@livestore/wa-sqlite
Changes include:
- `src/sqlite-api.js`:
  - `open_v2` but additionally exposes `open_v2Sync` which is synchronous
  - `serialize`, `deserialize` and `backup` functions
- `src/types/index.d.ts`
  - `declare` `SQLiteAPI` / `SQLiteVFS` globally but export it properly
- `src/examples`
- `dist`
This is a WebAssembly build of SQLite with support for writing SQLite virtual filesystems completely in Javascript. This allows alternative browser storage options such as IndexedDB and Origin Private File System. Applications can opt to use either a synchronous or asynchronous (using Asyncify or JSPI) SQLite library build (an asynchronous build is required for asynchronous extensions).
IndexedDB and several Origin Private File System virtual file systems are among the examples provided as proof of concept. A table comparing the different VFS classes is here.
Try the demo or run benchmarks with a modern desktop web browser. More information is available in the FAQ, discussion forums, and API reference.
The primary motivation for this project is to enable additions to SQLite with only Javascript. Most developers should be able to use the pre-built artifacts in ./dist. Note that earlier versions of the project only provided pre-built artifacts in the "buildless" branch; that branch will no longer be maintained.
Minor build customization (e.g. changing build defines or flags) can be done with make arguments, and the helper project sqwab can be used to build without a local build environment.
If you do want to build yourself, here are the prerequisites:
- `yarn` - If you use a different package manager (e.g. `npm`) then file paths in the demo will need adjustment.
- `curl`, `make`, `openssl`, `sed`, `tclsh`, `unzip`
Here are the build steps:
- `emcc` works.
- `git clone git@github.com:rhashimoto/wa-sqlite.git`
- `cd wa-sqlite`
- `yarn install`
- `make`

The default build produces ES6 modules + WASM, synchronous and asynchronous (using Asyncify and JSPI) in `dist/`.
Javascript wrappers for core SQLITE C API functions (and some others) are provided. Some convenience functions are also provided to reduce boilerplate. Here is sample code to load the library and call the API:
```javascript
import SQLiteESMFactory from 'wa-sqlite/dist/wa-sqlite.mjs';
import * as SQLite from 'wa-sqlite';

async function hello() {
  // Instantiate the WebAssembly module and wrap it with the JavaScript API.
  const module = await SQLiteESMFactory();
  const sqlite3 = SQLite.Factory(module);

  const db = await sqlite3.open_v2('myDB');
  // The callback is invoked once per result row.
  await sqlite3.exec(db, `SELECT 'Hello, world!'`, (row, columns) => {
    console.log(row);
  });
  await sqlite3.close(db);
}

hello();
```
There is a slightly more complicated example here that also shows how to use a virtual filesystem (VFS) for persistent storage.
The implementation of `sqlite3.exec` may be of interest to anyone wanting more fine-grained use of SQLite statement objects (e.g. for binding parameters, explicit column datatypes, etc.).
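As an added example (not part of the original README), this is one way to use statement objects to bind untrusted values as parameters instead of concatenating them into the SQL text passed to `sqlite3.exec`. The helper name `queryWithParams` and the `users` table are hypothetical; the helper takes the API object and the `SQLITE_ROW` constant as arguments and uses the upstream wa-sqlite calls `statements`, `bind_collection`, `step` and `row`.

```javascript
// Added example, not code from the wa-sqlite project.
// sqlite3    : the object returned by SQLite.Factory(module)
// SQLITE_ROW : the constant of that name exported by the 'wa-sqlite' module
// queryWithParams is a hypothetical helper name.
async function queryWithParams(sqlite3, SQLITE_ROW, db, sql, params) {
  const rows = [];
  let prepared = 0;
  // statements() yields one prepared statement per SQL statement in `sql`.
  for await (const stmt of sqlite3.statements(db, sql)) {
    // exec() would run every statement in the string; this helper stops
    // before a second statement is bound or stepped.
    if (++prepared > 1) {
      throw new Error('expected a single SQL statement');
    }
    // Bound values fill the ? / :name placeholders as data. They are never
    // parsed as SQL, whatever characters they contain.
    sqlite3.bind_collection(stmt, params);
    while (await sqlite3.step(stmt) === SQLITE_ROW) {
      rows.push(sqlite3.row(stmt));
    }
  }
  return rows;
}

// Usage with the objects from the sample above (table name is constructed):
//   const rows = await queryWithParams(sqlite3, SQLite.SQLITE_ROW, db,
//     'SELECT name FROM users WHERE id = ?', [untrustedId]);
```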
To serve the demo directly from the source tree:
yarn start
The demo page provides access to databases on multiple VFS implementations. Query parameters on the demo page URL can be used to specify the configuration and initial state:
Parameter | Purpose | Values | Default |
---|---|---|---|
build | Emscripten build type | default, asyncify, jspi | default |
config | select VFS | MemoryVFS, MemoryAsyncVFS, IDBBatchAtomicVFS, IDBMirrorVFS, AccessHandlePoolVFS, OPFSAdaptiveVFS, OPFSAnyContextVFS, OPFSCoopSyncVFS, OPFSPermutedVFS | uses SQLite internal memory |
reset | clear persistent storage | | |
For convenience, if any text region is selected in the editor, only that region will be executed. In addition, the editor contents are restored across page reloads using browser localStorage.
MIT License as of February 10, 2023, changed by generous sponsors Fleet Device Management and Reflect. Existing licensees may continue under the GPLv3 or switch to the new license.
We found that @livestore/wa-sqlite demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.