Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Comlink is a utility that simplifies the process of working with Web Workers and other forms of remote communication in JavaScript. It allows you to expose and call functions across different execution contexts, such as between the main thread and a Web Worker, as if they were local functions.
Basic Usage
This example demonstrates the basic usage of Comlink to expose an object in a Web Worker and call its methods from the main thread.
const { wrap } = require('comlink');
// worker.js
const obj = {
counter: 0,
increment() {
this.counter++;
return this.counter;
}
};
Comlink.expose(obj);
// main.js
const worker = new Worker('worker.js');
const remoteObj = wrap(worker);
(async () => {
console.log(await remoteObj.increment()); // 1
console.log(await remoteObj.increment()); // 2
})();
Transferable Objects
This example shows how to use Comlink with transferable objects, such as ArrayBuffers, to efficiently transfer data between the main thread and a Web Worker.
const { wrap, transfer } = require('comlink');
// worker.js
const obj = {
processArray(buffer) {
// Process the buffer
return buffer;
}
};
Comlink.expose(obj);
// main.js
const worker = new Worker('worker.js');
const remoteObj = wrap(worker);
const buffer = new ArrayBuffer(8);
(async () => {
const result = await remoteObj.processArray(transfer(buffer, [buffer]));
console.log(result); // ArrayBuffer(8)
})();
Class Instances
This example demonstrates how to use Comlink to expose class instances in a Web Worker and interact with them from the main thread.
const { wrap } = require('comlink');
// worker.js
class Counter {
constructor() {
this.value = 0;
}
increment() {
this.value++;
return this.value;
}
}
Comlink.expose(Counter);
// main.js
const worker = new Worker('worker.js');
const RemoteCounter = wrap(worker);
(async () => {
const counter = await new RemoteCounter();
console.log(await counter.increment()); // 1
console.log(await counter.increment()); // 2
})();
Workerize is a library that automatically moves a module into a Web Worker and proxies calls to it. It is similar to Comlink in that it simplifies the use of Web Workers, but it is more focused on automatically converting entire modules into workers, whereas Comlink provides more granular control over exposing and calling individual functions or objects.
Threads is a library for creating and managing Web Workers with a focus on simplicity and type safety. It provides a higher-level API compared to Comlink, with built-in support for TypeScript and more structured worker management. While Comlink offers more flexibility in exposing and calling functions, Threads aims to provide a more streamlined and type-safe experience.
Greenlet is a micro-library that allows you to run a function in a Web Worker and return a promise for its result. It is similar to Comlink in that it simplifies the use of Web Workers, but it is more lightweight and focused on running individual functions rather than exposing entire objects or classes.
Comlink makes WebWorkers enjoyable. Comlink is a tiny library (1.1kB), that removes the mental barrier of thinking about postMessage
and hides the fact that you are working with workers.
At a more abstract level it is an RPC implementation for postMessage
and ES6 Proxies.
$ npm install --save comlink
Browsers without ES6 Proxy support can use the proxy-polyfill.
Size: ~2.5k, ~1.2k gzip’d, ~1.1k brotli’d
On mobile phones, and especially on low-end mobile phones, it is important to keep the main thread as idle as possible so it can respond to user interactions quickly and provide a jank-free experience. The UI thread ought to be for UI work only. WebWorkers are a web API that allow you to run code in a separate thread. To communicate with another thread, WebWorkers offer the postMessage
API. You can send JavaScript objects as messages using myWorker.postMessage(someObject)
, triggering a message
event inside the worker.
Comlink turns this messaged-based API into a something more developer-friendly by providing an RPC implementation: Values from one thread can be used within the other thread (and vice versa) just like local values.
main.js
import * as Comlink from "https://unpkg.com/comlink/dist/esm/comlink.mjs";
async function init() {
const worker = new Worker("worker.js");
// WebWorkers use `postMessage` and therefore work with Comlink.
const obj = Comlink.wrap(worker);
alert(`Counter: ${await obj.counter}`);
await obj.inc();
alert(`Counter: ${await obj.counter}`);
}
init();
worker.js
importScripts("https://unpkg.com/comlink/dist/umd/comlink.js");
// importScripts("../../../dist/umd/comlink.js");
const obj = {
counter: 0,
inc() {
this.counter++;
},
};
Comlink.expose(obj);
main.js
import * as Comlink from "https://unpkg.com/comlink/dist/esm/comlink.mjs";
// import * as Comlink from "../../../dist/esm/comlink.mjs";
function callback(value) {
alert(`Result: ${value}`);
}
async function init() {
const remoteFunction = Comlink.wrap(new Worker("worker.js"));
await remoteFunction(Comlink.proxy(callback));
}
init();
worker.js
importScripts("https://unpkg.com/comlink/dist/umd/comlink.js");
// importScripts("../../../dist/umd/comlink.js");
async function remoteFunction(cb) {
await cb("A string from a worker");
}
Comlink.expose(remoteFunction);
SharedWorker
When using Comlink with a SharedWorker
you have to:
port
property, of the SharedWorker
instance, when calling Comlink.wrap
.Comlink.expose
within the onconnect
callback of the shared worker.Pro tip: You can access DevTools for any shared worker currently running in Chrome by going to: chrome://inspect/#workers
main.js
import * as Comlink from "https://unpkg.com/comlink/dist/esm/comlink.mjs";
async function init() {
const worker = new SharedWorker("worker.js");
/**
* SharedWorkers communicate via the `postMessage` function in their `port` property.
* Therefore you must use the SharedWorker's `port` property when calling `Comlink.wrap`.
*/
const obj = Comlink.wrap(worker.port);
alert(`Counter: ${await obj.counter}`);
await obj.inc();
alert(`Counter: ${await obj.counter}`);
}
init();
worker.js
importScripts("https://unpkg.com/comlink/dist/umd/comlink.js");
// importScripts("../../../dist/umd/comlink.js");
const obj = {
counter: 0,
inc() {
this.counter++;
},
};
/**
* When a connection is made into this shared worker, expose `obj`
* via the connection `port`.
*/
onconnect = function (event) {
const port = event.ports[0];
Comlink.expose(obj, port);
};
// Single line alternative:
// onconnect = (e) => Comlink.expose(obj, e.ports[0]);
For additional examples, please see the docs/examples directory in the project.
Comlink.wrap(endpoint)
and Comlink.expose(value, endpoint?, allowedOrigins?)
Comlink’s goal is to make exposed values from one thread available in the other. expose
exposes value
on endpoint
, where endpoint
is a postMessage
-like interface and allowedOrigins
is an array of
RegExp or strings defining which origins should be allowed access (defaults to special case of ['*']
for all origins).
wrap
wraps the other end of the message channel and returns a proxy. The proxy will have all properties and functions of the exposed value, but access and invocations are inherently asynchronous. This means that a function that returns a number will now return a promise for a number. As a rule of thumb: If you are using the proxy, put await
in front of it. Exceptions will be caught and re-thrown on the other side.
Comlink.transfer(value, transferables)
and Comlink.proxy(value)
By default, every function parameter, return value and object property value is copied, in the sense of structured cloning. Structured cloning can be thought of as deep copying, but has some limitations. See this table for details.
If you want a value to be transferred rather than copied — provided the value is or contains a Transferable
— you can wrap the value in a transfer()
call and provide a list of transferable values:
const data = new Uint8Array([1, 2, 3, 4, 5]);
await myProxy.someFunction(Comlink.transfer(data, [data.buffer]));
Lastly, you can use Comlink.proxy(value)
. When using this Comlink will neither copy nor transfer the value, but instead send a proxy. Both threads now work on the same value. This is useful for callbacks, for example, as functions are neither structured cloneable nor transferable.
myProxy.onready = Comlink.proxy((data) => {
/* ... */
});
It is common that you want to use Comlink to add an event listener, where the event source is on another thread:
button.addEventListener("click", myProxy.onClick.bind(myProxy));
While this won’t throw immediately, onClick
will never actually be called. This is because Event
is neither structured cloneable nor transferable. As a workaround, Comlink offers transfer handlers.
Each function parameter and return value is given to all registered transfer handlers. If one of the event handler signals that it can process the value by returning true
from canHandle()
, it is now responsible for serializing the value to structured cloneable data and for deserializing the value. A transfer handler has be set up on both sides of the message channel. Here’s an example transfer handler for events:
Comlink.transferHandlers.set("EVENT", {
canHandle: (obj) => obj instanceof Event,
serialize: (ev) => {
return [
{
target: {
id: ev.target.id,
classList: [...ev.target.classList],
},
},
[],
];
},
deserialize: (obj) => obj,
});
Note that this particular transfer handler won’t create an actual Event
, but just an object that has the event.target.id
and event.target.classList
property. Often, this is enough. If not, the transfer handler can be easily augmented to provide all necessary data.
Comlink.releaseProxy
Every proxy created by Comlink has the [releaseProxy]()
method.
Calling it will detach the proxy and the exposed object from the message channel, allowing both ends to be garbage collected.
const proxy = Comlink.wrap(port);
// ... use the proxy ...
proxy[Comlink.releaseProxy]();
If the browser supports the WeakRef proposal, [releaseProxy]()
will be called automatically when the proxy created by wrap()
gets garbage collected.
Comlink.finalizer
If an exposed object has a property [Comlink.finalizer]
, the property will be invoked as a function when the proxy is being released. This can happen either through a manual invocation of [releaseProxy]()
or automatically during garbage collection if the runtime supports the WeakRef proposal (see Comlink.releaseProxy
above). Note that when the finalizer function is invoked, the endpoint is closed and no more communication can happen.
Comlink.createEndpoint
Every proxy created by Comlink has the [createEndpoint]()
method.
Calling it will return a new MessagePort
, that has been hooked up to the same object as the proxy that [createEndpoint]()
has been called on.
const port = myProxy[Comlink.createEndpoint]();
const newProxy = Comlink.wrap(port);
Comlink.windowEndpoint(window, context = self, targetOrigin = "*")
Windows and Web Workers have a slightly different variants of postMessage
. If you want to use Comlink to communicate with an iframe or another window, you need to wrap it with windowEndpoint()
.
window
is the window that should be communicate with. context
is the EventTarget
on which messages from the window
can be received (often self
). targetOrigin
is passed through to postMessage
and allows to filter messages by origin. For details, see the documentation for Window.postMessage
.
For a usage example, take a look at the non-worker examples in the docs
folder.
Comlink does provide TypeScript types. When you expose()
something of type T
, the corresponding wrap()
call will return something of type Comlink.Remote<T>
. While this type has been battle-tested over some time now, it is implemented on a best-effort basis. There are some nuances that are incredibly hard if not impossible to encode correctly in TypeScript’s type system. It may sometimes be necessary to force a certain type using as unknown as <type>
.
Comlink works with Node’s worker_threads
module. Take a look at the example in the docs
folder.
License Apache-2.0
FAQs
Comlink makes WebWorkers enjoyable
We found that comlink demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.