@xylabs/threads
Offload CPU-intensive tasks to worker threads in node.js, web browsers and electron using one uniform API.
Uses web workers in the browser, worker_threads in node 12+ and tiny-worker in node 8 to 11.
You can find the old version 0.12 of threads.js on the v0 branch. All the content on this page refers to version 1.0 which is a rewrite of the library with a whole new API.
npm install threads tiny-worker
You only need to install the tiny-worker package to support node.js < 12. It's an optional dependency and is used as a fallback if worker_threads is not available.
Running code using threads.js in node works out of the box.
Note that we wrap the native Worker, so new Worker("./foo/bar") will resolve the path relative to the module that calls it, not relative to the current working directory.
That aligns it with the behavior when bundling the code with webpack or parcel.
Use with the threads-plugin. It will transparently detect all new Worker("./unbundled-path") expressions, bundle the worker code and replace the new Worker(...) path with the worker bundle path, so you don't need to explicitly use the worker-loader or define extra entry points.
npm install -D threads-plugin
Then add it to your webpack.config.js:
+ const ThreadsPlugin = require('threads-plugin');
module.exports = {
// ...
plugins: [
+ new ThreadsPlugin()
]
// ...
}
If you are using webpack to create a bundle that will be run in node (webpack config target: "node"), you also need to specify that the tiny-worker package used for node < 12 should not be bundled:
module.exports = {
// ...
+ externals: {
+ "tiny-worker": "tiny-worker"
+ }
// ...
}
Make sure that tiny-worker is listed in your package.json dependencies in that case.
Note: You'll need to be using TypeScript version 4+, as the types generated by threads.js are not supported in TypeScript 3.
Make sure the TypeScript compiler keeps the import / export statements intact, so webpack resolves them. Otherwise the threads-plugin won't be able to do its job.
module.exports = {
// ...
module: {
rules: [
{
test: /\.ts$/,
loader: "ts-loader",
+ options: {
+ compilerOptions: {
+ module: "esnext"
+ }
+ }
}
]
},
// ...
}
You need to import threads/register once at the beginning of your application code (in the master code, not in the workers):
import { spawn } from "threads"
+ import "threads/register"
// ...
const work = await spawn(new Worker("./worker"))
This registers the library's Worker implementation for your platform as the global Worker. This is necessary, since you cannot import { Worker } from "threads" or Parcel won't recognize new Worker() as a web worker anymore.
Be aware that this might affect any code that tries to instantiate a normal web worker Worker and now instead instantiates a threads.js Worker. The threads.js Worker is just a web worker with some sugar on top, but that sugar might have unexpected side effects on third-party libraries.
Everything else should work out of the box.
// master.js
import { spawn, Thread, Worker } from "threads"

const auth = await spawn(new Worker("./workers/auth"))
const hashed = await auth.hashPassword("Super secret password", "1234")

console.log("Hashed password:", hashed)

await Thread.terminate(auth)

// workers/auth.js
import sha256 from "js-sha256"
import { expose } from "threads/worker"

expose({
  hashPassword(password, salt) {
    return sha256(password + salt)
  }
})
The hashPassword() function of the auth object in the master code proxies the call to the hashPassword() function in the worker:
If the worker's function returns a promise or an observable then you can just use the return value as such in the master code. If the function returns a primitive value, expect the master function to return a promise resolving to that value.
Use expose() to make a function or an object containing methods callable from the master thread.
In case of exposing an object, spawn() will asynchronously return an object exposing all the object's functions. If you expose() a function, spawn() will also return a callable function, not an object.
Find the full documentation on the website:
Threads.js works with webpack. Usually all you need to do is add the threads-plugin.
See Build with webpack on the website for details.
We are using the debug package to provide opt-in debug logging. All the package's debug messages have a scope starting with threads:, with different sub-scopes:
threads:master:messages
threads:master:spawn
threads:master:thread-utils
threads:pool:${poolName || poolID}
Set the environment variable DEBUG=threads:* to enable all the library's debug logging. To run its tests with full debug logging, for instance:
DEBUG=threads:* npm test
MIT
FAQs
Web workers & worker threads as simple as a function call
The npm package @xylabs/threads receives a total of 799 weekly downloads. As such, @xylabs/threads popularity was classified as not popular.
We found that @xylabs/threads demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.