Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
An RPC library that works on windows, iframes, WebWorkers and ServiceWorkers.
An RPC library that works on windows, iframes, WebWorkers and ServiceWorkers.
TL;DR: With Comlink you can work on objects from another JavaScript realm
(like a Worker or an iframe) as if it was a local object. Just use await
whenever the remote value is involed.
$ npm install --save comlinkjs
Comlink allows you to expose an arbitrary JavaScript value (objects, classes,
functions, etc) to the endpoint of an communications channel. Anything that
works with postMessage
can be used as a communication channel. on the other
end of that channel you can use Comlink to synthesize an ES6 proxy. Every action
performed on that proxy object will be serialized using a simple (and naïve) RPC
protocol and be applied to the exposed value on the other side.
// index.html
<!doctype html>
<script src="../../dist/comlink.global.js"></script>
<script>
const worker = new Worker('worker.js');
// WebWorkers use `postMessage` and therefore work with Comlink.
const api = Comlink.proxy(worker);
async function init() {
// Note the usage of `await`.
const app = await new api.App();
console.log(`Counter: ${await app.count}`);
await app.inc();
console.log(`Counter: ${await app.count}`);
};
init();
</script>
// worker.js
importScripts('../dist/comlink.global.js');
class App {
constructor() {
this._counter = 0;
}
get count() {
return this._counter;
}
inc() {
this._counter++;
}
}
Comlink.expose({App}, self);
The Comlink module is provided in 3 different formats:
“es6”: This package uses the native ES6 module format. Due to some
hackery, the module exports an Comlin
object. Import it as follows:
import {Comlink} from '../dist/comlink.es6.js';
// ...
“global”: This package adds a Comlink
namespace on self
. Useful
for workers or projects without a module loader.
“umd”: This package uses UMD so it is compatible with AMD, CommonJS and requireJS.
These packages can be mixed and matched. A worker using global
can work
with a Window using es6
. For the sake of network conversation, I do recommend
sticking to one format, though.
The Comlink module exports 3 functions:
proxy(endpoint)
proxy
creates an ES6 proxy and sends all operations through the channel behind
endpoint
. On the other end of the channel should be passed to expose
.
expose: (rootObj, endpoint)
expose
listens for RPC messages on endpoint
and applies the operations to
rootObj
. The return value will be structurally cloned and sent back. Values
that implement the Transferable
interface, will be transferred.
proxyValue(value)
If structurally cloning a value is undesired, wrapping the value in proxyValue
will cause expose
to instead send back a MessagePort
that
will be hooked up to a new proxy on the other end.
License Apache-2.0
FAQs
Comlink’s goal is to make [WebWorkers][webworker] enjoyable. Comlink removes the mental barrier of thinking about `postMessage` and hides the fact that you are working with workers.
The npm package comlinkjs receives a total of 271 weekly downloads. As such, comlinkjs popularity was classified as not popular.
We found that comlinkjs demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.