Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@optimize-lodash/rollup-plugin
Advanced tools
Rewrite lodash imports with Rollup for improved tree-shaking.
lodash
imports with Rollup.jsThere are multiple issues surrounding tree-shaking of lodash. Minifiers, even with dead-code elimination, cannot currently solve this problem. Check out the test showing that even with terser as a minifier, this plugin can still reduce bundle size by 70% for an example input. With this plugin, bundled code output will only include the specific lodash methods your code requires.
There is also an option to use lodash-es for projects which ship CommonJS and ES builds: the ES build will be transformed to import from lodash-es
.
Note: versions of this plugin prior to 5.x supported NodeJS 12 and Rollup 2.x - 3.x. If you need support for these older versions, please use the 4.x release. Rollup 4.x contains significant performance improvements over previous versions and is highly recommended.
import { isNil, isString } from "lodash";
import { padStart as padStartFp } from "lodash/fp";
import isNil from "lodash/isNil.js";
import isString from "lodash/isString.js";
import padStartFp from "lodash/fp/padStart.js";
useLodashEs
for ES Module OutputWhile lodash-es
is not usable from CommonJS modules, some projects use Rollup to create two outputs: one for ES and one for CommonJS.
In this case, you can offer your users the best of both:
import { isNil } from "lodash";
import isNil from "lodash/isNil.js";
useLodashEs: true
)import { isNil } from "lodash-es";
import { optimizeLodashImports } from "@optimize-lodash/rollup-plugin";
export default {
input: "src/index.js",
output: {
dir: "dist",
format: "cjs",
},
plugins: [optimizeLodashImports()],
};
Configuration can be passed to the plugin as an object with the following keys:
exclude
Type: String
| Array[...String]
Default: null
A minimatch pattern, or array of patterns, which specifies the files in the build the plugin should ignore. By default no files are ignored.
include
Type: String
| Array[...String]
Default: null
A minimatch pattern, or array of patterns, which specifies the files in the build the plugin should operate on. By default all files are targeted.
useLodashEs
Type: boolean
Default: false
If true
, the plugin will rewrite lodash imports to use lodash-es.
Note: the build will fail if your Rollup output format is not also set to es
, esm
, or module
!
appendDotJs
Type: boolean
Default: true
If true
, the plugin will append .js
to the end of CommonJS lodash imports.
Set to false
if you don't want the .js
suffix added (prior to v3.x, this was the default).
This plugin "just works" as a Vite 3.x plugin. Simply add it to plugins
in your Vite config:
import { defineConfig } from "vite";
import react from "@vitejs/plugin-react";
import { optimizeLodashImports } from "@optimize-lodash/rollup-plugin";
// https://vitejs.dev/config/
export default defineConfig({
plugins: [react(), optimizeLodashImports()],
});
Example Vite output for a use of kebabCase:
No plugin | With plugin |
---|---|
dist/assets/index.497fb95b.js 212.88 KiB / gzip: 71.58 KiB | dist/assets/index.54b72c40.js 146.31 KiB / gzip: 47.81 KiB |
A ~23 KiB reduction in compressed size!
Unlike babel-plugin-lodash, there is no support for optimizing the lodash default import, such as in this case:
// this import can't be optimized
import _ from "lodash";
export function testX(x) {
return _.isNil(x);
}
The above code will not be optimized, and the plugin will print a warning. (Note: Vite supresses these warnings at build time unless --debug
is added to the build command.)
To avoid this, always import the specific method(s) you need:
// this import will be optimized
import { isNil } from "lodash";
export function testX(x) {
return isNil(x);
}
babel-plugin-lodash
solves the issue for CommonJS outputs and modifies default imports as well. However, it doesn't enable transparent lodash-es
use and may not make sense for projects using @rollup/plugin-typescript which don't wish to add a Babel step.
Other alternatives include eslint-plugin-lodash
with the import-scope
rule enabled. This works for CommonJS outputs, but may require manual effort to stay on top of imports.
FAQs
Rewrite lodash imports with Rollup for improved tree-shaking.
The npm package @optimize-lodash/rollup-plugin receives a total of 29,163 weekly downloads. As such, @optimize-lodash/rollup-plugin popularity was classified as popular.
We found that @optimize-lodash/rollup-plugin demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.