
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@mahpooya/rollup-plugin-size-snapshot
Advanced tools
(Fork for update dependencies)
This plugin provides details about
All of these sizes are important criteria when choosing a library, and they will be stored in the .size-snapshot.json file.
There is also a nice feature for the es output format which provides sizes of treeshaked bundles with both rollup and webpack, so if your library has more than one independent parts, you can track that users will not consume dead code. Such bundles entry point looks like this
// nothing is imported here so nothing should go in user bundle
import {} from "library";
import { sizeSnapshot } from "@mahpooya/rollup-plugin-size-snapshot";
export default {
input: "src/index.js",
output: {
file: "dist/index.js",
format: "es",
},
plugins: [sizeSnapshot()],
};
If you use uglify or terser plugins, then make sure they are placed after this one.
import { uglify } from "rollup-plugin-uglify";
// or import { terser } from "rollup-plugin-terser";
import { sizeSnapshot } from "@mahpooya/rollup-plugin-size-snapshot";
export default {
// ...
plugins: [sizeSnapshot(), uglify({ toplevel: true })],
};
type: string
default: '.size-snapshot.json'
This option allows you to verify that contributors don't forget to build or commit the .size-snapshot.json file. If this is true, the plugin will validate the snapshot against an existing one. Typically, one would define this option's value as true during continuous integration; using it locally is unintended.
type: boolean
default: false
Possible difference between sizes in actual snapshot and generated one.
Note: Make sense only when matchSnapshot is true.
type: number
default: 0
Allows you to disable log to terminal.
type: boolean
default: true
MIT © Bogdan Chadkin
FAQs
(Fork for update dependencies)
The npm package @mahpooya/rollup-plugin-size-snapshot receives a total of 1 weekly downloads. As such, @mahpooya/rollup-plugin-size-snapshot popularity was classified as not popular.
We found that @mahpooya/rollup-plugin-size-snapshot demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.