Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
The fast, future-friendly minifier
Warning: this is alpha software. Test thoroughly before using in production! Consider using the check option. Please report any bugs you find!
Modern browsers support the newest version of JavaScript (ES2015+, aka ES6), and many JavaScript developers are already using ES2015 features in their code. Unfortunately, the most popular minifier — UglifyJS — doesn't officially support ES2015. That means we have to compile our code to ES5 (e.g. using Babel or Bublé) in order to ship it, even if we're not supporting older browsers.
There are alternatives to Uglify — Babili and Closure Compiler. But both tools are much slower than Uglify, and generate larger output (in Closure's case you can achieve greater compression using the advanced compilation mode, but this requires you to write your code in a particular way and is therefore not a general solution).
Butternut is fully ES2015+ aware, delivers superior compression to Babili or Closure, and is typically around 4x faster than Uglify (or 10-15x faster than Babili). It doesn't yet compress ES5 as well as Uglify, but an ES2015 codebase minified with Butternut is often smaller than the same codebase transpiled prior to minification with Uglify.
The easiest way to use Butternut is to plug it into your existing build process:
Alternatively, you can use it directly via the CLI or the JavaScript API:
Install Butternut globally, then use the squash
command:
npm install --global butternut # or npm i -g butternut
squash app.js > app.min.js
Run squash --help
to see the available options.
Install Butternut to your project...
npm install --save-dev butternut # or npm i -D butternut
...then use it like so:
const butternut = require('butternut');
const { code, map } = butternut(source, options);
The options
argument, if supplied, is an object that can have the following properties:
sourceMap
— set to false
if you don't want to generate a sourcemap. Defaults to true
file
— the destination filename, used in sourcemap generationsource
— the source filename, used in sourcemap generationincludeContent
— whether to include the original source in the sourcemap. Defaults to true
check
— see belowcheck
optionSince Butternut is a new project, it hasn't yet been battle-tested. It may generate code that you don't expect. If you pass check: true
(or use the --check
flag, if using the CLI), Butternut will parse the generated output to verify that it is valid JavaScript. If not, it means it's messed something up, in which case it will try to help you find the code that it failed to minify correctly.
If you find bugs while using Butternut, please raise an issue!
0.3.0
check
optionFAQs
Experimental ES2015-aware minifier
The npm package butternut receives a total of 8,115 weekly downloads. As such, butternut popularity was classified as popular.
We found that butternut demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.