Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@lwc/module-resolver
Advanced tools
Implements the LWC module resolver algorithm.
npm install --save-dev @lwc/module-resolver
resolveModule(specifier, importer, options)
Synchronously resolves an LWC module specifier from an import path.
import { resolveModule } from '@lwc/module-resolver';
const result = resolveModule('x/foo', './index.js');
console.log(result);
If the resolver processes an invalid configuration, it throws an error with the LWC_CONFIG_ERROR
error code. If the resolver can't locate the module, it throws an error with the NO_LWC_MODULE_FOUND
error code.
import { resolveModule } from '@lwc/module-resolver';
let result;
try {
result = resolveModule('x/foo', './index.js');
} catch (err) {
if (err.code === 'LWC_CONFIG_ERROR') {
console.error(`The request module can't be resolved due to an invalid configuration`, err);
} else if (err.code === 'NO_LWC_MODULE_FOUND') {
console.error(`The requested module doesn't exists. `, err);
} else {
throw err;
}
}
console.log(result);
Parameters:
specifier
(string, required): The module specifier to resolve.importer
(string, required): The file from where the resolution starts.options
(object, optional):
modules
(ModuleRecord[], optional, default: []
): Injects module records to the resolved configuration.rootDir
(string, optional, default: process.cwd()
): Use only when the modules
option is set. Modules overrides are resolved from this directory.Return value:
A RegistryEntry
representing the resolved module with the following properties:
entry
(string): The absolute path of the module entry point.specifier
(string): The resolved module specifier.scope
(string): The absolute path from where the module has been resolved.The LWC compiler uses a custom resolution algorithm to resolve LWC modules. To configure module resolution, use the lwc.config.json
file or the lwc
key in the package.json
file. The modules
key accepts an array of module records. The resolver iterates through the modules
array and returns the first module that matches the requested module specifier. There are three types of module record:
// lwc.config.json
{
"modules": [
{
"name": "ui/button",
"path": "src/modules/ui/button/button.js"
},
{
"dir": "src/modules"
},
{
"npm": "@ui/components"
}
]
}
An alias module record maps a module specifier to a file path. An alias module record is defined by two keys:
name
(string, required): The LWC module specifier.path
(string, required): The file path to resolve.In this example, the ui/button
LWC module specifier is resolved from the src/modules/ui/button/button.js
path.
{
"modules": [
{
"name": "ui/button",
"path": "src/modules/ui/button/button.js"
}
]
}
A directory module record specifies a folder path where LWC modules are resolved. A directory module record is defined by one key:
dir
(string, required): The directory path containing the modules.{
"modules": [
{
"dir": "src/modules"
}
]
}
The directory module record uses an opinionated folder structure to resolve LWC modules. The directory path can contain one or multiple folders representing the LWC modules namespace
. Each of those namespace folders can contain one or multiple folders representing the different LWC modules in the namespace. The name of the folder defines the LWC module name
. For a module to be resolved, the LWC module folder must have a file matching the LWC module name, this file is the LWC module entry point.
In this example, if the dir
key is set src/modules
, the following LWC modules can be resolved: ui/button
, ui/icons
, shared/utils
.
src
└── modules/
├── ui/
│ ├── button/
│ │ ├── button.js
│ │ └── button.html
│ └── icon/
│ └── icon.js
└── shared/
└── utils/
└── utils.js
An NPM package module record tells the resolver that a given NPM package exposes resolvable LWC modules. More details about how to expose LWC modules out of an NPM package can be found in this section. An NPM package module record is defined by one key:
npm
(string, required): The NPM package name exposing the LWC modules.In this example, the resolver is told to look into the @ui/components
NPM package to look up LWC modules.
{
"modules": [
{
"npm": "@ui/components"
}
]
}
To distribute an LWC module publicly via an NPM package, the package should follow the same the LWC module resolution rules. The NPM package should either have the lwc.config.json
file in its root directory or the lwc
key in its package.json
describing how LWC modules are resolved relative to this package.
By default, an LWC module is not exposed outside of an NPM package. The LWC configuration must explicitly list the public LWC modules on the expose
key.
In this example, the package makes the ui/button
and ui/icon
LWC modules public.
{
"modules": [
{
"dir": "src/modules"
}
],
"expose": ["ui/button", "ui/icon"]
}
FAQs
Resolves paths for LWC components
We found that @lwc/module-resolver demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.