Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
![bulmil](https://user-images.githubusercontent.com/2362138/65766959-c721a080-e16f-11e9-9fb9-45a5a2ad0391.jpg)
Bulmil is an agnostic UI library based on Web Components, made with Bulma.io & Stencil.js.
Bulmil was created as a proof of concept to introduce an easy way to consume common reusable web components for use with various modern application frameworks (Angular, Vue, React, Ember) or simply with pure Javascript.
:warning: Currently in Alpha, beta will be available once these two issues are resolved:
Stencil is a compiler for building fast web apps using Web Components.
Stencil combines the best concepts of the most popular frontend frameworks into a compile-time rather than run-time tool. Stencil takes TypeScript, JSX, a tiny virtual DOM layer, efficient one-way data binding, an asynchronous rendering pipeline (similar to React Fiber), and lazy-loading out of the box, and generates 100% standards-based Web Components that run in any browser supporting the Custom Elements v1 spec.
Stencil components are just Web Components, so they work in any major framework or with no framework at all.
# Using npm
npm i bulmil
# Using yarn
yarn add bulmil
Stencil's primary goal is to remove the need for components to be written using a specific framework's API. It accomplishes this by using standardized web platform APIs that work across all modern browsers. Using the low-level component model that is provided by the browser (which all frameworks are built on) allows Stencil components to work inside of a framework or without one.
Stencil's integration with different frameworks is currently a work in progress. As Stencil matures, the goal is to make it easy to write standard web components which will compile to various output targets. This allows developers to stay aligned with the latest web standards while using a common API. The generated components will also be more future-proof as frameworks continue to change.
The following list contains the framework integrations that have been started. All of them are not yet completed.
Integrating a component built with Stencil to a project without a JavaScript framework is straight forward. If you're using a simple HTML page, you can add your component via a script tag. For example, if we published a component to npm, we could load the component through unpkg like this:
<!DOCTYPE html>
<html lang="en">
<head>
<script src="https://unpkg.com/bulmil/latest/dist/bulmil.js"></script>
</head>
<body>
<bm-button>Button</bm-button>
</body>
</html>
Alternatively, if you wanted to take advantage of ES Modules, you could include the components using an import statement. Note that in this scenario applyPolyfills
is needed if you are targeting Edge or IE11.
<!DOCTYPE html>
<html lang="en">
<head>
<script type="module">
import {
applyPolyfills,
defineCustomElements,
} from 'https://unpkg.com/bulmil/latest/dist/esm/es2017/bulmil.define.js';
applyPolyfills().then(() => {
defineCustomElements(window);
});
</script>
</head>
<body>
<bm-button>Button</bm-button>
</body>
</html>
With an application built using the create-react-app
script the easiest way to include the component library is to call defineCustomElements(window)
from the index.js
file.
Note that in this scenario applyPolyfills
is needed if you are targeting Edge or IE11.
import React from 'react';
import ReactDOM from 'react-dom';
import './index.css';
import App from './App';
import registerServiceWorker from './registerServiceWorker';
import { applyPolyfills, defineCustomElements } from 'bulmil/dist/loader';
ReactDOM.render(<App />, document.getElementById('root'));
registerServiceWorker();
applyPolyfills().then(() => {
defineCustomElements(window);
});
Following the steps above will enable your web components to be used in React, however there are some additional complexities that must also be considered. https://custom-elements-everywhere.com/ describes them well.
In order to use the custom element library within the Vue app, the application must be modified to define the custom elements and to inform the Vue compiler which elements to ignore during compilation. This can all be done within the main.js
file.
Assuming you’ve run npm install --save bulmil
beforehand, and that bulmil
is the name of our made up Web Components that we have published to npm, you import the components into the 'main.js' file by
https://vuejs.org/v2/api/#ignoredElements
)import Vue from 'vue';
import App from './App.vue';
import { applyPolyfills, defineCustomElements } from 'bulmil/dist/loader';
Vue.config.productionTip = false;
// Tell Vue to ignore all components defined in the bulmil package.
//T he regex assumes all components names are prefixed with 'bm-'
Vue.config.ignoredElements = [/bm-\w*/];
// Bind the custom elements to the window object
applyPolyfills().then(() => {
defineCustomElements(window);
});
new Vue({
render: h => h(App),
}).$mount('#app');
Create a plugin, (e.g bulmil.ts):
import Vue from 'vue';
import { applyPolyfills, defineCustomElements } from 'bulmil/dist/loader';
Vue.config.productionTip = false;
Vue.config.ignoredElements = [/bm-\w*/];
// Bind the custom elements to the window object
applyPolyfills().then(() => {
defineCustomElements(window);
});
// nuxt.config.ts
{
plugins: [
{ src: '~/plugins/bulmil.ts', mode: 'client' },
],
}
The components should then be available in any of the Vue components
render() {
return (
<div>
<bm-button>Button</bm-button>
</div>
)
}
Vue provides several different ways to install and use the framework in an application. The above technique for integrating a Stencil custom element library has been tested on a Vue application that was created using the vue-cli
with ES2015 and WebPack as primary options. A similar technique should work if the application was generated using other options.
Using a Stencil built web component collection within an Angular CLI project is a two-step process. We need to:
CUSTOM_ELEMENTS_SCHEMA
in the modules that use the components.defineCustomElements(window)
from main.ts
(or some other appropriate place).Including the CUSTOM_ELEMENTS_SCHEMA
in the module allows the use of the web components in the HTML markup without the compiler producing errors this code should be added into the AppModule
and in every other modules that use your custom elements.
Here is an example of adding it to AppModule
:
import { BrowserModule } from '@angular/platform-browser';
import { CUSTOM_ELEMENTS_SCHEMA, NgModule } from '@angular/core';
import { FormsModule } from '@angular/forms';
import { AppComponent } from './app.component';
@NgModule({
declarations: [AppComponent],
imports: [BrowserModule, FormsModule],
bootstrap: [AppComponent],
schemas: [CUSTOM_ELEMENTS_SCHEMA],
})
export class AppModule {}
The CUSTOM_ELEMENTS_SCHEMA
needs to be included in any module that uses custom elements.
A component collection built with Stencil includes a main function that is used to load the components in the collection. That function is called defineCustomElements()
and it needs to be called once during the bootstrapping of your application. One convenient place to do this is in main.ts
as such:
import { enableProdMode } from '@angular/core';
import { platformBrowserDynamic } from '@angular/platform-browser-dynamic';
import { AppModule } from './app/app.module';
import { environment } from './environments/environment';
// Note: loader import location set using "esmLoaderPath" within the output target confg
import { defineCustomElements } from 'bulmil/dist/loader';
if (environment.production) {
enableProdMode();
}
platformBrowserDynamic()
.bootstrapModule(AppModule)
.catch(err => console.log(err));
defineCustomElements(window);
If you want your custom elements to be able to work on older browser, you should add the applyPolyfills()
that surrond the defineCustomElements()
function.
import { applyPolyfills, defineCustomElements } from 'bulmil/dist/loader';
...
applyPolyfills().then(() => {
defineCustomElements(window)
})
Once included, components could be referenced in your code using ViewChild
and ViewChildren
as in the following example:
import { Component, ElementRef, ViewChild } from '@angular/core';
import 'bulmil/dist';
@Component({
selector: 'app-home',
template: `
<bm-button #button></bm-button>
`,
styleUrls: ['./home.component.scss'],
})
export class HomeComponent {
@ViewChild('button') buttonComponent: ElementRef<HTMLBulmilComponentElement>;
async onAction() {
await this.buttonComponent.nativeElement.componentMethod();
}
}
Working with Stencil components in Ember is really easy thanks to the ember-cli-stencil
addon. It handles:
vendor.js
assets
directoryStart off by installing the Ember addon
ember install ember-cli-stencil
Now, when you build your application, Stencil collections in your dependencies will automatically be discovered and pulled into your application. You can just start using the custom elements in your hbs
files with no further work needed. For more information, check out the ember-cli-stencil
documentation.
yarn install
or npm install
yarn storybook
or npm run storybook
FAQs
![bulmil](https://user-images.githubusercontent.com/2362138/65766959-c721a080-e16f-11e9-9fb9-45a5a2ad0391.jpg)
The npm package bulmil receives a total of 215 weekly downloads. As such, bulmil popularity was classified as not popular.
We found that bulmil demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.