Research
2025 Report: Destructive Malware in Open Source Packages
Destructive malware is rising across open source registries, using delays and kill switches to wipe code, break builds, and disrupt CI/CD.
By Kush Pandya - Dec 24, 2025
Chiffon
A small ECMAScript parser, tokenizer and minifier written in JavaScript.
Features
- Supports for ECMAScript 6
- Supports for Abstract Syntax Tree (JavaScript AST)
Installation
In Browser:
<script src="chiffon.js"></script>
or
<script src="chiffon.min.js"></script>
Object Chiffon will defined in the global scope.
In Node.js:
npm install chiffon
var Chiffon = require('chiffon');
bower:
bower install chiffon
Parse
Parse a string source.
The result will be an abstract syntax tree (JavaScript AST) object.
(JavaScript AST is specified by the ESTree spec.)
- {Object} Chiffon.parse ( source [, options ] )
@param {string} source Target source.
@param {Object} [options] Parse options.
@return {Object} Return an abstract syntax tree object.
Example:
var ast = Chiffon.parse('1 + 1');
console.log(ast);
/*
{
"type": "Program",
"body": [
{
"type": "ExpressionStatement",
"expression": {
"type": "BinaryExpression",
"operator": "+",
"left": {
"type": "Literal",
"value": 1,
"raw": "1"
},
"right": {
"type": "Literal",
"value": 1,
"raw": "1"
}
}
}
]
}
*/
Parse Options
-
range : {boolean} default=false
Include an index-based location range. (array) -
loc : {boolean} default=false
Include line number and column-based location info.
Full options are following.
var options = {
range: Boolean,
loc: Boolean
};
Tokenize
Tokenize a string source.
- {Array} Chiffon.tokenize ( source [, options ] )
@param {string} source Target source.
@param {Object} [options] Tokenize options.
@return {Array} Return an array of the parsed tokens.
var tokens = Chiffon.tokenize('var a = 1');
console.log(tokens);
/*
[ { type: 'Keyword', value: 'var' },
{ type: 'Identifier', value: 'a' },
{ type: 'Punctuator', value: '=' },
{ type: 'Numeric', value: '1' } ]
*/
Defined token type
- Comment
- WhiteSpace
- LineTerminator
- Template
- String
- Punctuator
- RegularExpression
- Numeric
- Identifier
- Null
- Boolean
- Keyword
Tokenize Options
-
comment : {boolean} default=false
Keep comment tokens. -
whiteSpace : {boolean} default=false
Keep white space tokens. -
lineTerminator : {boolean} default=false
Keep line terminator tokens. -
range : {boolean} default=false
Include an index-based location range. (array) -
loc : {boolean} default=false
Include line number and column-based location info.
Full options are following.
var options = {
comment: Boolean,
whiteSpace: Boolean,
lineTerminator: Boolean,
range: Boolean,
loc: Boolean
};
Untokenize
Concatenate to string from the parsed tokens.
- {string} Chiffon.untokenize ( tokens )
@param {Array} tokens An array of the parsed tokens.
@param {Object} [options] Untokenize options.
@return {string} Return a concatenated string.
Untokenize Options
- unsafe : {boolean} (default=false)
Untokenizer does not add a space between the identifier and identifier.
Tokens can return to the original string by using the untokenize with these options.
var source = 'var a = 1, b = 2; // comment';
var tokens = Chiffon.tokenize(source, {
comment: true,
whiteSpace: true,
lineTerminator: true
});
var result = Chiffon.untokenize(tokens, { unsafe: true });
console.log(result === source); // true
Minify
Minify JavaScript source.
- {string} Chiffon.minify ( source )
@param {string} source Target source.
@param {Object} [options] minify options.
@return {string} Return a minified source.
var min = Chiffon.minify('var a = 1 + 1; // comment');
console.log(min); // 'var a=1+1;'
Minify Options
- maxLineLen : {number} default=32000
Limit the line length in symbols.
Demo
License
MIT
FAQs
A small ECMAScript parser, tokenizer and minifier written in JavaScript.
The npm package chiffon receives a total of 40 weekly downloads. As such, chiffon popularity was classified as not popular.
We found that chiffon demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 17 Apr 2016
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Engineering with AI Podcast: The Promise of AI-First Development
Socket CTO Ahmad Nassri shares practical AI coding techniques, tools, and team workflows, plus what still feels noisy and why shipping remains human-led.
By Sarah Gooding - Dec 24, 2025
Research
/Security News
Spearphishing Campaign Abuses npm Registry to Target U.S. and Allied Manufacturing and Healthcare Organizations
A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, targeting 25 organizations across manufacturing, industrial automation, plastics, and healthcare for credential theft.
By Nicholas Anderson, Kirill Boychenko - Dec 23, 2025