Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
@swimlane/airdrop-cli
Advanced tools
airdrop-cli is a package delivery tool for ES modules from npm packages. Use it to deliver packages from npm to the browser with no external connection needed at runtime.
$ npm install @swimlane/airdrop-cli -g
Or use
npx @swimlane/airdrop-cli
in place ofairdrop
in the examples below.
airdrop add <package> [<package>] [--force] [--bundle] [--optimize] [--clean]
The
add
command is optional; the defaultairdrop
command isadd
.
<package>
: npm package(s) (with optional version or tag) to add--force
: force add package(s) that have already been added--bundle
: bundle the added package(s)--optimize
: minify the generated bundle(s)--clean
: clean output directory before adding new packages--no-color
: disable CLI colorsThe cli supports multiple packages and semantic version ranges. For example
airdrop add lit-element es-module-shims@0.2.3
will install the latest version oflit-element
and an exact version ofes-module-shims
.
Packages added using airdrop <package>
are downloaded into a <package_path>/<name>@<version>/
directory. The same happens for each dependency of <package>
. An import-map in the <package_path>
directory is added or updated.
For example, running airdrop lit-element@2.0.1
results in a <package_path>
directory structure of:
<package_path>
├── lit-element@2.0.1/
├── lit-html@1.0.0/
└── importmap.json
and an import-map of:
{
"imports": {
"lit-element@2.0.1": "<package_root>lit-element@2.0.1/lit-element.js",
"lit-element@2.0.1/": "<package_root>lit-element@2.0.1/",
"lit-element@2": "<package_root>lit-element@2.0.1/lit-element.js",
"lit-element@2/": "<package_root>lit-element@2.0.1/"
},
"scopes": {
"lit-element@2.0.1": {
"lit-html": "<package_root>lit-html@1.0.0/lit-html.js",
"lit-html/": "<package_root>lit-html@1.0.0/"
},
"lit-html@1.0.0": {}
}
}
The
<package_path>
directory is configurable via thepackage_path
property inairdrop.config.js
, the default is./-/
. In the generated import-maps, the package address is configurable via thepackage_root
property, the default is/-/
. This value must start with/
,../
, or./
, or be an absolute URL.
The --bundle
flag adds and bundles each <package>
into a esm bundle (and with inlined dependencies) at <package_path>/<name>@<version>.bundle.js
. The import-map is updated to resolve <name>@<version>
to the bundle.
For example, running airdrop d3@5.9.2 --bundle
results in a root directory structure of:
<package_path>
├── <d3 deps>
├── d3@5.9.2/
├── d3@5.9.2.bundle.js
└── importmap.json
and an import-map of:
{
"imports": {
"d3@5.9.2": "<package_root>d3@5.9.2.bundle.js",
"d3@5": "<package_root>d3@5.9.2.bundle.js"
},
"scopes": {}
}
Note that
airdrop
adds an import of the form<name>@<major-version>
that resolves to the latest local version of the package.
Adding packages requires a connection to the npm registry. Once added an external connection is no longer required. The <package_path>
directory can be deployed with other static assets or just manually copied between systems.
The following commands help move content from one system to another:
airdrop pack [<filename>]
- Creates a tarball from the <package_path>
directory. The <filename>
is optional and defaults to using a timestamp.airdrop merge <filename>
- Unpacks a tarball to the <package_path>
directory, merging the packed import-map with the existing import-map.airdrop init
- Adds an airdrop.config.js
to the current directory and an empty import-map.airdrop version
- Outputs the version number.airdrop config
- Displays current configuration.airdrop clean
- Cleans the output directory.airdrop resolve <package>
- Prints the resolved url for package(s).The added ES modules can be loaded in the browser using a absolute path and full version.
/<package_root>/<name>@<version>[/file-path]
Use
airdrop resolve <package>
to find the resolved path.
<script type="module">
import { html, render } from '/-/lit-html@1.0.0/lit-html.js';
</script>
Or with the dynamic import()
:
<script type="module">
import('/-/lit-html@.1.0.0/lit-html.js')
.then(({ html, render }) => {
console.log(html, render);
});
</script>
While most modern browsers include support for ES modules, bare package specifiers are explicitly forbidden. In order to import bare package specifiers like import "lit-html"
we need import-maps.
Note: import-maps are still an experimental specification. Use es-module-shims to polyfill most of the newer modules specifications. SystemJS also supports import-maps. However,
SystemJS
only loadsSystem.register
modules or AMD modules via extras.
<script type="module" src="/-/es-module-shims@0.2.3/dist/es-module-shims.js"></script>
<script type="importmap-shim" src="/-/importmap.json"></script>
<script type="module-shim">
import { LitElement, css } from 'lit-element@2.1.0';
import { html } from 'lit-html@1.0.0';
class MyElement extends LitElement {
static get properties() {
return {
mood: {type: String}
}
}
static get styles() {
return css`.mood { color: green; }`;
}
render() {
return html`Web Components are <span class="mood">${this.mood}</span>!`;
}
}
customElements.define('my-element', MyElement);
</script>
Bundles can also be imported using fixed versions or bare imports when combined with the import-map.
<script type="module">
import * as d3 from '/-/d3d3@5.9.2.bundle.js';
d3.select('#hello').text('Hello World!!');
</script>
<script type="module" src="/-/es-module-shims@0.2.3/dist/es-module-shims.js"></script>
<script type="importmap-shim" src="/-/importmap.json"></script>
<script type="module-shim">
import * as d3 from 'd3@5.9.2';
d3.select('#hello').text('Hello World!!');
</script>
airdrop
is a Swimlane open-source project; we believe in giving back to the open-source community by sharing some of the projects we build for our application. Swimlane is an automated cyber security operations and incident response platform that enables cyber security teams to leverage threat intelligence, speed up incident response and automate security operations.
FAQs
package-server
We found that @swimlane/airdrop-cli demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 11 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.