Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Utilities you'll need when migrating to ESModule.

```sh
yarn add esm-utils
```

```js
import createEsmUtils from 'esm-utils'

const {
  require,
  dirname,
  filename,
  json,
} = createEsmUtils(import.meta)
```
## `createEsmUtils(import.meta)`

Returns an object with the following properties:

- `require`
- `dirname` (alias `__dirname`)
- `filename` (alias `__filename`)
- `json`

Please read [this note](#dirname-and-filename) before you use `dirname` and `filename`.

### `json.load(string | URL)`

Returns `Promise<jsonObject>`.

### `json.loadSync(string | URL)`

Sync version of `json.load`.
### With Import Assertions

```js
import foo from './foo.json' assert {type: 'json'}
await import('./foo.json', {assert: {type: 'json'}})
```

### With `require`, like CommonJS

```js
import createEsmUtils from 'esm-utils'
const {require} = createEsmUtils(import.meta)
const foo = require('./foo.json')
```

### With `json.load` or `json.loadSync`

```js
import createEsmUtils from 'esm-utils'
const {json} = createEsmUtils(import.meta)
const foo = await json.load('./foo.json')
```

```js
import createEsmUtils from 'esm-utils'
const {json} = createEsmUtils(import.meta)
const foo = json.loadSync('./foo.json')
```
## `dirname` and `filename`

The `dirname` and `filename` properties are supposed to be a quick solution when migrating to ES Modules. In most cases, you don't need them, because many APIs accept a `URL` directly.

```js
/* BAD */
import fs from 'node:fs/promises'
import path from 'node:path'
import createEsmUtils from 'esm-utils'

const {dirname} = createEsmUtils(import.meta)
const buffer = await fs.readFile(
  path.join(dirname, './path/to/file')
)
```

```js
/* GOOD */
import fs from 'node:fs/promises'

const buffer = await fs.readFile(
  new URL('./path/to/file', import.meta.url)
)
```
FAQs
Utilities you'll need when migrating to ESModule.
We found that esm-utils demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.