Security News
Crates.io Users Targeted by Phishing Emails
The Rust Security Response WG is warning of phishing emails from rustfoundation.dev targeting crates.io users.
By Sarah Gooding - Sep 12, 2025
waPC JavaScript Host (Node + Browser)
This is the JavaScript implementation of the waPC standard for WebAssembly host runtimes. It allows any WebAssembly module to be loaded as a guest and receive requests for invocation as well as to make its own function requests of the host.
This package defines the protocol for RPC exchange between guest (WebAssembly) modules and the host runtime.
Who is this for?
Library developers who want to load waPC-compliant WebAssembly binaries in nodejs or browser environments. The waPC protocol allows a host to execute arbitrary wasm functions without knowing the exported bindings beforehand.
While waPC does not prescribe a serialization/deserialization format, MessagePack is common recommended unless you need otherwise.
Installation
$ npm install @wapc/host
Usage
Node
const { instantiate } = require('@wapc/host');
const { encode, decode } = require('@msgpack/msgpack');
const { promises: fs } = require('fs');
const path = require('path');
async function main() {
// Read wasm off the local disk as Uint8Array
buffer = await fs.readFile(path.join(__dirname, 'fixtures', 'rust_echo_string.wasm'));
// Instantiate a WapcHost with the bytes read off disk
const host = await instantiate(buffer);
// Encode the payload with MessagePack
const payload = encode({ msg: 'hello world' });
// Invoke the operation in the wasm guest
const result = await host.invoke('echo', payload);
// Decode the results using MessagePack
const decoded = decode(result);
// log to the console
console.log(`Result: ${decoded}`);
}
main().catch(err => console.error(err));
Browser
Browser environments can instantiate from a FetchResponse with waPC.instantiateStreaming(). If the browser does not support streaming wasm then waPC gracefully degrades and waits for the response to complete before instantiating.
<script src="https://unpkg.com/@msgpack/msgpack@2.5.1/dist.es5+umd/msgpack.min.js"></script>
<script src="dist/index.bundle.js"></script>
<script>
(async () => {
// Fetch wasm bytes
response = await fetch('/test/fixtures/rust_echo_string.wasm');
// Instantiate a WapcHost with fetch response object
const host = await waPC.instantiateStreaming(response);
// Encode the arguments to send to the wasm function (Example using msgpack)
const payload = MessagePack.encode({ msg: 'hello world' });
// Invoke the "echo" function in the wasm guest
const result = await host.invoke('echo', payload);
// Decode the results (using msgpack in this example)
const decoded = MessagePack.decode(result);
})();
</script>
Contributing
Running tests
Node unit tests
$ npm run test:unit
Browser unit tests
$ npm run test:browser
Building
$ npm run build
FAQs
waPC host for node.js and the browser
The npm package @wapc/host receives a total of 0 weekly downloads. As such, @wapc/host popularity was classified as not popular.
We found that @wapc/host demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Package last updated on 29 Dec 2021
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Product
Introducing Custom Pull Request Alert Comment Headers
Socket now lets you customize pull request alert headers, helping security teams share clear guidance right in PRs to speed reviews and reduce back-and-forth.
By André Staltz - Sep 12, 2025
Product
Rust Support Now in Beta
Socket's Rust support is moving to Beta: all users can scan Cargo projects and generate SBOMs, including Cargo.toml-only crates, with Rust-aware supply chain checks.
By Mikola Lysenko, Trevor Norris - Sep 11, 2025