Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
babel-plugin-universal-import
Advanced tools
Babel plugin to transform import() into its Universal counterpart
yarn add babel-plugin-universal-import
.babelrc:
{
"presets": [whatever you usually have],
"plugins": ["universal-import"]
}
Taking from the test snapshots, it does this:
import universal from 'react-universal-component'
const UniversalComponent = universal(import('./Foo.js'))
<UniversalComponent />
↓ ↓ ↓ ↓ ↓ ↓
import universal from 'react-universal-component'
import universalImport from 'babel-plugin-universal-import/universalImport.js'
import importCss from 'babel-plugin-universal-import/importCss.js'
import path from 'path'
const UniversalComponent = universal(universalImport({
chunkName: () => 'Foo',
path: () => path.join(__dirname, './Foo.js'),
resolve: () => require.resolveWeak('./Foo.js'),
load: () => Promise.all([
import( /* webpackChunkName: 'Foo' */ './Foo.js'),
importCss('Foo')
])
}))
<UniversalComponent />
And if you're using dynamic imports:
import universal from 'react-universal-component'
const UniversalComponent = universal(props => import(`./${props.page}`))
<UniversalComponent page='Foo' />
↓ ↓ ↓ ↓ ↓ ↓
import universal from 'react-universal-component'
import universalImport from 'babel-plugin-universal-import/universalImport.js'
import importCss from 'babel-plugin-universal-import/importCss.js'
import path from 'path'
const UniversalComponent = universal(props => universalImport({
chunkName: props => props.page,
path: props => path.join(__dirname, `./${props.page}`),
resolve: props => require.resolveWeak(`./${props.page}`),
load: props => Promise.all([
import( /* webpackChunkName: '[request]' */ `./${props.page}`),
importCss(page)
])
}));
<UniversalComponent page='Foo' />
NOTE: if you aren't using
react-universal-component
and you just want to serve CSS chunks from extract-css-chunks-webpack-plugin, use babel-plugin-dual-import instead.
It names all your chunks using magic comments 🔮 behind the scenes and is derived from the imported file. This works with both static and dynamic import paths, as you can see above.
Otherwise, what it's doing is providing all the different types of requires/paths/imports/etc needed by tools like react-universal-component to universally render your component.
The targeted use-case for all this is dynamic imports where you can pass a page
prop to the resulting component, thereby allowing you to create one <UniversalComponent page={page} />
for a large number of your components. This is a major upgrade to the previous way of having to make a hash of a million async components in a wrapping component. You no longer have to think about Universal Components as anything different than your other components that use simple HoCs.
Perhaps the most powerful part however is that it also attempts to import a separate CSS file along with js chunks for optimum chunk sizes, caching and performance. Look in what Promise.all
does. To fulfill this mission you must be using extract-css-chunks-webpack-plugin to create multiple CSS chunks for dynamic imports.
And maybe even cooler to some: you don't have to do universal(() => import())
. I.e. you don't have to wrap it in a function any longer when using react-universal-component
, similar to dynamic(import())
in Next.js...unless of course you're making use of the extremely useful props
argument.
If your compiling the server with Babel, you may need to add this babel-plugin as well: babel-plugin-dynamic-import-webpack. And if you're using a version of Webpack before 2.2.0, you also must add it.
Lastly, to the discerning eye, you may be wondering if the return of import()
is still thenable?? It is! However, if you don't call .then
on it, somewhere (perhaps in the components like react-universal-component that you pass it to), then it won't perform the import. Since most of us are using modules, which we need to do something with in the then
callback, that's not a problem. But if you happen to be importing a module that does its own setup, such as attaches something to the window
object, well then you just need to call .then()
to trigger it. That's a rare case these days, which is why we decided to go with the simplicity seen here. And yes, async await works too.
We use commitizen, so run npm run cm
to make commits. A command-line form will appear, requiring you answer a few questions to automatically produce a nicely formatted commit. Releases, semantic version numbers, tags, changelogs and publishing to NPM will automatically be handled based on these commits thanks to semantic-release. Be good.
Reviewing a package's tests are a great way to get familiar with it. It's direct insight into the capabilities of the given package (if the tests are thorough). What's even better is a screenshot of the tests neatly organized and grouped (you know the whole "a picture says a thousand words" thing).
Below is a screenshot of this module's tests running in Wallaby ("An Integrated Continuous Testing Tool for JavaScript") which everyone in the React community should be using. It's fantastic and has taken my entire workflow to the next level. It re-runs your tests on every change along with comprehensive logging, bi-directional linking to your IDE, in-line code coverage indicators, and even snapshot comparisons + updates for Jest! I requestsed that feature by the way :). It's basically a substitute for live-coding that inspires you to test along your journey.
FAQs
Babel plugin to transform import() into its Universal counterpart
The npm package babel-plugin-universal-import receives a total of 20,986 weekly downloads. As such, babel-plugin-universal-import popularity was classified as popular.
We found that babel-plugin-universal-import demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.