Research
Security News
Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
The canvas npm package is a powerful library that allows Node.js users to draw 2D graphics on the fly using a Canvas API similar to the one provided by browsers. It can be used for creating images, manipulating graphics, and generating dynamic visual content.
Drawing shapes
This feature allows you to draw basic shapes such as rectangles, circles, and lines on the canvas.
const { createCanvas } = require('canvas');
const canvas = createCanvas(200, 200);
const ctx = canvas.getContext('2d');
// Draw a rectangle
ctx.fillStyle = 'green';
ctx.fillRect(10, 10, 150, 100);
Text manipulation
With the canvas package, you can add text to your images, apply fonts, styles, and rotation.
const { createCanvas } = require('canvas');
const canvas = createCanvas(200, 200);
const ctx = canvas.getContext('2d');
// Draw text
ctx.font = '30px Impact';
ctx.rotate(0.1);
ctx.fillText('Awesome!', 50, 100);
Image manipulation
This feature allows you to load images, draw them onto the canvas, and manipulate their appearance.
const { createCanvas, loadImage } = require('canvas');
const canvas = createCanvas(200, 200);
const ctx = canvas.getContext('2d');
loadImage('image.png').then((image) => {
ctx.drawImage(image, 50, 50, 150, 100);
});
Pixel manipulation
Canvas allows direct pixel manipulation for effects like inversion, brightness, contrast, and more.
const { createCanvas } = require('canvas');
const canvas = createCanvas(200, 200);
const ctx = canvas.getContext('2d');
// Draw a rectangle
ctx.fillStyle = 'red';
ctx.fillRect(0, 0, 50, 50);
// Get pixel data
const imageData = ctx.getImageData(0, 0, 50, 50);
// Manipulate pixels
for (let i = 0; i < imageData.data.length; i += 4) {
imageData.data[i] = 255 - imageData.data[i]; // Invert red
imageData.data[i+1] = 255 - imageData.data[i+1]; // Invert green
imageData.data[i+2] = 255 - imageData.data[i+2]; // Invert blue
}
// Put the image data back onto the canvas
ctx.putImageData(imageData, 0, 0);
Fabric.js is a powerful and rich graphics library, similar to canvas, but it runs in the browser. It provides interactive object model on top of canvas element and also has SVG-to-canvas (and canvas-to-SVG) parser.
Konva.js is an HTML5 2D canvas library for desktop and mobile applications. It extends the 2D context by enabling canvas interactivity and much more. It is similar to canvas but with additional features like event handling, layering, filtering, caching, and animations.
PixiJS is a 2D webGL renderer with a seamless canvas fallback that can be used to create rich interactive graphics, cross-platform applications, and games. Unlike canvas, PixiJS is focused on webGL and provides a faster rendering for complex scenes.
p5.js is a client-side library that enables creative coding with a focus on making coding accessible for artists, designers, educators, and beginners. It is similar to canvas but emphasizes an easy-to-use API and includes a full set of drawing functionality.
node-canvas is a Cairo backed Canvas implementation for NodeJS.
$ npm install canvas
Unless previously installed you'll need Cairo. For system-specific installation view the Wiki.
You can quickly install the dependencies by using the command for your OS:
OS | Command |
---|---|
OS X | brew install pkg-config cairo libpng jpeg giflib |
Ubuntu | sudo apt-get install libcairo2-dev libjpeg8-dev libpango1.0-dev libgif-dev build-essential g++ |
Fedora | sudo yum install cairo cairo-devel cairomm-devel libjpeg-turbo-devel pango pango-devel pangomm pangomm-devel giflib-devel |
Solaris | pkgin install cairo pkg-config xproto renderproto kbproto xextproto |
Windows | Instructions on our wiki |
El Capitan users: If you have recently updated to El Capitan and are experiencing trouble when compiling, run the following command: xcode-select --install
. Read more about the problem on Stack Overflow.
var Canvas = require('canvas')
, Image = Canvas.Image
, canvas = new Canvas(200, 200)
, ctx = canvas.getContext('2d');
ctx.font = '30px Impact';
ctx.rotate(.1);
ctx.fillText("Awesome!", 50, 100);
var te = ctx.measureText('Awesome!');
ctx.strokeStyle = 'rgba(0,0,0,0.5)';
ctx.beginPath();
ctx.lineTo(50, 102);
ctx.lineTo(50 + te.width, 102);
ctx.stroke();
console.log('<img src="' + canvas.toDataURL() + '" />');
node-canvas extends the canvas API to provide interfacing with node, for example streaming PNG data, converting to a Buffer
instance, etc. Among the interfacing API, in some cases the drawing API has been extended for SSJS image manipulation / creation usage, however keep in mind these additions may fail to render properly within browsers.
node-canvas adds Image#src=Buffer
support, allowing you to read images from disc, redis, etc and apply them via ctx.drawImage()
. Below we draw scaled down squid png by reading it from the disk with node's I/O.
fs.readFile(__dirname + '/images/squid.png', function(err, squid){
if (err) throw err;
img = new Image;
img.src = squid;
ctx.drawImage(img, 0, 0, img.width / 4, img.height / 4);
});
Below is an example of a canvas drawing it-self as the source several time:
var img = new Image;
img.src = canvas.toBuffer();
ctx.drawImage(img, 0, 0, 50, 50);
ctx.drawImage(img, 50, 0, 50, 50);
ctx.drawImage(img, 100, 0, 50, 50);
node-canvas adds Image#dataMode
support, which can be used to opt-in to mime data tracking of images (currently only JPEGs).
When mime data is tracked, in PDF mode JPEGs can be embedded directly into the output, rather than being re-encoded into PNG. This can drastically reduce filesize, and speed up rendering.
var img = new Image;
img.dataMode = Image.MODE_IMAGE; // Only image data tracked
img.dataMode = Image.MODE_MIME; // Only mime data tracked
img.dataMode = Image.MODE_MIME | Image.MODE_IMAGE; // Both are tracked
If image data is not tracked, and the Image is drawn to an image rather than a PDF canvas, the output will be junk. Enabling mime data tracking has no benefits (only a slow down) unless you are generating a PDF.
To create a PNGStream
simply call canvas.pngStream()
, and the stream will start to emit data events, finally emitting end when finished. If an exception occurs the error event is emitted.
var fs = require('fs')
, out = fs.createWriteStream(__dirname + '/text.png')
, stream = canvas.pngStream();
stream.on('data', function(chunk){
out.write(chunk);
});
stream.on('end', function(){
console.log('saved png');
});
Currently only sync streaming is supported, however we plan on supporting async streaming as well (of course :) ). Until then the Canvas#toBuffer(callback)
alternative is async utilizing eio_custom()
.
You can likewise create a JPEGStream
by calling canvas.jpegStream()
with
some optional parameters; functionality is otherwise identical to
pngStream()
. See examples/crop.js
for an example.
Note: At the moment, jpegStream()
is the same as syncJPEGStream()
, both
are synchronous
var stream = canvas.jpegStream({
bufsize: 4096 // output buffer size in bytes, default: 4096
, quality: 75 // JPEG quality (0-100) default: 75
, progressive: false // true for progressive compression, default: false
});
A call to Canvas#toBuffer()
will return a node Buffer
instance containing all of the PNG data.
canvas.toBuffer();
Optionally we may pass a callback function to Canvas#toBuffer()
, and this process will be performed asynchronously, and will callback(err, buf)
.
canvas.toBuffer(function(err, buf){
});
The following syntax patterns are supported:
var dataUrl = canvas.toDataURL(); // defaults to PNG
var dataUrl = canvas.toDataURL('image/png');
canvas.toDataURL(function(err, png){ }); // defaults to PNG
canvas.toDataURL('image/png', function(err, png){ });
canvas.toDataURL('image/jpeg', function(err, jpeg){ }); // sync JPEG is not supported
canvas.toDataURL('image/jpeg', {opts...}, function(err, jpeg){ }); // see Canvas#jpegStream for valid options
canvas.toDataURL('image/jpeg', quality, function(err, jpeg){ }); // spec-following; quality from 0 to 1
Given one of the values below will alter pattern (gradients, images, etc) render quality, defaults to good.
Can be either path
or glyph
. Using glyph
is much faster than path
for drawing, and when using a PDF context will embed the text natively, so will be selectable and lower filesize. The downside is that cairo does not have any subpixel precision for glyph
, so this will be noticeably lower quality for text positioning in cases such as rotated text. Also, strokeText in glyph
will act the same as fillText, except using the stroke style for the fill.
Defaults to path.
This property is tracked as part of the canvas state in save/restore.
Like patternQuality
, but applies to transformations effecting more than just patterns. Defaults to good.
In addition to those specified and commonly implemented by browsers, the following have been added:
Set anti-aliasing mode
For example:
ctx.antialias = 'none';
Basic PDF support was added in 0.11.0. Make sure to install cairo with --enable-pdf=yes
for the PDF backend. node-canvas must know that it is creating
a PDF on initialization, using the "pdf" string:
var canvas = new Canvas(200, 500, 'pdf');
An additional method .addPage()
is then available to create
multiple page PDFs:
ctx.font = '22px Helvetica';
ctx.fillText('Hello World', 50, 80);
ctx.addPage();
ctx.font = '22px Helvetica';
ctx.fillText('Hello World 2', 50, 80);
ctx.addPage();
ctx.font = '22px Helvetica';
ctx.fillText('Hello World 3', 50, 80);
ctx.addPage();
Just like PDF support, make sure to install cairo with --enable-svg=yes
.
You also need to tell node-canvas that it is working on SVG upon its initialization:
var canvas = new Canvas(200, 500, 'svg');
// Use the normal primitives.
fs.writeFile('out.svg', canvas.toBuffer());
Although node-canvas is extremely new, and we have not even begun optimization yet it is already quite fast. For benchmarks vs other node canvas implementations view this gist, or update the submodules and run $ make benchmark
yourself.
Want to contribute to node-canvas? patches for features, bug fixes, documentation, examples and others are certainly welcome. Take a look at the issue queue for existing issues.
Examples are placed in ./examples, be sure to check them out! most produce a png image of the same name, and others such as live-clock.js launch an http server to be viewed in the browser.
If you have not previously, init git submodules:
$ git submodule update --init
Install the node modules:
$ npm install
Build node-canvas:
$ node-gyp rebuild
Unit tests:
$ make test
Visual tests:
$ make test-server
Tested with and designed for:
For node 0.2.x node-canvas
<= 0.4.3 may be used,
0.5.0 and above are designed for node 0.4.x only.
(The MIT License)
Copyright (c) 2010 LearnBoost, and contributors <dev@learnboost.com>
Copyright (c) 2014 Automattic, Inc and contributors <dev@automattic.com>
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the 'Software'), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
FAQs
Canvas graphics API backed by Cairo
The npm package canvas receives a total of 2,357,927 weekly downloads. As such, canvas popularity was classified as popular.
We found that canvas demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 8 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.