Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
The esm npm package is a lightweight module loader that allows developers to use ES6 modules in Node.js. It enables the use of import and export syntax for working with modules, which is more standardized and often considered cleaner than the traditional CommonJS require syntax.
Import ES6 Modules
Allows the use of ES6 import syntax in Node.js by requiring the esm module and then using it to load other ES6 modules.
require = require('esm')(module)
const { myFunction } = require('./myModule.mjs')
Export ES6 Modules
Enables developers to define modules using ES6 export syntax, which can then be imported by other modules.
// In myModule.mjs
export const myFunction = () => { console.log('Hello ESM!'); }
Dynamic Import
Supports dynamic import() syntax for loading modules asynchronously, which can be useful for code splitting or on-demand loading.
require = require('esm')(module)
const myModule = require('./myModule.mjs')
myModule.then(module => { module.myFunction() })
This package allows you to transpile your ES6+ code on the fly by hooking into Node's require. It is more feature-rich than esm, offering a wide range of plugins to transform your code, but it may be heavier and slower for simple use cases.
While ts-node is primarily for running TypeScript in Node.js without pre-compiling, it also supports ES6+ features. It is similar to esm in that it allows for the use of modern module syntax, but it is specifically tailored for TypeScript.
This package uses esbuild to transpile code when requiring modules. It's similar to esm in that it allows you to use newer syntax, but it also includes TypeScript support and is focused on speed, leveraging the fast esbuild bundler.
The brilliantly simple, babel-less, bundle-less ECMAScript module loader.
esm
is the world’s most advanced ECMAScript module loader. This fast, production ready, zero dependency loader is all you need to support ECMAScript modules in Node 6+. See the release post and video for details!
New projects
Run npm init esm
or yarn create esm
.
:bulb: Use the -y
flag to answer “yes” to all prompts.
Existing projects
Run npm i esm
or yarn add esm
.
There are two ways to enable esm
.
Enable esm
for packages:
Use esm
to load the main ES module and export it as CommonJS.
index.js
// Set options as a parameter, environment variable, or rc file.
require = require("esm")(module/*, options*/)
module.exports = require("./main.js")
main.js
// ESM syntax is supported.
export {}
:bulb: These files are automagically created with npm init esm
or yarn create esm
.
Enable esm
for local runs:
node -r esm main.js
:bulb: Omit the filename to enable esm
in the REPL.
:clap: By default, :100: percent CJS interoperability is enabled so you can get stuff done.
:lock: .mjs
files are limited to basic functionality without support for esm
options.
Out of the box esm
just works, no configuration necessary, and supports:
import
/export
import.meta
import
stdin
, --eval
, --print
flags--check
flag (Node 10+)Specify options with one of the following:
"esm"
field in package.json
.esmrc.js
, .esmrc.cjs
, or .esmrc.mjs
file.esmrc
or .esmrc.json
fileESM_OPTIONS
environment variableESM_DISABLE_CACHE
environment variable{ | |||||||||||||||||||||
"cjs":true | A boolean or object for toggling CJS features in ESM. Features
| ||||||||||||||||||||
"mainFields":["main"] | An array of fields checked when importing a package. | ||||||||||||||||||||
"mode":"auto" | A string mode:
| ||||||||||||||||||||
"await":false | A boolean for top-level | ||||||||||||||||||||
"force":false | A boolean to apply these options to all module loads. | ||||||||||||||||||||
"wasm":false | A boolean for WebAssembly module support. (Node 8+) | ||||||||||||||||||||
} |
{ | |
"cache":true | A boolean for toggling cache creation or a cache directory path. |
"sourceMap":false | A boolean for including inline source maps. |
} |
For bundlers like browserify
+esmify
,
parcel-bundler
, and webpack
add a "module"
field to package.json
pointing to the main ES module.
"main": "index.js",
"module": "main.js"
:bulb: This is automagically done with npm init esm
or yarn create esm
.
esm
for wallaby.js
following their
integration example.Load esm
before loaders/monitors like
@babel/register
,
newrelic
,
sqreen
, and
ts-node
.
Load esm
for jasmine
using the
"helpers"
field in jasmine.json
:
"helpers": [
"node_modules/esm"
]
Load esm
with “node-args" options of:
pm2
: --node-args="-r esm"
Load esm
with “require” options of
ava
,
mocha
,
nodemon
,
nyc
,
qunit
,
tape
, and
webpack
.
:bulb: Builtin require
cannot sideload .mjs
files. However, .js
files
can be sideloaded or .mjs
files may be loaded with dynamic import
.
FAQs
Tomorrow's ECMAScript modules today!
The npm package esm receives a total of 2,205,419 weekly downloads. As such, esm popularity was classified as popular.
We found that esm demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.