Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Fast 3kb React alternative with the same ES6 API. Components & Virtual DOM.
Fast 3kB alternative to React, with the same ES2015 API.
All the power of Virtual DOM components, without the overhead:
Preact supports modern browsers and IE9+:
shouldComponentUpdate
helper.Want to prototype something or speed up your development? Try one of these toolkits:
💁 Note: You don't need ES2015 to use Preact... but give it a try!
The easiest way to get started with Preact is to install Preact CLI. This simple command-line tool wraps up the best possible Webpack and Babel setup for you, and even keeps you up-to-date as the underlying tools change. Best of all, it's easy to understand! It builds your app in a single command (preact build
), doesn't need any configuration, and bakes in best-practises 🙌.
The following guide assumes you have some sort of ES2015 build set up using babel and/or webpack/browserify/gulp/grunt/etc.
You can also start with preact-boilerplate or a CodePen Template.
The preact
module provides both named and default exports, so you can either import everything under a namespace of your choosing, or just what you need as locals:
import { h, render, Component } from 'preact';
// Tell Babel to transform JSX into h() calls:
/** @jsx h */
import preact from 'preact';
// Tell Babel to transform JSX into preact.h() calls:
/** @jsx preact.h */
Named imports work well for highly structured applications, whereas the default import is quick and never needs to be updated when using different parts of the library.
Instead of declaring the
@jsx
pragma in your code, it's best to configure it globally in a.babelrc
:For Babel 5 and prior:
{ "jsxPragma": "h" }
For Babel 6:
{ "plugins": [ ["transform-react-jsx", { "pragma":"h" }] ] }
Out of the box, Preact provides an h()
function that turns your JSX into Virtual DOM elements (here's how). It also provides a render()
function that creates a DOM tree from that Virtual DOM.
To render some JSX, just import those two functions and use them like so:
import { h, render } from 'preact';
render((
<div id="foo">
<span>Hello, world!</span>
<button onClick={ e => alert("hi!") }>Click Me</button>
</div>
), document.body);
This should seem pretty straightforward if you've used hyperscript or one of its many friends. If you're not, the short of it is that the h function import gets used in the final, transpiled code as a drop in replacement for React.createElement, and so needs to be imported even if you don't explicitly use it in the code you write. Also note that if you're the kind of person who likes writing your React code in "pure JavaScript" (you know who you are) you will need to use h(...) wherever you would otherwise use React.createElement.
Rendering hyperscript with a virtual DOM is pointless, though. We want to render components and have them updated when data changes - that's where the power of virtual DOM diffing shines. :star2:
Preact exports a generic Component
class, which can be extended to build encapsulated, self-updating pieces of a User Interface. Components support all of the standard React lifecycle methods, like shouldComponentUpdate()
and componentWillReceiveProps()
. Providing specific implementations of these methods is the preferred mechanism for controlling when and how components update.
Components also have a render()
method, but unlike React this method is passed (props, state)
as arguments. This provides an ergonomic means to destructure props
and state
into local variables to be referenced from JSX.
Let's take a look at a very simple Clock
component, which shows the current time.
import { h, render, Component } from 'preact';
class Clock extends Component {
render() {
let time = new Date().toLocaleTimeString();
return <span>{ time }</span>;
}
}
// render an instance of Clock into <body>:
render(<Clock />, document.body);
That's great. Running this produces the following HTML DOM structure:
<span>10:28:57 PM</span>
In order to have the clock's time update every second, we need to know when <Clock>
gets mounted to the DOM. If you've used HTML5 Custom Elements, this is similar to the attachedCallback
and detachedCallback
lifecycle methods. Preact invokes the following lifecycle methods if they are defined for a Component:
Lifecycle method | When it gets called |
---|---|
componentWillMount | before the component gets mounted to the DOM |
componentDidMount | after the component gets mounted to the DOM |
componentWillUnmount | prior to removal from the DOM |
componentWillReceiveProps | before new props get accepted |
shouldComponentUpdate | before render() . Return false to skip render |
componentWillUpdate | before render() |
componentDidUpdate | after render() |
So, we want to have a 1-second timer start once the Component gets added to the DOM, and stop if it is removed. We'll create the timer and store a reference to it in componentDidMount
, and stop the timer in componentWillUnmount
. On each timer tick, we'll update the component's state
object with a new time value. Doing this will automatically re-render the component.
import { h, render, Component } from 'preact';
class Clock extends Component {
constructor() {
super();
// set initial time:
this.state = {
time: Date.now()
};
}
componentDidMount() {
// update time every second
this.timer = setInterval(() => {
this.setState({ time: Date.now() });
}, 1000);
}
componentWillUnmount() {
// stop when not renderable
clearInterval(this.timer);
}
render(props, state) {
let time = new Date(state.time).toLocaleTimeString();
return <span>{ time }</span>;
}
}
// render an instance of Clock into <body>:
render(<Clock />, document.body);
Now we have a ticking clock!
The concept (and nomenclature) for props
and state
is the same as in React. props
are passed to a component by defining attributes in JSX, state
is internal state. Changing either triggers a re-render, though by default Preact re-renders Components asynchronously for state
changes and synchronously for props
changes. You can tell Preact to render prop
changes asynchronously by setting options.syncComponentUpdates
to false
.
One area Preact takes a little further than React is in optimizing state changes. A common pattern in ES2015 React code is to use Arrow functions within a render()
method in order to update state in response to events. Creating functions enclosed in a scope on every render is inefficient and forces the garbage collector to do more work than is necessary.
One solution to this is to bind component methods declaratively. Here is an example using decko:
class Foo extends Component {
@bind
updateText(e) {
this.setState({ text: e.target.value });
}
render({ }, { text }) {
return <input value={text} onInput={this.updateText} />;
}
}
While this achieves much better runtime performance, it's still a lot of unnecessary code to wire up state to UI.
Fortunately there is a solution, in the form of a module called linkstate. Calling linkState(component, 'text')
returns a function that accepts an Event and uses it's associated value to update the given property in your component's state. Calls to linkState()
with the same arguments are cached, so there is no performance penalty. Here is the previous example rewritten using Linked State:
import linkState from 'linkstate';
class Foo extends Component {
render({ }, { text }) {
return <input value={text} onInput={linkState(this, 'text')} />;
}
}
Simple and effective. It handles linking state from any input type, or an optional second parameter can be used to explicitly provide a keypath to the new state value.
Note: In Preact 7 and prior,
linkState()
was built right into Component. In 8.0, it was moved to a separate module. You can restore the 7.x behavior by using linkstate as a polyfill - see the linkstate docs.
Here is a somewhat verbose Preact <Link>
component:
class Link extends Component {
render(props, state) {
return <a href={props.href}>{props.children}</a>;
}
}
Since this is ES6/ES2015, we can further simplify:
class Link extends Component {
render({ href, children }) {
return <a {...{ href, children }} />;
}
}
// or, for wide-open props support:
class Link extends Component {
render(props) {
return <a {...props} />;
}
}
// or, as a stateless functional component:
const Link = ({ children, ...props }) => (
<a {...props}>{ children }</a>
);
It is likely that some projects based on Preact would wish to extend Component with great new functionality.
Perhaps automatic connection to stores for a Flux-like architecture, or mixed-in context bindings to make it feel more like React.createClass()
. Just use ES2015 inheritance:
class BoundComponent extends Component {
constructor(props) {
super(props);
this.bind();
}
bind() {
this.binds = {};
for (let i in this) {
this.binds[i] = this[i].bind(this);
}
}
}
// example usage
class Link extends BoundComponent {
click() {
open(this.href);
}
render() {
let { click } = this.binds;
return <span onclick={ click }>{ children }</span>;
}
}
The possibilities are pretty endless here. You could even add support for rudimentary mixins:
class MixedComponent extends Component {
constructor() {
super();
(this.mixins || []).forEach( m => Object.assign(this, m) );
}
}
You can inspect and modify the state of your Preact UI components at runtime using the React Developer Tools browser extension.
import { h, Component, render } from 'preact';
// Enable devtools. You can reduce the size of your app by only including this
// module in development builds. eg. In Webpack, wrap this with an `if (module.hot) {...}`
// check.
require('preact/devtools');
Support us with a monthly donation and help us continue our activities. [Become a backer]
Become a sponsor and get your logo on our README on Github with a link to your site. [Become a sponsor]
MIT
FAQs
Fast 3kb React alternative with the same ES6 API. Components & Virtual DOM.
We found that kb-preact demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.