๐Ÿšจ Shai-Hulud Strikes Again:834 Packages Compromised.Technical Analysis โ†’
Socket
Book a DemoInstallSign in
Socket
Book a DemoInstallSign in

@vercel/blob

Package Overview
Dependencies
Maintainers
9
Versions
121
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@vercel/blob

The Vercel Blob JavaScript API client

Source
npmnpm
Version
0.16.0-99c35286-20231214174115
Version published
Weekly downloads
814K
-29.33%
Maintainers
9
Weekly downloads
ย 
Created
Source

๐Ÿ™ @vercel/blob

The Vercel Blob JavaScript API client.

๐Ÿ‘‰ Quickstart โ€” SDK Reference ๐Ÿ‘ˆ

Installation

npm install @vercel/blob

Quickstart

We have examples on the vercel.com documentation, there are two ways to upload files to Vercel Blob:

  • Server uploads: This is the most common way to upload files. The file is first sent to your server and then to Vercel Blob. It's straightforward to implement, but you are limited to the request body your server can handle. Which in case of a Vercel-hosted website is 4.5 MB. This means you can't upload files larger than 4.5 MB on Vercel when using this method.
  • Client uploads: This is a more advanced solution for when you need to upload larger files. The file is securely sent directly from the client (a browser for example) to Vercel Blob. This requires a bit more work to implement, but it allows you to upload files up to 500 MB.

Releasing

Make sure to include a changeset in your PR. You can do this by running:

pnpm changeset
git commit -am "changeset"
git push

Once such a commit gets merged in main, then GitHub will open a versioning PR you can merge. And the package will be automatically published to npm.

A note for Vite users

@vercel/blob reads the token from the environment variables on process.env. In general, process.env is automatically populated from your .env file during development, which is created when you run vc env pull. However, Vite does not expose the .env variables on process.env.

You can fix this in one of following two ways:

  • You can populate process.env yourself using something like dotenv-expand:
pnpm install --save-dev dotenv dotenv-expand

// vite.config.js
import dotenvExpand from 'dotenv-expand';
import { loadEnv, defineConfig } from 'vite';

export default defineConfig(({ mode }) => {
  // This check is important!
  if (mode === 'development') {
    const env = loadEnv(mode, process.cwd(), '');
    dotenvExpand.expand({ parsed: env });
  }

  return {
    ...
  };
});
  • You can provide the credentials explicitly, instead of relying on a zero-config setup. For example, this is how you could create a client in SvelteKit, which makes private environment variables available via $env/static/private:
import { put } from '@vercel/blob';
+ import { BLOB_TOKEN } from '$env/static/private';

const blob = await head("filepath", {
-  token: '<token>',
+  token: BLOB_TOKEN,
});

FAQs

Package last updated on 14 Dec 2023

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Critical Security Vulnerability in React Server Components

Security News

Critical Security Vulnerability in React Server Components

React disclosed a CVSS 10.0 RCE in React Server Components and is advising users to upgrade affected packages and frameworks to patched versions now.

By Sarah Goodingย  - ย Dec 03, 2025