Security News
Introducing the Socket Python SDK
The initial version of the Socket Python SDK is now on PyPI, enabling developers to more easily interact with the Socket REST API in Python projects.
@metamask/post-message-stream
Advanced tools
A Node.js duplex stream interface over various kinds of JavaScript inter-"process" communication channels, for Node.js and the Web.
Originally the only communication channel used was window.postMessage()
, but the package has since expanded in scope.
ProcessParentMessageStream
and ProcessMessageStream
Node.js child_process.fork()
streams.
The parent process creates a child process with a dedicated IPC channel using child_process.fork()
.
In the parent process:
import { fork } from 'child_process';
import { ProcessParentMessageStream } from '@metamask/post-message-stream';
// `modulePath` is the path to the JavaScript module that will instantiate the
// child stream.
const process = fork(modulePath);
const parentStream = new ProcessParentMessageStream({ process });
parentStream.write('hello');
In the child process:
import { ProcessMessageStream } from '@metamask/post-message-stream';
// The child stream automatically "connects" to the dedicated IPC channel via
// properties on `globalThis.process`.
const childStream = new ProcessMessageStream();
childStream.on('data', (data) => console.log(data + ', world'));
// > 'hello, world'
ThreadParentMessageStream
and ThreadMessageStream
Node.js worker_threads
streams.
The parent process creates a worker thread using new worker_threads.Worker()
.
In the parent environment:
import { Worker } from 'worker_threads';
import { ThreadParentMessageStream } from '@metamask/post-message-stream';
// `modulePath` is the path to the JavaScript module that will instantiate the
// child stream.
const thread = new Worker(modulePath);
const parentStream = new ThreadParentMessageStream({ thread });
parentStream.write('hello');
In the child thread:
import { ThreadMessageStream } from '@metamask/post-message-stream';
// The child stream automatically "connects" to the parent via
// `worker_threads.parentPort`.
const childStream = new ThreadMessageStream();
childStream.on('data', (data) => console.log(data + ', world'));
// > 'hello, world'
WebWorkerParentPostMessageStream
and WebWorkerPostMessageStream
These streams are intended for dedicated Web Workers only. They might sort-of work with shared workers, but attempt that at your own risk.
In the parent window:
import { WebWorkerParentPostMessageStream } from '@metamask/post-message-stream';
const worker = new Worker(url);
const parentStream = new WebWorkerParentPostMessageStream({ worker });
parentStream.write('hello');
In the child WebWorker
:
import { WebWorkerPostMessageStream } from '@metamask/post-message-stream';
const workerStream = new WebWorkerPostMessageStream();
workerStream.on('data', (data) => console.log(data + ', world'));
// > 'hello, world'
WindowPostMessageStream
If you have two windows, A and B, that can communicate over postMessage
, set up a stream in each.
Be sure to make use of the targetOrigin
and targetWindow
parameters to ensure that you are communicating with your intended subject.
In window A, with URL https://foo.com
, trying to communicate with an iframe, iframeB
:
import { WindowPostMessageStream } from '@metamask/post-message-stream';
const streamA = new WindowPostMessageStream({
name: 'streamA', // We give this stream a name that the other side can target.
target: 'streamB', // This must match the `name` of the other side.
// Adding `targetWindow` below already ensures that we will only _send_
// messages to `iframeB`, but we need to specify its origin as well to ensure
// that we only _receive_ messages from `iframeB`.
targetOrigin: new URL(iframeB.src).origin,
// We have to specify the content window of `iframeB` as the target, or it
// won't receive our messages.
targetWindow: iframeB.contentWindow,
});
streamA.write('hello');
In window B, running in an iframe accessible in window A:
const streamB = new WindowPostMessageStream({
// Notice that these values are reversed relative to window A.
name: 'streamB',
target: 'streamA',
// The origin of window A. If we don't specify this, it would default to
// `location.origin`, which won't work if the local origin is different. We
// could pass `*`, but that's potentially unsafe.
targetOrigin: 'https://foo.com',
// We omit `targetWindow` here because it defaults to `window`.
});
streamB.on('data', (data) => console.log(data + ', world'));
// > 'hello, world'
Under the hood, WindowPostMessageStream
uses window.addEventListener('message', (event) => ...)
.
If event.source
is not referentially equal to the stream's targetWindow
, all messages will be ignored.
This can happen in environments where window
objects are proxied, such as Electron.
nvm use
will automatically choose the right node version for you.yarn setup
to install dependencies and run any requried post-install scripts
yarn
/ yarn install
command directly. Use yarn setup
instead. The normal install command will skip required post-install scripts, leaving your development environment in an invalid state.Run yarn test
to run the tests once. To run tests on file changes, run yarn test:watch
.
Run yarn lint
to run the linter, or run yarn lint:fix
to run the linter and fix any automatically fixable issues.
The project follows the same release process as the other libraries in the MetaMask organization. The GitHub Actions action-create-release-pr
and action-publish-release
are used to automate the release process; see those repositories for more information about how they work.
Choose a release version.
If this release is backporting changes onto a previous release, then ensure there is a major version branch for that version (e.g. 1.x
for a v1
backport release).
v1.0.2
release, you'd want to ensure there was a 1.x
branch that was set to the v1.0.1
tag.Trigger the workflow_dispatch
event manually for the Create Release Pull Request
action to create the release PR.
action-create-release-pr
workflow to create the release PR.Update the changelog to move each change entry into the appropriate change category (See here for the full list of change categories, and the correct ordering), and edit them to be more easily understood by users of the package.
yarn auto-changelog validate --rc
to check that the changelog is correctly formatted.Review and QA the release.
Squash & Merge the release.
action-publish-release
workflow to tag the final release commit and publish the release on GitHub.Publish the release on npm.
npm publish --dry-run
to examine the release contents to ensure the correct files are included. Compare to previous releases if necessary (e.g. using https://unpkg.com/browse/[package name]@[package version]/
).npm publish
.[6.1.2]
addEventListener
instead of onmessage
in WebWorkerPostMessageStream (#83)
FAQs
Sets up a duplex object stream over window.postMessage
The npm package @metamask/post-message-stream receives a total of 25,869 weekly downloads. As such, @metamask/post-message-stream popularity was classified as popular.
We found that @metamask/post-message-stream demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 11 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
The initial version of the Socket Python SDK is now on PyPI, enabling developers to more easily interact with the Socket REST API in Python projects.
Security News
Floating dependency ranges in npm can introduce instability and security risks into your project by allowing unverified or incompatible versions to be installed automatically, leading to unpredictable behavior and potential conflicts.
Security News
A new Rust RFC proposes "Trusted Publishing" for Crates.io, introducing short-lived access tokens via OIDC to improve security and reduce risks associated with long-lived API tokens.