Product
Introducing Webhook Events for Alert Changes
Add real-time Socket webhook events to your workflows to automatically receive software supply chain alert changes in real time.
By Phil Gates-Idem -  Nov 21, 2025
🚀 DAY 5 OF LAUNCH WEEK:Introducing Webhook Events for Alert Changes.Learn more →
Do it live
Because npm installing in production every 30 seconds is a great idea, right? ...right?
Quick Start
npm install --save grabthar
Examples
Hot deploy and serve up static files:
import { poll } from 'grabthar';
let watcher = poll({
name: 'my-live-updating-module'
});
app.get('/foo.js', async function handleRequest(req, res) {
const { modulePath } = await watcher.get();
res.sendFile(`${ modulePath }/dist/foo.js`);
});
Or if you're feeling really brave, hot deploy and require new code:
import { poll } from 'grabthar';
let watcher = poll({
name: 'my-live-updating-module'
});
app.get('/api/foo', async function handleRequest(req, res) {
const { getFoo } = await watcher.import();
res.json(getFoo());
});
Deploying
By default grabthar will use the current latest tag of your chosen module, from npm.
So, to deploy and activate new code, just:
npm version patch;
npm publish;
This will automatically set the latest tag to the latest version.
Deploying and activating in different steps
To separate out the deployment and activation of new code, you can make use of different npm dist-tags:
import { poll } from 'grabthar';
let watcher = poll({
name: 'my-live-updating-module',
tags: [ 'latest', 'release' ]
});
app.get('/foo.js', async function handleRequest(req, res) {
const { modulePath } = await watcher.get('release');
res.sendFile(`${ modulePath }/dist/foo.js`);
});
To deploy:
npm version patch;
npm publish;
To activate:
npm dist-tag add my-live-updating-module@x.x.x release
grabthar will monitor and install anything passed in tags, but the activated version will only change when you set a new release dist tag.
Rolling back to old versions
Just change the dist-tag to whatever version you want to roll back to:
npm dist-tag add my-live-updating-module@x.x.x latest
or:
npm dist-tag add my-live-updating-module@x.x.x release
What else will watcher.get() return?
const {
// The root directory where the module is installed, e.g.
// /Users/zippy/__live_modules__/my-live-updating-module_1.3.53
moduleRoot,
// The full path to the node_modules installed, e.g.
// /Users/zippy/__live_modules__/my-live-updating-module_1.3.53/node_modules/
nodeModulesPath,
// The full path to your module, e.g.
// /Users/zippy/__live_modules__/my-live-updating-module_1.3.53/node_modules/my-live-updating-module
modulePath,
// The semver version of your module that is currently installed and activated, e.g.
// 1.3.53
version,
// A map of the dependencies of your module, e.g.
// { foo: '1.2.3', bar: '0.45.2' }
dependencies
} = await watcher.get();
How can I cancel a watcher?
watcher.cancel();
Tests
-
Run the tests:
npm test
5.0.0 (2022-03-22)
âš BREAKING CHANGES
Keywords
FAQs
Periodic npm installs in production
We found that grabthar demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Package last updated on 25 May 2021
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
ENISA Becomes a CVE Root, Expanding Its Role in Europe’s Vulnerability Ecosystem
ENISA has become a CVE Program Root, giving the EU a central authority for coordinating vulnerability reporting, disclosure, and cross-border response.
By Sarah Gooding -  Nov 21, 2025
Product
Introducing Socket Scanning for OpenVSX Extensions
Socket now scans OpenVSX extensions, giving teams early detection of risky behaviors, hidden capabilities, and supply chain threats in developer tools.
By Mix Irving, Ryan Eberhardt -  Nov 20, 2025