once import edits change source offsets, the original AST locations are stale. Reusing them for later edits can corrupt the output or remove the wrong code.
eco.page(...) Options Are StrippedImport pruning alone is not enough.
Consider a page like this:
import { authMiddleware } from './auth.server';
export default eco.page({
cache: 'dynamic',
middleware: [authMiddleware],
requires: ['session'] as const,
render: () => <div>Dashboard</div>,
});
If the client transform removes the auth.server import but leaves middleware: [authMiddleware] in place, the browser bundle still contains a dangling identifier. That breaks production hydration even though the import was removed correctly.
The fix is to strip server-only eco.page(...) options after import pruning, while keeping render intact.
localsThe browser must not receive arbitrary request-scoped data.
The React renderer in packages/integrations/react/src/react-renderer.ts serializes only the top-level locals keys explicitly declared by Page.requires. If a page does not declare requires, no locals are serialized for hydration.
Example:
export default eco.page({
requires: ['session'] as const,
render: ({ locals }) => <Dashboard user={locals?.session?.user} />,
});
In this case, the hydration payload may include locals.session, but it will exclude unrelated request-only keys.
Important:
locals.session itself contains sensitive nested fields, those fields will still be serialized.requires.Hydration must rebuild the same tree the server rendered.
That applies to both:
If the page render receives locals on the server and the layout also depends on those values, the client must pass the same serialized locals into the layout during hydration. Otherwise React will detect a mismatch.
The main regression coverage lives in:
eco.page(...) options are stripped from browser bundles.requires keys are serialized into hydration payloads.locals into layouts.locals with persistLayouts both enabled and disabled.If you change the AST transform or hydration flow, update the corresponding tests in the same change.
FAQs
React integration for Ecopages
The npm package @ecopages/react receives a total of 368 weekly downloads. As such, @ecopages/react popularity was classified as not popular.
We found that @ecopages/react demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.

Security News
npm v12 is generally available, turning install scripts off by default and beginning the deprecation of 2FA-bypass publishing tokens.

Research
/Security News
Socket tracks the activity as Operation “Muck and Load”: a threat actor uses commit-farming workflows, public dead drops, and protected archives to stage Windows RAT and infostealer malware.