Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
@vercel/ncc
Advanced tools
Simple CLI for compiling a Node.js module into a single file, together with all its dependencies, gcc-style.
@vercel/ncc is a simple CLI tool used to compile a Node.js project into a single file, including all of its dependencies. This can be useful for reducing the complexity of deployment, improving startup time, and simplifying the distribution of Node.js applications.
Compile a Node.js project
This command compiles the Node.js project starting from 'src/index.js' and outputs the result to the 'dist' directory. The output will be a single JavaScript file that includes all dependencies.
ncc build src/index.js -o dist
Minify the output
This command compiles and minifies the Node.js project starting from 'src/index.js' and outputs the result to the 'dist' directory. Minification reduces the file size by removing unnecessary characters and whitespace.
ncc build src/index.js -o dist --minify
Source maps generation
This command compiles the Node.js project and generates source maps, which are useful for debugging. The source maps help map the minified code back to the original source code.
ncc build src/index.js -o dist --source-map
Watch mode
This command runs @vercel/ncc in watch mode, which means it will automatically recompile the project whenever a file changes. This is useful for development purposes.
ncc build src/index.js -o dist --watch
Webpack is a popular module bundler for JavaScript applications. It can bundle multiple modules into a single file or multiple files, and it offers a wide range of plugins and configuration options. Compared to @vercel/ncc, Webpack is more flexible and can be used for both frontend and backend projects, but it requires more configuration.
Rollup is a module bundler for JavaScript that focuses on ES6 modules. It is known for its tree-shaking feature, which removes unused code from the final bundle. Rollup is often used for libraries and smaller projects. Compared to @vercel/ncc, Rollup provides more control over the bundling process but may require additional plugins for certain features.
Parcel is a zero-configuration bundler that works out of the box. It supports both JavaScript and TypeScript and can handle various types of assets like CSS, HTML, and images. Parcel is designed to be easy to use and fast. Compared to @vercel/ncc, Parcel is more suitable for frontend projects and offers a simpler setup process.
Simple CLI for compiling a Node.js module into a single file, together with all its dependencies, gcc-style.
go
)npm i -g @vercel/ncc
$ ncc <cmd> <opts>
Eg:
$ ncc build input.js -o dist
If building an .mjs
or .js
module inside a "type": "module"
package boundary, an ES module output will be created automatically.
Outputs the Node.js compact build of input.js
into dist/index.js
.
Note: If the input file is using a
.cjs
extension, then so will the corresponding output file. This is useful for packages that want to use.js
files as modules in native Node.js using a"type": "module"
in the package.json file.
build <input-file> [opts]
run <input-file> [opts]
cache clean|dir|size
help
version
-o, --out [dir] Output directory for build (defaults to dist)
-m, --minify Minify output
-C, --no-cache Skip build cache population
-s, --source-map Generate source map
-a, --asset-builds Build nested JS assets recursively, useful for
when code is loaded as an asset eg for workers.
--no-source-map-register Skip source-map-register source map support
-e, --external [mod] Skip bundling 'mod'. Can be used many times
-q, --quiet Disable build summaries / non-error outputs
-w, --watch Start a watched build
-t, --transpile-only Use transpileOnly option with the ts-loader
--v8-cache Emit a build using the v8 compile cache
--license [file] Adds a file containing licensing information to the output
--stats-out [file] Emit webpack stats as json to the specified output file
--target [es] ECMAScript target to use for output (default: es2015)
Learn more: https://webpack.js.org/configuration/target
-d, --debug Show debug logs
For testing and debugging, a file can be built into a temporary directory and executed with full source maps support with the command:
$ ncc run input.js
The only requirement is to point ncc
to .ts
or .tsx
files. A tsconfig.json
file is necessary. Most likely you want to indicate es2015
support:
{
"compilerOptions": {
"target": "es2015",
"moduleResolution": "node"
}
}
If typescript is found in devDependencies
, that version will be used.
Some packages may need some extra options for ncc support in order to better work with the static analysis.
See package-support.md for some common packages and their usage with ncc.
require('@vercel/ncc')('/path/to/input', {
// provide a custom cache path or disable caching
cache: "./custom/cache/path" | false,
// externals to leave as requires of the build
externals: ["externalpackage"],
// directory outside of which never to emit assets
filterAssetBase: process.cwd(), // default
minify: false, // default
sourceMap: false, // default
assetBuilds: false, // default
sourceMapBasePrefix: '../', // default treats sources as output-relative
// when outputting a sourcemap, automatically include
// source-map-support in the output file (increases output by 32kB).
sourceMapRegister: true, // default
watch: false, // default
license: '', // default does not generate a license file
target: 'es2015', // default
v8cache: false, // default
quiet: false, // default
debugLog: false // default
}).then(({ code, map, assets }) => {
console.log(code);
// Assets is an object of asset file names to { source, permissions, symlinks }
// expected relative to the output code (if any)
})
When watch: true
is set, the build object is not a promise, but has the following signature:
{
// handler re-run on each build completion
// watch errors are reported on "err"
handler (({ err, code, map, assets }) => { ... })
// handler re-run on each rebuild start
rebuild (() => {})
// close the watcher
void close ();
}
FAQs
Simple CLI for compiling a Node.js module into a single file, together with all its dependencies, gcc-style.
The npm package @vercel/ncc receives a total of 531,245 weekly downloads. As such, @vercel/ncc popularity was classified as popular.
We found that @vercel/ncc demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 9 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.