Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
The fast, future-friendly minifier. Try before you buy at butternut.now.sh
Warning: this is alpha software. Test thoroughly before using in production! Consider using the check option. Please report any bugs you find!
Butternut is significantly faster than other JavaScript minifiers, and works with the latest version of JavaScript (ES2015, aka ES6, and beyond). It's typically around 3x faster than UglifyJS with default minify options, and 10-15x faster than Babili.
The compression is better than Babili and closure-compiler-js (in standard compilation mode — you can get better results with Closure in advanced mode, but only by writing your code in a very particular way). It's almost as good as Uglify in its current version.
You can test out the different tools with npm run bench
.
Note: UglifyJS supports ES2015+ as of very recently — see uglify-es.
The traditional approach to minification is this: parse your source code into an abstract syntax tree (AST) using something like Acorn, manipulate the AST, and finally generate code from it.
Butternut takes a different approach. It uses Acorn to generate an AST, but instead of steps 2 and 3 it then edits the code in place using magic-string — which is much less costly than AST manipulation and code generation.
The easiest way to use Butternut is to plug it into your existing build process:
Alternatively, you can use it directly via the CLI or the JavaScript API:
Install Butternut globally, then use the squash
command:
npm install --global butternut # or npm i -g butternut
squash app.js > app.min.js
Run squash --help
to see the available options.
Install Butternut to your project...
npm install --save-dev butternut # or npm i -D butternut
...then use it like so:
const butternut = require('butternut');
const { code, map } = butternut.squash(source, options);
The options
argument, if supplied, is an object that can have the following properties:
Option | CLI equivalent | Default value | Description |
---|---|---|---|
check | --check | false | Parse output. See below |
allowDangerousEval | n/a | false | Whether to allow direct eval calls |
sourceMap | -m, --sourcemap | true | Whether to create a sourcemap. Set to inline to append to the output (not recommended) |
file | n/a (automatic) | null | The output filename, used in sourcemap generation |
source | n/a (automatic) | null | The source filename, used in sourcemap generation |
includeContent | n/a | true | Whether to include the source file in the sourcesContent property of the generated sourcemap |
check
optionSince Butternut is a new project, it hasn't yet been battle-tested. It may generate code that you don't expect. If you pass check: true
(or use the --check
flag, if using the CLI), Butternut will parse the generated output to verify that it is valid JavaScript. If not, it means it's messed something up, in which case it will try to help you find the code that it failed to minify correctly.
If you find bugs while using Butternut, please raise an issue!
0.4.5
Infinity
as 1/0
(#99)FAQs
Experimental ES2015-aware minifier
The npm package butternut receives a total of 8,115 weekly downloads. As such, butternut popularity was classified as popular.
We found that butternut demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.