Comlink’s goal is to make WebWorkers enjoyable. Comlink removes the mental barrier of thinking about `postMessage` and hides the fact that you are working with workers.
Note: Comlink’s goal is to be a building-block for higher-level abstraction libraries. For example, take a look at Clooney.
```js
// main.js
// Run inside an async function or a module that supports top-level await.
const MyClass = Comlink.proxy(new Worker('worker.js'));
// `instance` is an instance of `MyClass` that lives in the worker!
const instance = await new MyClass();
await instance.logSomething(); // logs "myValue = 42"
```
```js
// worker.js
// Comlink must already be loaded in the worker before this runs.
const myValue = 42;
class MyClass {
  logSomething() {
    console.log(`myValue = ${myValue}`);
  }
}
Comlink.expose(MyClass, self);
```
Browsers without ES6 Proxy support can use the proxy-polyfill.
Size: ~3.9k, ~1.6k gzip’d
WebWorkers are a web API that allows you to run code in a separate thread. To communicate with another thread, WebWorkers offer the `postMessage` API. You can send messages in the form of transferable JavaScript objects using `myWorker.postMessage(someObject)`, triggering a `message` event inside the worker.
Comlink turns this message-based API into something more developer-friendly: values from one thread can be used within the other thread (and vice versa) just like local values.
Comlink can be used with anything that offers `postMessage`, like windows, iframes and ServiceWorkers.
You can download Comlink from the dist folder. Alternatively, you can install it via npm:
```
$ npm install --save comlinkjs
```
or use a CDN like jsDelivr:
```
https://cdn.jsdelivr.net/npm/comlinkjs@3.0.0/comlink.js
```
There’s a collection of examples in the examples directory.
The Comlink module exports 3 functions:
Comlink.proxy(endpoint)
Returns the value that is exposed on the other side of `endpoint`.
`proxy` creates an ES6 proxy and sends all operations performed on that proxy through `endpoint`. `endpoint` can be a `Window`, a `Worker` or a `MessagePort`.* The other endpoint of the channel should be passed to `Comlink.expose`.
If you invoke a function, all parameters will be structurally cloned or transferred if they are transferable. If you want to pass a function as a parameter (e.g. callbacks), make sure to use `proxyValue` (see below). The same applies to the return value of a function.
*) Technically it can be any object with `postMessage`, `addEventListener` and `removeEventListener`.
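When the endpoint is another window or iframe rather than a dedicated worker, other pages may be able to post messages to the same window, so the three-method contract in the footnote is a natural place to enforce an origin check. The following is an added example, not code from Comlink: `originFilteredEndpoint` and its parameters are hypothetical names, the origins are placeholders, and the two windows in `demo()` are constructed stand-ins so the block runs outside a browser.

```javascript
// Added example, not Comlink code. `local`, `remote` and `expectedOrigin` are
// hypothetical names; the result has the three endpoint methods from the footnote.
function originFilteredEndpoint(local, remote, expectedOrigin) {
  const wrapped = new Map(); // caller's listener -> filtering wrapper
  return {
    postMessage(message, transfer) {
      // Name the recipient origin instead of "*": the browser then delivers
      // only if the remote window is still showing that origin.
      remote.postMessage(message, expectedOrigin, transfer);
    },
    addEventListener(type, listener, options) {
      if (wrapped.has(listener)) return;
      const filter = (event) => {
        // Drop anything not sent by the expected window from the expected origin.
        if (event.origin !== expectedOrigin || event.source !== remote) return;
        if (typeof listener === "function") listener(event);
        else listener.handleEvent(event);
      };
      wrapped.set(listener, filter);
      local.addEventListener(type, filter, options);
    },
    removeEventListener(type, listener, options) {
      const filter = wrapped.get(listener);
      if (!filter) return;
      wrapped.delete(listener);
      local.removeEventListener(type, filter, options);
    },
  };
}

// Constructed stand-ins for two windows so the filter runs outside a browser.
function demo() {
  const listeners = new Set();
  const local = {
    addEventListener: (_type, fn) => listeners.add(fn),
    removeEventListener: (_type, fn) => listeners.delete(fn),
  };
  const sent = [];
  const remote = { postMessage: (msg, origin) => sent.push({ msg, origin }) };
  const endpoint = originFilteredEndpoint(local, remote, "https://app.example");
  const delivered = [];
  endpoint.addEventListener("message", (e) => delivered.push(e.data));
  const fire = (event) => listeners.forEach((fn) => fn(event));
  fire({ data: "ok", origin: "https://app.example", source: remote });
  fire({ data: "spoofed", origin: "https://other.example", source: remote });
  fire({ data: "wrong-window", origin: "https://app.example", source: {} });
  endpoint.postMessage({ ping: 1 });
  return { delivered, sent };
}
```

Per the footnote above, an object of this shape can be passed as the `endpoint` argument; in a browser `local` would be the page's own `window` and `remote` the other window's reference.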
Comlink.expose(obj, endpoint)
Exposes `obj` to `endpoint`. Use `Comlink.proxy` on the other end of `endpoint`.
`expose` is the counterpart to `proxy`. It listens for RPC messages on `endpoint` and applies the operations to `obj`. Return values of functions will be structurally cloned or transferred if they are transferable.
Comlink.proxyValue(value)
Makes sure a parameter or return value is proxied, not copied.
By default, all parameters to a function are copied (structural clone):
```js
// main.js
const api = Comlink.proxy(new Worker('worker.js'));
const obj = {x: 0};
await api.setXto4(obj);
console.log(obj.x); // logs 0
```
The worker receives a copy of `obj`, so any mutation of `obj` done by the worker won’t affect the original object. If the value should not be copied but instead be proxied, use `Comlink.proxyValue`:
- await api.setXto4(obj);
+ await api.setXto4(Comlink.proxyValue(obj));
`console.log(obj.x)` will now log 4.
Keep in mind that functions cannot be copied. Unless they are used in combination with `Comlink.proxyValue`, they will get discarded during copy.
License Apache-2.0
FAQs
The npm package comlinkjs receives a total of 271 weekly downloads. As such, comlinkjs's popularity was classified as not popular.
We found that comlinkjs demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.