Research
2025 Report: Destructive Malware in Open Source Packages
Destructive malware is rising across open source registries, using delays and kill switches to wipe code, break builds, and disrupt CI/CD.
By Kush Pandya - Dec 24, 2025
hyperapp-lifecycle
Advanced tools
hyperapp-lifecycle
Small wrapper for Hyperapp and Superfine to emulate connected and disconnected lifecycle events
╭──╮ ╭───┬╮ ╭────╮
╭──╮ ├──┤ │ │ │ ─ │ ╭────╮
╭────◉ connected │ │ │ │ │ ─┤ │ │ │ ╭──╯ ╭──╮╭╮
│ │ │ │ │ │ ╭╯ │ `○─┤ │ ╰──╮ │ │││ ╭────╮
╭─┴─╮ ╭──╮╭╮ │ │ ╰──╯ ╰───╯ ╰────╯ │ │ │ ╰╯│ │ ╭──╯ ╭──╮ ╭────╮
│ ╰╮ │ │││ ╭────╮ ╰──╯ ╰────╯ ├─── │ │ ╰──╮ │ │ │ ○ │
│ │ │ ╰╯│ │ ╭╮│ ╭────╮ \||/ ╭────╮ ╭────╮ ╰────╯ │ │ │ │ │ │
│ ╭╮│ ├──○ │ │ ╰╯│ │ ─ │ ╭──┬─╮ ╭(oo)╮ │ ╭╮│ │ ╭╮│ ╰────╯ │ │ │ ───┤
╰──╯╰╯ ╰────╯ │ ╭╯ │ │ │ │ ├─── │ │ ╰╯│ │ ╰╯│ ╰──╯ ╰──┬─╯
╰───╯ │ ───┤ │ ╭╯ │╭╮ │ │ ╭╯ │ ╭╯ disconnected ◉───────╯
╰────╯ │ │ │╰╯ │ ╰───╯ ╰───╯
╰───╯ ╰──┴─╯
Small wrapper for Hyperapp and Superfine to emulate
connectedanddisconnectedlifecycle events.
Overview
Hyperapp is super tiny ui framework that is centered around app state with awesome flexibility and rich ecosystem. With super lean code however, it is inevitable that some features that we might be used to aren't available in the core library.
One such feature is the ability to grab the reference of a newly created or being removed DOM node. I found myself wanting this feature since I started using Hyperapp few weeks ago and this package is one possible answer for this requirement.
What do you get
Ability to listen to two lifecycle events, connected and disconnected similar to connectedCallback and disconnectedCallback methods in custom elements.
Usage
Full app lifecycle events coverage including app root node.
import * as hyperapp from 'https://unpkg.com/hyperapp?module'
import { timeout } from 'https://unpkg.com/@hyperapp/time?module'
import { lifecycle } from 'https://unpkg.com/hyperapp-lifecycle?module'
const { app, h } = lifecycle(hyperapp)
const Log = type => (state, evt) => console.log(`${type}:`, evt.target.tagName) || state
const RemoveWorld = state => ({ ...state, world: false })
const init = { world: true }
const view = state =>
h('section', { onconnected: Log('Connected') }, // Connected: SECTION
h('main', { onconnected: Log('Connected') }, // Connected: MAIN
h('div', { onconnected: Log('Connected') }, // Connected: DIV
h('span', { style: { color: 'green' } }, 'Hello'),
state.world && // Disconnected: SPAN
h('span', { ondisconnected: Log('Disconnected'), style: { color: 'blue' } }, ' World')
)
),
h('p', null, h('i', null, 'open browser console to see events print out'))
)
const subscriptions = state => [timeout(RemoveWorld, { delay: 1000 })]
app({ init, view, node, subscriptions })
Notice that, the custom event target is the DOM node that defined the event handler.
Lite mode
Lite mode features a supplementary function l that can be used as needed and where h remains unchanged. This gives more control on which nodes are allowed to fire lifecycle events for their children. The root node lifecycle events will be triggered as in full coverage mode.
The main point here to be aware of -as shown by the example below- is that, the use of l will ensure lifecycle events for children nodes and not for the node itself.
import * as hyperapp from 'https://unpkg.com/hyperapp?module'
import { timeout } from 'https://unpkg.com/@hyperapp/time?module'
import { lifecycle } from 'https://unpkg.com/hyperapp-lifecycle?module'
const { app, h, l } = lifecycle(hyperapp, /* lite mode */ true)
const Log = type => (state, evt) => console.log(`${type}:`, evt.target.tagName) || state
const RemoveWorld = state => ({ ...state, world: false })
const init = { world: true }
const view = state =>
h('section', { onconnected: Log('Connected') }, // Connected: SECTION
h('main', { onconnected: Log('Connected') },
l('div', { onconnected: Log('Connected') },
h('span', { style: { color: 'green' } }, 'Hello'),
state.world && // Disconnected: SPAN
h('span', { ondisconnected: Log('Disconnected'), style: { color: 'blue' } }, ' World')
)
),
h('p', null, h('i', null, 'open browser console to see events print out'))
)
const subscriptions = state => [timeout(RemoveWorld, { delay: 1000 })]
app({ init, view, node, subscriptions })
Superfine
The same works for the Superfine library, yay!
import * as superfine from 'https://unpkg.com/superfine?module'
import { timeout } from 'https://unpkg.com/@hyperapp/time?module'
import { lifecycle } from 'https://unpkg.com/hyperapp-lifecycle?module'
const { patch, h } = lifecycle(superfine)
const Log = type => evt => console.log(`${type}:`, evt.target.tagName)
const RemoveWorld = state => ({ ...state, world: false })
const init = { world: true }
const view = state =>
h('section', { onconnected: Log('Connected') }, // Connected: SECTION
h('main', { onconnected: Log('Connected') }, // Connected: MAIN
h('div', { onconnected: Log('Connected') }, // Connected: DIV
h('span', { style: 'color:green;' }, 'Hello'),
state.world && // Disconnected: SPAN
h('span', { ondisconnected: Log('Disconnected'), style: 'color:blue;' }, ' World')
)
),
h('p', null, h('i', null, 'open browser console to see events print out'))
)
const app = state => patch(node, view(state))
app(init)
setTimeout(()=> app(RemoveWorld(init)), 1000)
Credits
This package is based on the work of Sergey Shpak as can be viewed here. The code performs black magic to hijack few of the node DOM methods in order to fire custom events. In addition to adding few extra features, the original code was slightly modified to ensure connected events are fired on appendChild and insertBefore calls.
Support
Need help or have a question? post a questions at StackOverflow
Please don't use the issue trackers for support/questions.
Contributions
Happy to accept external contributions to the project in the form of feedback, bug reports and even better - pull requests
Copyright and license
MIT license Copyright (c) Web Semantics, Inc.
FAQs
Small wrapper for Hyperapp and Superfine to emulate connected and disconnected lifecycle events
We found that hyperapp-lifecycle demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 29 Oct 2019
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Engineering with AI Podcast: The Promise of AI-First Development
Socket CTO Ahmad Nassri shares practical AI coding techniques, tools, and team workflows, plus what still feels noisy and why shipping remains human-led.
By Sarah Gooding - Dec 24, 2025
Research
/Security News
Spearphishing Campaign Abuses npm Registry to Target U.S. and Allied Manufacturing and Healthcare Organizations
A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, targeting 25 organizations across manufacturing, industrial automation, plastics, and healthcare for credential theft.
By Nicholas Anderson, Kirill Boychenko - Dec 23, 2025