Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@miherlosev/esm
Advanced tools
The brilliantly simple, babel-less, bundle-less ECMAScript module loader.
esm
is the world’s most advanced ECMAScript module loader. This fast, production ready, zero dependency loader is all you need to support ECMAScript modules in Node 6+. See the release post and video for details!
New projects
Run npm init esm
or yarn create esm
.
:bulb: Use the -y
flag to answer “yes” to all prompts.
Existing projects
Run npm i esm
or yarn add esm
.
There are two ways to enable esm
.
Enable esm
for packages:
Use esm
to load the main ES module and export it as CommonJS.
index.js
// Set options as a parameter, environment variable, or rc file.
require = require("esm")(module/*, options*/)
module.exports = require("./main.js")
main.js
// ESM syntax is supported.
export {}
:bulb: These files are automagically created with npm init esm
or yarn create esm
.
Enable esm
for local runs:
node -r esm main.js
:bulb: Omit the filename to enable esm
in the REPL.
:clap: By default, :100: percent CJS interoperability is enabled so you can get stuff done.
:lock: .mjs
files are limited to basic functionality without support for esm
options.
Out of the box esm
just works, no configuration necessary, and supports:
import
/export
import.meta
import
stdin
, --eval
, --print
flags--check
flag (Node 10+)Specify options with one of the following:
"esm"
field in package.json
.esmrc.js
, .esmrc.cjs
, or .esmrc.mjs
file.esmrc
or .esmrc.json
fileESM_OPTIONS
environment variableESM_DISABLE_CACHE
environment variable{ | |||||||||||||||||||||
"cjs":true | A boolean or object for toggling CJS features in ESM. Features
| ||||||||||||||||||||
"mainFields":["main"] | An array of fields checked when importing a package. | ||||||||||||||||||||
"mode":"auto" | A string mode:
| ||||||||||||||||||||
"await":false | A boolean for top-level | ||||||||||||||||||||
"force":false | A boolean to apply these options to all module loads. | ||||||||||||||||||||
"wasm":false | A boolean for WebAssembly module support. (Node 8+) | ||||||||||||||||||||
} |
{ | |
"cache":true | A boolean for toggling cache creation or a cache directory path. |
"sourceMap":false | A boolean for including inline source maps. |
} |
For bundlers like browserify
+esmify
,
parcel-bundler
, and webpack
add a "module"
field to package.json
pointing to the main ES module.
"main": "index.js",
"module": "main.js"
:bulb: This is automagically done with npm init esm
or yarn create esm
.
esm
for wallaby.js
following their
integration example.Load esm
before loaders/monitors like
@babel/register
,
newrelic
,
sqreen
, and
ts-node
.
Load esm
for jasmine
using the
"helpers"
field in jasmine.json
:
"helpers": [
"node_modules/esm"
]
Load esm
with “node-args" options of:
pm2
: --node-args="-r esm"
Load esm
with “require” options of
ava
,
mocha
,
nodemon
,
nyc
,
qunit
,
tape
, and
webpack
.
:bulb: Builtin require
cannot sideload .mjs
files. However, .js
files
can be sideloaded or .mjs
files may be loaded with dynamic import
.
FAQs
Tomorrow's ECMAScript modules today!
The npm package @miherlosev/esm receives a total of 28,214 weekly downloads. As such, @miherlosev/esm popularity was classified as popular.
We found that @miherlosev/esm demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.