Research
Security News
Kill Switch Hidden in npm Packages Typosquatting Chalk and Chokidar
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
acorn-import-assertions
Advanced tools
The acorn-import-assertions package is a plugin for the Acorn JavaScript parser. It adds support for parsing import assertions, which are a stage 3 proposal for ECMAScript that allows developers to make assertions about the type of module they are importing. This is particularly useful for distinguishing between different types of modules, such as JSON modules, CSS modules, or other non-JavaScript content.
Parsing import assertions
This feature allows the parsing of import statements with assertions. The code sample demonstrates how to extend the Acorn parser with the importAssertions plugin and parse a piece of code that includes an import statement with an assertion.
import assert from 'assert';
import { Parser } from 'acorn';
import importAssertions from 'acorn-import-assertions';
const code = "import json from './data.json' assert { type: 'json' };";
const ast = Parser.extend(importAssertions).parse(code, { sourceType: 'module' });
assert(ast.body[0].assertions[0].value.value === 'json');
es-module-lexer is a fast lexer for ES module syntax, including import assertions. While acorn-import-assertions is a plugin for the Acorn parser, es-module-lexer is a standalone lexer that can be used for tooling that needs to understand ES module syntax quickly and efficiently.
This module provides a plugin that can be used to extend the Acorn Parser class:
const {Parser} = require('acorn');
const {importAssertions} = require('acorn-import-assertions');
Parser.extend(importAssertions).parse('...');
This plugin is released under an MIT License.
FAQs
Support for import assertions in acorn
The npm package acorn-import-assertions receives a total of 7,302,942 weekly downloads. As such, acorn-import-assertions popularity was classified as popular.
We found that acorn-import-assertions demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
Security News
pnpm 10 blocks lifecycle scripts by default to improve security, addressing supply chain attack risks but sparking debate over compatibility and workflow changes.
Product
Socket now supports uv.lock files to ensure consistent, secure dependency resolution for Python projects and enhance supply chain security.