event-source-plus
A more configurable EventSource implementation that runs in browsers, NodeJS, and workers. The default browser EventSource API is too limited. Event Source Plus fixes that.
# npm
npm i event-source-plus
# pnpm
pnpm i event-source-plus
import { EventSourcePlus } from "event-source-plus";
const eventSource = new EventSourcePlus("https://example.com");
eventSource.listen({
  onMessage(message) {
    console.log(message);
  },
});
The listen() method returns a controller that you can use to abort the request.
const controller = eventSource.listen({
  onMessage(message) {
    console.log(message);
  },
});
controller.abort();
The EventSourcePlus constructor allows you to pass additional fetch options such as method, body, and headers.
const eventSource = new EventSourcePlus("https://example.com", {
  method: "post",
  body: JSON.stringify({ message: "hello world" }),
  headers: {
    "Content-Type": "application/json",
  },
});
You can also pass in a custom fetch implementation, which is useful for environments that don't natively support fetch.
const eventSource = new EventSourcePlus("https://example.com", {
  fetch: myCustomFetch,
});
Headers can be set by passing an object or a function. The function may return a header object or a promise that resolves to a header object.
// object syntax //
const eventSource = new EventSourcePlus("https://example.com", {
  // this value will remain the same for every request
  headers: {
    Authorization: "some-token",
  },
});

// function syntax //
function getHeaders() {
  return {
    Authorization: "some-token",
  };
}
const eventSource = new EventSourcePlus("https://example.com", {
  // this function will rerun every time a request is sent
  headers: getHeaders,
});

// async function syntax //
async function getHeaders() {
  const token = await getSomeToken();
  return {
    Authorization: token,
  };
}
const eventSource = new EventSourcePlus("https://example.com", {
  // this function will rerun every time a request is sent
  headers: getHeaders,
});
The function syntax is especially useful when dealing with authentication because it allows you to always get a fresh auth token. This is usually a pain point when working with other SSE client libraries.
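Because the header function reruns on every request, including every automatic retry, a naive version calls the token endpoint once per attempt. The block below is an added example, not code from the event-source-plus project: a header function that caches the token until shortly before expiry and shares one refresh between concurrent callers. The names cachedAuthHeaders and fetchToken, and the { token, expiresAt } result shape, are assumptions.

```javascript
// Added example, not part of event-source-plus. Names here are hypothetical.
// Assumption: fetchToken() resolves to { token, expiresAt }, expiresAt in epoch ms.
function cachedAuthHeaders(fetchToken, { skewMs = 30000, now = Date.now } = {}) {
  let cached = null; // last token and its expiry
  let inflight = null; // refresh shared by concurrent callers

  return function getHeaders() {
    // Reuse the token while it is comfortably inside its lifetime.
    if (cached && cached.expiresAt - skewMs > now()) {
      return { Authorization: cached.token };
    }
    // Single-flight: a burst of retries triggers one refresh, not one each.
    if (!inflight) {
      inflight = new Promise((resolve) => resolve(fetchToken()))
        .then((fresh) => {
          if (!fresh || typeof fresh.token !== "string" || !fresh.token) {
            throw new Error("token endpoint returned no token");
          }
          cached = fresh;
          return { Authorization: fresh.token };
        })
        .finally(() => {
          inflight = null;
        });
    }
    return inflight;
  };
}

// Constructed demo: a fake token source that counts how often it is hit.
function demoSingleFlight() {
  let calls = 0;
  let clock = 1000;
  const fetchToken = () => {
    calls++;
    return Promise.resolve({ token: `constructed-${calls}`, expiresAt: clock + 60000 });
  };
  const getHeaders = cachedAuthHeaders(fetchToken, { skewMs: 5000, now: () => clock });
  const first = getHeaders();
  const second = getHeaders();
  return { calls: () => calls, first, second, getHeaders, advance: (ms) => (clock += ms) };
}

// With the library: new EventSourcePlus(url, { headers: cachedAuthHeaders(fetchToken) })
```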
By default this library will automatically retry the request indefinitely with exponential backoff maxing out at 30 seconds. Both of these values can be adjusted when initializing the EventSourcePlus class.
const eventSource = new EventSourcePlus("https://example.com", {
  // automatically retry up to 100 times (default is 'undefined')
  maxRetryCount: 100,
  // set exponential backoff to max out at 10000 ms (default is "30000")
  maxRetryInterval: 10000,
});
Additionally, you can abort the request inside listen hooks using the EventSourceController:
// abort the request if we receive 10 server errors
let errCount = 0;
const controller = eventSource.listen({
  onMessage(data) {},
  onResponseError({ request, response, options }) {
    errCount++;
    if (errCount >= 10) {
      controller.abort();
    }
  },
});
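The counter above never resets, so ten errors spread over days end a long-lived stream just as ten in a row would. The block below is an added example, not code from the event-source-plus project: a wrapper around the listen() hooks that counts consecutive failures, resets on a healthy response, and stops early when the server keeps rejecting the credentials. withFailureBudget and its options are hypothetical names, and the hook arguments are assumed to have the { request, response, options } shape shown on this page. With the library it would be wired as guard.attach(eventSource.listen(guard.hooks)).

```javascript
// Added example, not part of event-source-plus. Names here are hypothetical.
function withFailureBudget(hooks, { maxConsecutive = 10, maxAuthFailures = 2 } = {}) {
  let controller = null; // set by attach() once listen() has returned
  let consecutive = 0; // failures since the last healthy response
  let authFailures = 0; // 401/403 responses since the last healthy response
  let reason = null;
  const fail = (status) => {
    consecutive++;
    if (status === 401 || status === 403) authFailures++;
    if (authFailures >= maxAuthFailures) reason = `auth rejected (${status})`;
    else if (consecutive >= maxConsecutive) reason = "error budget exhausted";
    if (reason && controller) controller.abort();
  };
  return {
    hooks: {
      ...hooks,
      onResponse(ctx) {
        // Only a healthy response clears the counters.
        if (ctx.response.ok) consecutive = authFailures = 0;
        if (hooks.onResponse) return hooks.onResponse(ctx);
      },
      onRequestError(ctx) {
        fail(0); // no HTTP status: connection refused, bad URL, ...
        if (hooks.onRequestError) return hooks.onRequestError(ctx);
      },
      onResponseError(ctx) {
        fail(ctx.response.status);
        if (hooks.onResponseError) return hooks.onResponseError(ctx);
      },
    },
    attach(c) {
      controller = c;
      if (reason) c.abort(); // budget was spent before listen() returned
    },
    reason: () => reason,
  };
}
// Constructed run: a fake controller and fake responses stand in for the library.
function demoBudget(statuses, opts) {
  let aborted = 0;
  const guard = withFailureBudget({ onMessage() {} }, opts);
  guard.attach({ abort: () => aborted++ });
  for (const status of statuses) {
    const ctx = { response: { ok: status >= 200 && status < 300, status } };
    guard.hooks.onResponse(ctx);
    if (!ctx.response.ok) guard.hooks.onResponseError(ctx);
    if (aborted) break;
  }
  return { aborted, reason: guard.reason() };
}
```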
This library has two retry strategies: always and on-error.
always is the default. It will always attempt to keep the connection open after it has been closed. This is useful for most realtime applications which need to keep a persistent connection with the backend.
on-error will only retry if an error occurred. If an event stream was successfully received by the client it will not reconnect after the connection is closed. This is useful for short lived streams that have a fixed length (for example, LLM response streams) since it means you no longer need to listen for a "DONE" event to close the connection.
To change the retry strategy simply update the retryStrategy option:
const eventSource = new EventSourcePlus("https://example.com", {
  retryStrategy: "on-error",
});
The on-error strategy is a BETA feature. If you are using this in your LLM applications or for other purposes please give feedback so that I can make sure all edge cases are being accounted for.
The listen() method has the following hooks:
onMessage
onRequest
onRequestError
onResponse
onResponseError
The only required hook is onMessage.
onMessage(message)
onMessage is called whenever receiving a new Server Sent Event from the server.
eventSource.listen({
  onMessage(message) {
    console.log(message);
  },
});
onRequest({ request, options })
onRequest is called as soon as a request is constructed. This allows you to modify the request or do simple logging.
eventSource.listen({
  onRequest({ request, options }) {
    console.log(request, options);
    // add current time query search params
    options.query = options.query || {};
    options.query.t = new Date();
  },
});
onRequestError({request, options, error})
onRequestError will be called when the request fails.
eventSource.listen({
  async onRequestError({ request, options, error }) {
    console.log(`[request error]`, request, error);
  },
});
Some example errors might be Connection refused or Failed to parse URL.
onResponse({ request, options, response })
onResponse will be called after receiving a response from the server.
eventSource.listen({
  async onResponse({ request, response, options }) {
    console.log(`Received status code: ${response.status}`);
  },
});
onResponseError({ request, options, response })
onResponseError will fire if one of the following conditions has been met:
response.ok is not true (i.e. server returned an error status code)
Content-Type header sent by the server doesn't include text/event-stream
eventSource.listen({
  async onResponseError({ request, response, options }) {
    console.log(
      `[response error]`,
      request,
      response.status,
      response.body,
    );
  },
});
Pull requests and issue reports are welcome.
Before submitting a PR please ensure that you have run the following commands and there are no errors.
pnpm run lint
pnpm run format
(For VSCode users "formatOnSave" is set to true. So the formatting step may be unnecessary)
Integration tests and unit tests get run by CI.
FAQs
A better EventSource API
The npm package event-source-plus receives a total of 1,825 weekly downloads. As such, event-source-plus popularity was classified as popular.
We found that event-source-plus demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.