check-side-effects
You can use this package to see if importing a given ES module has side effects, and where they come from.
Minimizers (UglifyJS, Terser, etc) used together with bundlers (Webpack, Rollup, etc) are able to drastically reduce the size of code bundles by removing unused code. This is desirable because less code means faster startup time on both Node and Browser platforms.
But sometimes these tools cannot know whether a certain piece of code is actually unused and therefore safe to remove. The most common case is imported code with side effects.
In the context of importing ES modules, a side effect is any code that runs when the module is evaluated (that is, at import time) and does something observable, such as writing output, mutating shared state, or touching the environment, rather than merely defining exports.
An obvious example of a side effect is a top-level function call, such as logging. If you have console.log('something') at the top level of a module, that code will be retained. Similarly, if you call myFunction() at the top level and static analysis cannot determine that the call has no effect, the code will be retained.
A more subtle side effect is property access, like const obj = {}; obj.prop;. Here obj isn't really used, and it's not even exported. But because something might be happening inside a property getter, the access is retained in the final bundle. It is uncommon to have side effects in getters, and for that reason some tools offer a configuration option to assume property getters have no side effects. Note that this is a soundness trade-off: if a getter does have an effect, a minimizer configured to assume pure getters will silently drop it.
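As an added example (not code from the check-side-effects project), the snippet below makes the three kinds of import-time side effect described above observable and shows exactly what a pure-getters assumption removes. The module body, myFunction, and the assumePureGetters option are constructed for illustration; the option stands in for the tool's --pure-getters flag.

```javascript
// Added example (not code from check-side-effects): the three kinds of
// import-time side effect the text describes, made observable, plus what
// happens when a minimizer is told getters are pure.
// Everything here is constructed for illustration.

// Record of everything that ran while the "module body" was evaluated.
const observed = [];

// Something a dependency might legitimately do at top level, but which
// static analysis cannot prove to be effect-free: it mutates shared state.
function myFunction() {
  observed.push('call: myFunction() mutated shared state');
}

// A property getter with a side effect. Reading obj.prop runs this code,
// even though the result is discarded and obj is never exported.
function makeObjectWithImpureGetter() {
  return {
    get prop() {
      observed.push('getter: obj.prop read');
      return 42;
    },
  };
}

// Simulates evaluating a module body on import.
// options.assumePureGetters mirrors the tool's --pure-getters flag: when true,
// the bare `obj.prop` statement is treated as dead code and dropped, exactly
// as a minimizer configured that way would do.
function evaluateModuleBody({ assumePureGetters = false } = {}) {
  observed.length = 0;

  // 1. Top-level call with an obvious effect (stands in for console.log).
  observed.push("call: console.log('something')");

  // 2. Top-level call whose purity cannot be established statically.
  myFunction();

  // 3. Bare property access that looks unused.
  const obj = makeObjectWithImpureGetter();
  if (!assumePureGetters) {
    obj.prop; // retained only when getters may be impure
  }

  return [...observed];
}

// The difference between the two runs is the behaviour a pure-getters
// assumption silently removes from the bundle.
function effectsLostByPureGetters() {
  const strict = evaluateModuleBody({ assumePureGetters: false });
  const relaxed = evaluateModuleBody({ assumePureGetters: true });
  return strict.filter((e) => !relaxed.includes(e));
}

console.log(effectsLostByPureGetters()); // prints [ 'getter: obj.prop read' ]
```

The first two effects survive either way; only the getter access depends on the flag. That is why leaving --pure-getters at its default is fine for measuring bundle size, but a dependency whose behaviour is carried by a getter (a lazy initialiser, for instance) needs to be checked with it disabled.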
These examples are trivial but on complex pieces of software you will likely find non-trivial variations of the same theme.
And since code is highly interconnected, it's easy to have a lot of code retained by only a few unexpected side effects.
In an ideal scenario, importing a library but not using it means no code is retained from that library. But more often than not, importing a library has side effects that can't be removed at all.
This tool was created to help identify what code is leftover from importing an unused library by trying to eliminate as much code from it as possible.
It implements that idea by following these steps:
First, install this either globally or locally from npm.
npm install --global check-side-effects
Running this tool with a path will print out to the console the remaining code with side effects. You can list multiple paths one after the other too.
check-side-effects ./path/to/library/module.js
check-side-effects ./path/to/library/module.js ./path/to/another-library/module.js
Please note that this tool is meant to check individual ES modules. Passing in a library name won't work. You have to give a relative path to a .js file containing ES module code.
You can also pass the --output argument to write the result to a file instead. Doing this will also output sourcemaps, which you can use to trace where the retained code came from.
check-side-effects ./path/to/library/module.js --output side-effects.js
http://sokra.github.io/source-map-visualization/ is a great way to visualize source map locations.
Below is a list of all available CLI options:
--help Show the help message.
--cwd Override working directory to run the process in.
--output Output the bundle to this path. Useful to trace the sourcemaps.
--pure-getters Assume there are no side effects from getters. [Default: true]
--resolve-externals Resolve external dependencies. [Default: false]
--use-build-optimizer Run Build Optimizer over all modules. [Default: true]
--print-dependencies Print all the module dependencies. [Default: false]
--warnings Show all warnings. [Default: false]
You can also use this tool via the JavaScript API.
This API provides you with more options than the CLI usage.
// The README's own snippet imports from './checker', which is the path inside the
// repository. As a consumer, import from the package entry point instead.
import { checkSideEffects } from 'check-side-effects';

const opts = {
  cwd: process.cwd(),
  esModules: ['./path/to/library/module.js'],
  outputFilePath: undefined, // set a path to also write the bundle and its sourcemap
  pureGetters: true,
  globalDefs: {},
  sideEffectFreeModules: [''], // empty string assumes all modules are side effect free.
  resolveExternals: false,
  printDependencies: false,
  useBuildOptimizer: true,
  warnings: false,
};

// Top-level await requires this file to be an ES module.
const result = await checkSideEffects(opts);
FAQs
Check if an ES module has side effects.
The npm package check-side-effects receives a total of 2,281 weekly downloads. As such, check-side-effects popularity was classified as popular.
We found that check-side-effects demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.