Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
The core-js npm package is a modular standard library for JavaScript, which includes polyfills for ECMAScript features. It provides reliable polyfills to ensure that code behaves consistently across different environments, including older browsers.
Polyfilling ECMAScript features
This feature allows developers to use the latest ECMAScript features while ensuring backward compatibility with older environments that do not support these features natively.
require('core-js/stable');
// Now you can use ES6 features like Promise in environments that do not support them natively.
Polyfilling Web Standards
Core-js can also polyfill web standards, allowing developers to use modern web APIs in environments that have not implemented them.
require('core-js/web');
// This includes polyfills for web standards like DOM collections (e.g., NodeList), timers, and more.
Polyfilling Proposals
Developers can experiment with proposed ECMAScript features before they are finalized and adopted into the standard, ensuring forward compatibility.
require('core-js/proposals');
// This will include polyfills for ECMAScript proposals that are not yet part of the standard.
Babel-polyfill is a package that provides polyfills necessary for a full ES2015+ environment. It is similar to core-js but is more tightly coupled with Babel's transpilation process.
The es6-shim package provides polyfills for ECMAScript 6 (aka ECMAScript 2015) features. It is similar to core-js but focuses specifically on ES6 features and does not cover proposals or web standards.
The polyfill-service by Financial Times is an online service that provides polyfills based on the user's browser. It is different from core-js in that it is a service rather than a package you include in your project, but it serves a similar purpose in polyfilling features.
Modular standard library for JavaScript. Includes polyfills for ECMAScript up to 2023: promises, symbols, collections, iterators, typed arrays, many other features, ECMAScript proposals, some cross-platform WHATWG / W3C features and proposals like
URL
. You can load only required features or use it without global namespace pollution.
core-js
isn't backed by a company, so the future of this project depends on you. Become a sponsor or a backer if you are interested in core-js
: Open Collective, Patreon, Boosty, Bitcoin ( bc1qlea7544qtsmj2rayg0lthvza9fau63ux0fstcz ), Alipay.
import 'core-js/actual';
Promise.resolve(42).then(it => console.log(it)); // => 42
Array.from(new Set([1, 2, 3]).union(new Set([3, 4, 5]))); // => [1, 2, 3, 4, 5]
[1, 2].flatMap(it => [it, it]); // => [1, 1, 2, 2]
(function * (i) { while (true) yield i++; })(1)
.drop(1).take(5)
.filter(it => it % 2)
.map(it => it ** 2)
.toArray(); // => [9, 25]
structuredClone(new Set([1, 2, 3])); // => new Set([1, 2, 3])
You can load only required features:
import 'core-js/actual/promise';
import 'core-js/actual/set';
import 'core-js/actual/iterator';
import 'core-js/actual/array/from';
import 'core-js/actual/array/flat-map';
import 'core-js/actual/structured-clone';
Promise.resolve(42).then(it => console.log(it)); // => 42
Array.from(new Set([1, 2, 3]).union(new Set([3, 4, 5]))); // => [1, 2, 3, 4, 5]
[1, 2].flatMap(it => [it, it]); // => [1, 1, 2, 2]
(function * (i) { while (true) yield i++; })(1)
.drop(1).take(5)
.filter(it => it % 2)
.map(it => it ** 2)
.toArray(); // => [9, 25]
structuredClone(new Set([1, 2, 3])); // => new Set([1, 2, 3])
Or use it without global namespace pollution:
import Promise from 'core-js-pure/actual/promise';
import Set from 'core-js-pure/actual/set';
import Iterator from 'core-js-pure/actual/iterator';
import from from 'core-js-pure/actual/array/from';
import flatMap from 'core-js-pure/actual/array/flat-map';
import structuredClone from 'core-js-pure/actual/structured-clone';
Promise.resolve(42).then(it => console.log(it)); // => 42
from(new Set([1, 2, 3]).union(new Set([3, 4, 5]))); // => [1, 2, 3, 4, 5]
flatMap([1, 2], it => [it, it]); // => [1, 1, 2, 2]
Iterator.from(function * (i) { while (true) yield i++; }(1))
.drop(1).take(5)
.filter(it => it % 2)
.map(it => it ** 2)
.toArray(); // => [9, 25]
structuredClone(new Set([1, 2, 3])); // => new Set([1, 2, 3])
It's a global version (first 2 examples), for more info see core-js
documentation.
Iterator
helpers proposal:
Iterator
Iterator.from
Iterator.prototype.drop
Iterator.prototype.every
Iterator.prototype.filter
Iterator.prototype.find
Iterator.prototype.flatMap
Iterator.prototype.forEach
Iterator.prototype.map
Iterator.prototype.reduce
Iterator.prototype.some
Iterator.prototype.take
Iterator.prototype.toArray
Iterator.prototype[@@toStringTag]
es.
namespace modules, /es/
and /stable/
namespaces entriesPromise.try
:
Promise.try
es.
namespace module, /es/
and /stable/
namespaces entries/actual|full/promise/try
entries for the callback arguments supportMath.sumPrecise
proposal:
Math.sumPrecise
/actual/
namespace entries, unconditional forced replacement changed to feature detectionIterator
sequencing stage 2.7 proposal:
Iterator.concat
Map
upsert stage 2 proposal:
Map.prototype.getOrInsert
Map.prototype.getOrInsertComputed
WeakMap.prototype.getOrInsert
WeakMap.prototype.getOrInsertComputed
@@species
pattern removed from %TypedArray%
and ArrayBuffer
methods, tc39/ecma262/3450:
%TypedArray%.prototype.filter
%TypedArray%.prototype.filterReject
%TypedArray%.prototype.map
%TypedArray%.prototype.slice
%TypedArray%.prototype.subarray
ArrayBuffer.prototype.slice
Uint8Array
to / from base64 and hex proposal methods marked as shipped from FF133self
descriptor is fixed in Deno 1.46.0Iterator
helpers proposal methods marked as shipped from Bun 1.1.31FAQs
Standard library
The npm package core-js receives a total of 31,808,615 weekly downloads. As such, core-js popularity was classified as popular.
We found that core-js demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.