Ark allows you to package up your browser JavaScript using the Node module system. You can use require just like in Node. Put another way, you can reuse server-side code in the browser and still use require and NPM.
To browserify, which was the original inspiration for Ark, and from which I took some code, such as the HTTP implementation.
The obvious question is: how is Ark different than browserify?
Ark is more CoffeeScript-friendly. You don't need to add a transform or plugin to bundle CoffeeScript into your Ark. Also, most of Ark is actually implemented in CoffeeScript in case you want to fork or submit patches.
Ark uses a CSON manifest file with glob expansion to decide what to package up. You can easily see what's included with the list command (or, programmatically, with the list method).
Ark does not use the package.json browser field, or any other specification for generating your bundled JavaScript. Everything you need to know is in the manifest.
Ark allows you to include any arbitrary files into your ark. You can then use the node fs API to read them. For example, we often bundle a configuration file that tells us where to find various backend resources.
Ark is just simpler, both in terms of usage and implementation.
npm install -g ark
Create an ark directory in your source tree. Put stuff in that directory that you want to ship to the browser. In Ark parlance, that stuff is called "the ark."
Add a package.json file to set the entry point for your ark (using the main property).
Create an ark.cson file with the list of files and emulated Node APIs you want bundled in your ark.
Package up your ark: ark package -p <ark-directory> -o <path-to-javascript>
The manifest file might look like this:
include: [
  "**/*.coffee"
  "package.json"
]
apis: [ "assert", "child_process", "crypto", "events", "fs", "http",
  "https", "module", "path", "querystring", "stream", "sys", "tty",
  "url", "util" ]
That's it. There's never any question about which files or APIs are included, because you control it via the manifest.
You can also exclude files. For example, if you want to make sure that no files within test directories are committed, you might do something like this:
include: [
  "**/*.coffee"
  "package.json"
]
exclude: [
  "**/test/**"
  "**/spec/**"
]
apis: [ "assert", "child_process", "crypto", "events", "fs", "http",
  "https", "module", "path", "querystring", "stream", "sys", "tty",
  "url", "util" ]
If you use glob expansion, you might want to see exactly what the result of the expansion is -- you can do this by using the list command:
ark ls -p <manifest>
See the man page for more, or just type ark help.
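Because every file the manifest selects is shipped to the browser, it is worth checking the expanded list before packaging. The following Node.js check is an added example, not part of Ark or its README: it approximates include/exclude expansion over a file listing and reports selected files that match a deny list. The glob matcher, the deny list and the sample file names are constructed assumptions; Ark's real expansion is whatever ark ls reports.

```javascript
// Added example: approximate an Ark manifest's include/exclude expansion and
// flag selected files that should not ship to the browser.

// Convert a glob ("**", "*", "?") to an anchored RegExp over "/" paths.
function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === "*" && glob[i + 1] === "*") {
      if (glob[i + 2] === "/") { re += "(?:.*/)?"; i += 2; } // "**/": zero or more dirs
      else { re += ".*"; i += 1; }                            // "**": anything below
    } else if (c === "*") re += "[^/]*";                      // within one segment
    else if (c === "?") re += "[^/]";
    else re += c.replace(/[.+^${}()|[\]\\]/g, "\\$&");        // literal character
  }
  return new RegExp("^" + re + "$");
}

const matchesAny = (path, globs) =>
  (globs || []).some((g) => globToRegExp(g).test(path));

// Files the manifest would select: included and not excluded.
function expandManifest(files, manifest) {
  return files.filter(
    (f) => matchesAny(f, manifest.include) && !matchesAny(f, manifest.exclude));
}

// Hypothetical deny list of material that must never reach a client bundle.
const DENY = ["**/.env", "**/*.pem", "**/*.key", "**/.npmrc"];

// Selected files that match the deny list; an empty result means "ok to package".
function auditArk(files, manifest, deny = DENY) {
  return expandManifest(files, manifest).filter((f) => matchesAny(f, deny));
}

// Constructed sample: a broad "config/**" include pulls in a private key.
const sampleFiles = [
  "package.json", "lib/app.coffee", "lib/test/app_test.coffee",
  "spec/helper.coffee", "config/backend.json", "config/tls/server.key",
  "README.md",
];
const sampleManifest = {
  include: ["**/*.coffee", "package.json", "config/**"],
  exclude: ["**/test/**", "**/spec/**"],
};

console.log("selected:", expandManifest(sampleFiles, sampleManifest));
console.log("blocked: ", auditArk(sampleFiles, sampleManifest));
```

In a build script, fail the packaging step when auditArk returns a non-empty array.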
You can also use Ark programmatically. It's pretty simple:
Ark = require "ark"

# Describe the ark: its root directory and the manifest to expand
ark = new Ark
  path: "."
  manifest:
    include: [ "**/*.coffee", "package.json" ]
    exclude: [ "**/test/**", "**/spec/**" ]
    apis: [ "assert", "child_process", "crypto", "events", "fs", "http",
      "https", "module", "path", "querystring", "stream", "sys", "tty",
      "url", "util" ]

ark.package()
Other options include:
Example
Suppose you want to compile Jade templates when you bundle your JavaScript so that they can simply be required. You might write an Ark compiler like this:
# Build the compiler once; the returned function compiles one template
compileJade = do ->
  jade = require "jade"
  options =
    client: true
    compileDebug: false
  (template) -> jade.compile template, options

# Register the compiler for jade files alongside the manifest
ark = new Ark
  path: "."
  compilers: jade: compileJade
  manifest:
    include: [ "**/*.coffee", "package.json" ]
    exclude: [ "**/test/**", "**/spec/**" ]
    apis: [ "assert", "child_process", "crypto", "events", "fs", "http",
      "https", "module", "path", "querystring", "stream", "sys", "tty",
      "url", "util" ]
list Function
You can also generate the full manifest, after glob expansion, with list, which returns an array of relative paths.
New in 0.5.0 is the ability to use Ark as connect/express-style middleware so that you don't need a build step while developing. You can run it like this:
Ark = require "ark"
connect = require "connect"
app = connect()
app.use connect.static("public")
app.use Ark.middleware("my-ark-directory")
The Ark middleware keeps a "live" copy of the Ark in memory and only updates files that have changed.
We've temporarily removed support for minification and beautification, as well as mtime checks for the command-line tool. We expect to add these back soon.
We also plan to add auto-generation of source maps and more sophistication to the middleware (for example, keeping the generated JavaScript cached so that it can just be returned directly if nothing has changed).
Ark is under active development and is still alpha-status. Please use with caution.
FAQs
Packages code for the browser as Node modules.
We found that ark demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.