Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Lasso.js is a build tool and runtime library for building and bundling all of the resources needed by a web application
Lasso.js is an eBay open source Node.js-style JavaScript module bundler that also provides first-level support for optimally delivering JavaScript, CSS, images and other assets to the browser.
This tool offers many different optimizations such as a bundling, code splitting, lazy loading, conditional dependencies, compression and fingerprinted resource URLs. Plugins are provided to support pre-processors and compilers such as Less, Stylus and Marko. This developer-friendly tool does not require that you change the way that you already code and can easily be adopted by existing applications.
Install the command line interface for Lasso.js:
npm install lasso-cli --global
Install a helper module from npm:
npm install change-case
Create the main Node.js JavaScript module file:
main.js:
var changeCase = require('change-case');
console.log(changeCase.titleCase('hello world')); // Output: 'Hello World'
Create a StyleSheet for the page:
style.css
body {
background-color: #5B83AD;
}
Create an HTML page to host the application:
my-page.html:
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Lasso.js Demo</title>
</head>
<body>
<h1>Lasso.js Demo</h1>
</body>
</html>
Run the following command:
lasso style.css \
--main main.js \
--inject-into my-page.html
Output:
Output for page "my-page":
Resource bundle files:
static/my-page-9ac9985e.js
static/my-page-1ae3e9bf.css
HTML slots file:
build/my-page.html.json
Updated HTML file:
my-page.html
Open up my-page.html
in your web browser and in the JavaScript console you will see the output of our program running in the browser, as well as a page styled by style.css
.
As you can see, with Lasso.js you no longer have to struggle with managing complex build scripts. Simply let Lasso.js worry about generating all of the required resource bundles and injecting them into your page so that you can just focus on writing clean and modular code.
There's also a JavaScript API, taglib and a collection of plugins to make your job as a front-end web developer easier. Please read on to learn how you can easily utilize Lasso.js in your application.
browser.json
filesmodule.exports
, exports
, require
, require.resolve
, __dirname
, __filename
, process
, etc.browser
fieldBrowserify is an excellent JavaScript module bundler. We are huge supporters of writing Node.js-style modules (i.e. CommonJS), and we also believe npm is an excellent package manager. If you are not using a JavaScript module bundler then you are absolutely missing out. Modularity is equally important for client-side code as it is for server-side code, and a JavaScript module bundler should be part of every front-end developer's toolbox.
So why did we create Lasso.js if Browserify is such a great tool? We created Lasso.js because we wanted a top-notch JavaScript module bundler that also provides first-level support for transporting CSS, "plain" JavaScript, images, fonts and other front-end assets to the browser in the most optimal way. In addition, we want to enable developers to easily create web applications that follow widely accepted rules for creating faster-loading websites (such as putting StyleSheets at the top, and JavaScript at the bottom). We also want to allow for developers to easily load additional JavaScript and StyleSheets after the initial page load.
While high performance is very important for production systems, we want to also provide a more developer-friendly experience by offering fast, incremental builds, simplifying development and by producing debuggable output code. And, of course, we do not want developers to have to learn how to code their applications in a new way so Lasso.js was built to not change how you already code. You'll even find support for Browserify shims and transforms. Therefore, if you try out Lasso.js and it is not the tool for you, then feel free to switch back to something else (it'll of course be ready if your application's requirements change in the future). eBay and other large companies rely on Lasso.js for delivering high performance websites and are committed to its success. If you try it out and find gaps, please let us know!
The following command should be used to install the lasso
module into your project:
npm install lasso --save
If you would like to use the available command line interface, then you should install the lasso-cli module globally using the following command:
npm install lasso-cli --global
Sample App: To try out and experiment with the code, please see the following project:
lasso-js-samples/lasso-cli
Install the command line interface for Lasso.js:
npm install lasso-cli --global
In an empty directory, initialize a new Node.js project using the following command:
mkdir my-app
cd my-app
npm init
Install required modules into the new project:
npm install jquery
npm install lasso-less
Create the following files:
add.js:
module.exports = function(a, b) {
return a + b;
};
main.js:
var add = require('./add');
var jquery = require('jquery');
jquery(function() {
$(document.body).append('2+2=' + add(2, 2));
});
style.less:
@headerColor: #5B83AD;
h1 {
color: @headerColor;
}
my-page.html:
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Lasso.js Demo</title>
</head>
<body>
<h1>Lasso.js Demo</h1>
</body>
</html>
Finally, run the following command to generate the resource bundles for the page and to also inject the required <script>
and <link>
tags into the HTML page:
lasso style.less \
--main main.js \
--inject-into my-page.html \
--plugins lasso-less \
--development
If everything worked correctly then you should see output similar to the following:
Output for page "my-page":
Resource bundle files:
static/add.js
static/raptor-modules-meta.js
static/main.js
static/node_modules/jquery/dist/jquery.js
static/raptor-modules-1.0.1/client/lib/raptor-modules-client.js
static/style.less.css
HTML slots file:
build/my-page.html.json
Updated HTML file:
my-page.html
The updated my-page.html
file should be similar to the following:
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Lasso.js Demo</title>
<!-- <lasso-head> -->
<link rel="stylesheet" href="static/style.less.css">
<!-- </lasso-head> -->
</head>
<body>
<h1>Lasso.js Demo</h1>
<!-- <lasso-body> -->
<script src="static/raptor-modules-1.0.1/client/lib/raptor-modules-client.js"></script>
<script src="static/add.js"></script>
<script src="static/raptor-modules-meta.js"></script>
<script src="static/node_modules/jquery/dist/jquery.js"></script>
<script src="static/main.js"></script>
<script>$_mod.ready();</script>
<!-- </lasso-body> -->
</body>
</html>
If you open up my-page.html
in your web browser you should see a page styled with Less and the output of running main.js
.
Now try again with production
mode:
lasso style.less \
--main main.js \
--inject-into my-page.html \
--plugins lasso-less \
--production
Output for page "my-page":
Resource bundle files:
static/my-page-2e3e9936.js
static/my-page-169ab5d9.css
HTML slots file:
build/my-page.html.json
Updated HTML file:
my-page.html
The updated my-page.html
file should be similar to the following:
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Lasso.js Demo</title>
<!-- <lasso-head> -->
<link rel="stylesheet" href="static/my-page-169ab5d9.css">
<!-- </lasso-head> -->
</head>
<body>
<h1>Lasso.js Demo</h1>
<!-- <lasso-body> -->
<script src="static/my-page-2e3e9936.js"></script>
<script>$_mod.ready();</script>
<!-- </lasso-body> -->
</body>
</html>
With the --production
option enabled, all of the resources are concatenated together, minified and fingerprinted – perfect for high performance web applications running in production.
For more documentation on the Command Line Interface please see the lasso-cli docs.
Sample App To try out and experiment with the code, please see the following project:
lasso-js-samples/lasso-config
The number of command line arguments can get unwieldy so it is better to split out configuration into a separate JSON file. Let's now create a configuration file and configure a few bundles to make things more interesting:
lasso-config.json:
{
"plugins": [
"lasso-less"
],
"outputDir": "static",
"fingerprintsEnabled": true,
"minify": true,
"resolveCssUrls": true,
"bundlingEnabled": true,
"bundles": [
{
"name": "jquery",
"dependencies": [
"require: jquery"
]
},
{
"name": "math",
"dependencies": [
"require: ./add"
]
}
]
}
In addition, let's put our page dependencies in their own JSON file:
my-page.browser.json:
{
"dependencies": [
"./style.less",
"require-run: ./main"
]
}
Now run the page lasso using the newly created JSON config file and JSON dependencies file:
lasso ./my-page.browser.json \
--inject-into my-page.html \
--config lasso-config.json
Because of the newly configured bundles, we'll see additional JavaScript bundles written to disk as shown below:
Output for page "my-page":
Resource bundle files:
static/math-169c956d.js
static/jquery-24db89d9.js
static/my-page-beed0921.js
static/my-page-169ab5d9.css
HTML slots file:
build/my-page.html.json
Updated HTML file:
my-page.html
Lasso.js walks a dependency graph to find all of the resources that need to be bundled. A dependency can either be a JavaScript or CSS resource (or a file that compiles to either JavaScript or CSS) or a dependency can be a reference to a set of transitive dependencies. Some dependencies are inferred from scanning source code and other dependencies can be made explicit by listing them out in the code of JavaScript modules or in separate browser.json
files.
It's also possible to register your own custom dependency types. With custom dependency types, you can control how resources are compiled or a custom dependency type can be used to resolve additional dependencies during optimization.
Browser dependencies can be described as shown in the following sample browser.json
file:
{
"dependencies": [
"./style.less",
"../third-party/jquery.js",
"**/*.css",
{
"type": "js",
"url": "https://code.jquery.com/jquery-2.1.4.min.js"
},
{
"type": "css",
"url": "https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css"
}
]
}
Alternatively, dependencies can be "required" inside a JavaScript module as shown in the following sample JavaScript code:
require('./style.less');
// ...
The only caveat to using a require()
call to add a non-JavaScript module dependency is that by default Node.js will try to load the required file as a JavaScript module if the code runs on the server. To prevent Node.js from trying to load a Less file or other non-JavaScript files as JavaScript modules you can add the following code to your main script:
require('lasso/node-require-no-op').enable('.less', '.css');
For simple paths, the dependency type is inferred from the filename extension. Alternatively, the dependency type can be made explicit using either one of the following formats:
[
"./style.less",
"less: ./style.less",
{ "type": "less", "path": "./style.less" }
]
NOTE: all of the above are equivalent
You can also create a dependency that references dependencies in a separate browser.json
file. Dependencies that have the browser.json
extension are automatically resolved using the require resolver if they are not relative paths. For example:
[
// Relative path:
"./some-module/browser.json",
// Look for "my-module/browser.json" in "node_modules":
"my-module/browser.json"
]
If the path does not have a file extension then it is assumed to be a path to an browser.json
file so the following short-hand works as well:
[
"./some-module"
"my-module"
]
If you use the short-hand notation for browser.json
dependencies, the paths will still be resolved using the require resolver as long as they are not relative paths.
Lasso.js does allow referencing external JS/CSS files in your browser.json
files as shown below:
{
"dependencies": [
{
"type": "js",
"url": "https://code.jquery.com/jquery-2.1.4.min.js"
},
{
"type": "css",
"url": "https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css"
}
]
}
By default, Lasso.js will not bundle external resources with your application's JavaScript and CSS bundles. If you would prefer for an external resource to be downloaded from the remote server and bundled with your other application code during the lassoing then you can set the external
property to false
as shown below (external
defaults to true
):
{
"dependencies": [
{
"type": "js",
"url": "https://code.jquery.com/jquery-2.1.4.min.js",
"external": false
}
]
}
Setting external
to false
in the above example will result in jQuery being downloaded from the CDN and bundled with all of the other JS code for the app. That is, the code for jQuery will not be served up by the jQuery CDN.
Adding an attributes
object to a dependency definition will result in those attributes being defined on the html tag for that dependency. For bundled dependencies, these attributes will be merged with latter dependencies taking priority.
The following is an example using the integrity
and crossorigin
attributes for Subresource Integrity (SRI) checking. This allows browsers to ensure that resources hosted on third-party servers have not been tampered with. Use of SRI is recommended as a best-practice, whenever libraries are loaded from a third-party source.
{
"dependencies": [{
"type": "js",
"url": "https://code.jquery.com/jquery-3.1.1.min.js",
"attributes":{
"integrity":"sha256-hVVnYaiADRTO2PzUGmuLJr8BLUSjGIZsDYGmIJLv2b8=",
"crossorigin":"anonymous"
}
}]
}
Generated Output:
<script
src="https://code.jquery.com/jquery-3.1.1.min.js"
integrity="sha256-hVVnYaiADRTO2PzUGmuLJr8BLUSjGIZsDYGmIJLv2b8="
crossorigin="anonymous"></script>
Lasso.js supports conditional dependencies. Conditional dependencies is a powerful feature that allows for a page to be built differently based on certain flags (e.g. "mobile device" versus "desktop"). For caching reasons, the flags for conditional dependencies should be based on a set of enabled flag. A flag is just an arbitrary name that can be enabled/disabled before optimizing a page. For example, to make a dependency conditional such that is only included for mobile devices you can do the following:
{
"dependencies": [
{ "path": "./hello-mobile.js", "if-flag": "mobile" }
]
}
Alternatively, you can also include the desktop version of a file if the "mobile" extension is not enabled using if-not-flag
.
{
"dependencies": [
{ "path": "./hello-desktop.js", "if-not-flag": "mobile" }
]
}
If needed, a JavaScript expression can be used to describe a more complex condition as shown in the following sample code:
{
"dependencies": [
{
"path": "./hello-mobile.js",
"if": "flags.contains('phone') || flags.contains('tablet')"
}
]
}
Finally, if you prefer, you can group your conditional dependencies if needed:
{
"dependencies": [
{
"if-flag": "mobile",
"dependencies": [
"./style-mobile.css",
"./client-mobile.js"
]
}
]
}
The code below shows how to enable flags when optimizing a page:
Using the JavaScript API:
myLasso.lassoPage({
dependencies: [
{ path: './hello-mobile.js', 'if-flag': 'mobile' }
],
flags: ['mobile', 'foo', 'bar']
})
Using the Marko taglib:
<lasso-page ... flags=['mobile', 'foo', 'bar']>
...
</lasso-page>
Sample AppTo try out and experiment with the code, please see the following project:
lasso-js-samples/lasso-async
Lasso.js supports asynchronously loading dependencies using the lightweight lasso-loader module as shown in the following sample code:
var lassoLoader = require('lasso-loader');
lassoLoader.async(function(err) {
// Any modules that are required within the scope
// of this function will be loaded asynchronously*.
// Lasso.js ensures that modules are only
// loaded once from the server.
//
// *Modules that were included as part of the initial
// page load will automatically be de-duped.
if (err) {
// Handle the case where one or more of the
// dependencies failed to load.
}
var add = require('./add');
var jquery = require('jquery');
jquery(function() {
$(document.body).append('2+2=' + add(2, 2));
});
});
During optimization, Lasso.js detects the call to require('lasso-loader').async(...)
and transforms the code such that the function is not invoked until all of the required modules referenced in the body of callback function are completely loaded.
You can also specify additional explicit dependencies if necessary:
require('lasso-loader').async(
[
'./style.less',
'some/other/browser.json'
],
function() {
// All of the requires nested in this function block will be lazily loaded.
// When all of the required resources are loaded then the function will be invoked.
var foo = require('foo');
var bar = require('bar');
});
You can also choose to declare async dependencies in an browser.json
file:
{
"dependencies": [
...
],
"async": {
"my-module/lazy": [
"require: foo",
"require: bar",
"./style.less",
"some/other/browser.json"
]
}
}
The async dependencies can then be referenced in code:
require('lasso-loader').async(
'my-module/lazy',
function() {
var foo = require('foo');
var bar = require('bar');
});
Sample App To try out and experiment with the code, please see the following project:
lasso-js-samples/lasso-js-api
For added flexibility there is a JavaScript API that can be used to lasso pages as shown in the following sample code:
var lasso = require('lasso');
lasso.configure('lasso-config.json');
lasso.lassoPage({
name: 'my-page',
dependencies: [
"./style.less",
"require-run: ./main"
]
},
function(err, lassoPageResult) {
if (err) {
// Handle the error
}
var headHtml = lassoPageResult.getHeadHtml();
// headHtml will contain something similar to the following:
// <link rel="stylesheet" href="static/my-page-169ab5d9.css">
var bodyHtml = lassoPageResult.getBodyHtml();
// bodyHtml will contain something similar to the following:
// <script src="static/my-page-2e3e9936.js"></script>
});
The lassoPage(options)
method supports the following options:
data
(Object
) - Arbitrary data that can be made available to plugins via lassoContext.data
.cacheKey
(String
) - A unique String to use for cache reads and writes. Defaults to name
.dependencies
(Array
) - An array of top-level page dependencies (e.g. ['foo.js', 'foo.css', 'require: jquery']
).flags
(Array
) - The set of enabled flags (e.g. ['mobile', 'touch']
).from
(String
) - The base path for resolving relative paths for top-level dependencies.name
(String
) - The page name. Used for determining the names of the output JS/CSS bundles.packagePath
(String
) - The path to an browser.json
file that describes the top-level dependencies.var lasso = require('lasso');
lasso.configure(config);
If the value of the config
argument is a String
then it is treated as a path to a JSON configuration file.
The following code illustrates how to lasso a simple set of JavaScript and CSS dependencies using the default configured lasso:
var lasso = require('lasso');
lasso.lassoPage({
name: 'my-page',
dependencies: [
'./foo.js',
'./bar.js',
'./baz.js',
'./qux.css'
]
},
function(err, lassoPageResult) {
if (err) {
console.log('Failed to lasso page: ', err);
return;
}
var headHtml = lassoPageResult.getHeadHtml();
/*
String with a value similar to the following:
<link rel="stylesheet" href="/static/my-page-85e3288e.css">
*/
var bodyHtml = lassoPageResult.getBodyHtml();
/*
String with a value similar to the following:
<script src="/static/bundle1-6df28666.js"></script>
<script src="/static/bundle2-132d1091.js"></script>
<script src="/static/my-page-1de22b65.js"></script>
*/
// Inject the generated HTML into the <head> and <body> sections of a page...
});
var myLasso = lasso.create(config);
myLasso.lassoPage(...);
Sample App To try out and experiment with the code, please see the following project:
lasso-js-samples/lasso-taglib
For the ultimate in usability, a taglib is provided for Marko (and Dust) to automatically lasso a page and inject the required HTML markup to include the JavaScript and CSS bundles.
If you are using Marko you can utilize the available taglib for Lasso.js to easily lasso page dependencies and embed them into your page.
npm install lasso --save
npm install marko --save
You can now add the lasso tags to your page templates. For example:
<lasso-page package-path="./browser.json"/>
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Test Page</title>
<lasso-head/>
</head>
<body>
<h1>Test Page</h1>
<lasso-body/>
</body>
</html>
You will then need to create an browser.json
in the same directory as your page template. For example:
browser.json:
{
"dependencies": [
"./jquery.js",
"./foo.js",
"./bar.js",
"./style.less"
]
}
Using Marko and Lasso.js taglib, you can simply render the page using code similar to the following:
var template = require('marko').load('my-page.marko');
template.render({}, function(err, html) {
// html will include all of the required <link> and <script> tags
});
The output of the page rendering will be similar to the following:
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Test Page</title>
<link rel="stylesheet" href="/static/my-page-85e3288e.css">
</head>
<body>
<h1>Test Page</h1>
<script src="/static/bundle1-6df28666.js"></script>
<script src="/static/bundle2-132d1091.js"></script>
<script src="/static/my-page-1de22b65.js"></script>
</body>
</html>
The lasso result is cached so you can skip the build step!
You can also configure the default page lasso used by the lasso tags:
require('lasso').configure({...});
For more details, please see following documentation: Lasso.js Taglib for Marko
<lasso-img>
The <lasso-img>
tag can be used to render <img>
tags while also having the image referenced by the src
attribute automatically go through the Lasso.js asset pipeline. In addition, if the width
and height
attributes are not specified then those attributes will automatically be added. This tag can be rendered on both the server and in the browser.
Example:
<lasso-img src="./foo.jpg"/>
This might produce the following HTML output depending on how Lasso.js is configured:
<img src="/static/foo-25b047cc.jpg" width="100" height="100">
Sample App To try out and experiment with the code, please see the following project:
lasso-js-samples/lasso-templates
To demonstrate rendering of the same template on the server and the client we will start with the following Marko template:
template.marko
-- Hello ${data.name}!
NOTE: The sample app includes sample code that illustrates how to also render both a Dust template and a Handlebars template on both the client and server.
We will then create a main.js
file to render the template to the console:
main.js:
var template = require('marko')
.load(require.resolve('./template.marko'));
template.render(
{
name: 'Frank'
},
function(err, html) {
console.log('Template output: ' + html);
});
NOTE: The reason we use require.resolve('./template.marko')
instead of require('template.marko')
is that Node.js does not understand how to load .marko
modules and the use of the require.extensions
has been deprecated. require.resolve()
is used to get the resolved path for the template and the marko module uses that path to load template into memory.
Running node main.js
on the server will produce the following output in the console:
Template output: Hello Frank!
In order to automatically detect and compile required *.marko
templates we
will need to install the lasso-marko
plugin and @lasso/marko-taglib
taglib using the following commands:
npm install lasso-marko
npm install @lasso/marko-taglib
We can then lasso the page using the following command:
lasso style.less \
--main main.js \
--inject-into my-page.html \
--plugins lasso-marko
After opening my-page.html
in your web browser you should then see the same output written to the browser's JavaScript console.
Lasso includes optional middleware for both Express and Koa that can be used to serve up the static files that it generates.
serveStatic(options)
The serveStatic
middleware provided by Lasso is a small wrapper around the send package.
Supported options:
require('lasso').getDefaultLasso()
)send
module. See send » optionsserveStatic
with Expressapp.use(require('lasso/middleware').serveStatic(options));
serveStatic
with Koaapp.use(require('lasso/middleware/koa').serveStatic(options));
Sample App To try out and experiment with the code, please see the following project:
lasso-js-samples/lasso-express
Lasso.js has a smart caching layer and is fast enough so that it can be used at runtime as part of your server application. The easiest way to use Lasso.js at runtime is to use the Marko taglib and simply render the page template to the response output stream.
The first time the page renders, the page will be lassoed and cached and the output of the lasso will be used to produce the final page HTML. After the first page rendering, the only work that will be done by Lasso.js is a simple cache lookup.
By default, Lasso.js writes all resource bundles into the static/
directory at the root of your application. In addition, by default, all resource URLs will be prefixed with /static
. If resources are to be served up by the local Express server we will need to register the appropriate middleware as shown in the following sample code:
server.js
require('marko/node-require');
require('marko/express');
var express = require('express');
var compression = require('compression');
var serveStatic = require('serve-static');
// Load the page template:
var template = require('./template.marko');
// Configure the default lasso
require('lasso').configure({
});
var app = express();
// Enable gzip compression for all HTTP responses:
app.use(compression());
// Any URL that begins with "/static" will be served up
// out of the "static/" directory:
app.use(require('lasso/middleware').serveStatic());
app.get('/', function(req, res) {
// Render the page template as normal:
res.marko(template, {
name: 'Frank'
});
});
...
app.listen(8080);
By default, all dependencies required for a page will be bundled into a single JavaScript bundle and a single CSS bundle. However, Lasso.js allows application-level bundles to be configured to allow for consistent bundles across pages and for multiple bundles to be included on a single page. Because Lasso.js also generates the HTML markup to include page bundles, the page itself does not need to be changed if the bundle configuration is changed.
If a page has a dependency that is part of an application-level bundle then the dependency will be included as part of the application-level bundle instead of being aggregated with the page-level bundle.
Bundles can be configured using the "bundles"
configuration property that accepts an array of bundle configurations. Each bundle should consist of a name and a set of dependencies to assign to that bundle.
Bundling Example:
Given the following configured bundles:
{
...
"bundles": [
{
"name": "bundle1",
"dependencies": [
"./foo.js",
"./baz.js"
]
},
{
"name": "bundle2",
"dependencies": [
"./bar.js"
]
}
]
}
Optimizing a page that does not include any dependencies in application-level bundles:
lasso app.js style.css --name my-page -c lasso-config.json
Output:
Output for page "my-page":
Resource bundle files:
static/my-page.js
static/my-page.css
HTML slots file:
build/my-page.html.json
Optimizing a page that includes "foo.js" that is part of "bundle1":
lasso app.js foo.js style.css --name my-page -c lasso-config.json
Output:
Output for page "my-page":
Resource bundle files:
static/my-page.js
static/bundle1.js
static/my-page.css
HTML slots file:
build/my-page.html.json
For more information on working with bundles. Please see the bundling docs.
Sample App To try out and experiment with the code, please see the following project:
lasso-js-samples/lasso-code-splitting
Lasso.js supports splitting out code that multiple pages/entry points have in common into separate bundles. This is accomplished by assigning an intersection
dependency to a bundle. The intersection
dependency is a package dependency that produces a set of dependencies that is the intersection of one or more packages. Code splitting ensures that the same code is not downloaded twice by the user when navigating a web application.
The following bundle configuration illustrates how to split out common code into a separate bundle:
{
"bundles": [
{
"name": "common",
"dependencies": [
{
"intersection": [
"./src/pages/home/browser.json",
"./src/pages/profile/browser.json"
]
}
]
}
]
}
A less strict intersection condition is also supported via a threshold
property.
For example, to find those dependencies that are among at least two of the widgets:
{
"bundles": [
{
"name": "common",
"dependencies": [
{
"threshold": 2,
"intersection": [
"require: ./a/widget",
"require: ./b/widget",
"require: ./c/widget"
]
}
]
}
]
}
This could also be expressed as a percentage:
{
"bundles": [
{
"name": "common",
"dependencies": [
{
"threshold": "66%",
"intersection": [
"require: ./a/widget",
"require: ./b/widget",
"require: ./c/widget"
]
}
]
}
]
}
{
// Write all bundles into the "static" directory
"outputDir": "static",
// URL prefix for all bundles
"urlPrefix": "/static",
// Include fingerprint in output files
"fingerprintsEnabled": true
}
{
// Configure Lasso.js plugins
"plugins": [
// Plugin with a default config:
"lasso-less",
// Plugin with custom configuration:
{
"plugin": "lasso-my-plugin",
"config": { ... }
},
...
],
// The base output directory for generated bundles
"outputDir": "static",
// Optional URL prefix to prepend to relative bundle paths
"urlPrefix": "http://mycdn/static",
// If fingerprints are enabled then a shasum will be included in the URL.
// This feature is used for cache busting.
"fingerprintsEnabled": true,
// If fingerprints are not enabled then the same output file would be
// used for bundles that go into the head and bundles that go in the
// body. Enabling this option will ensure that bundles have unique names
// even if fingerprints are disabled.
"includeSlotNames": false
// If "minify" is set to true then output CSS and JavaScript will run
// through a minification transform. (defaults to false)
"minify": false,
"minifyJS": false, // Minify JavaScript
"minifyCSS": false, // Minify CSS
"minifyInlineOnly": false, // Only minify inline resources
"minifyInlineJSOnly": false, // Only minify inline JavaScript resources
"minifyInlineCSSOnly": false, // Only minify inline CSS resources
// If "resolveCssUrls" is set to true then URLs found in CSS files will be
// resolved and the original URLs will be replaced with the resolved URLs.
// (defaults to true)
"resolveCssUrls": true,
// If "relativeUrlsEnabled" is set to false then URLs found in CSS files will
// be absolute based on the urlPrefix. This default is false, which creates
// relative URLs in CSS files.
"relativeUrlsEnabled": true,
// If "bundlingEnabled" is set to true then dependencies will be concatenated
// together into one or more bundles. If set to false then each dependency
// will be written to a separate file. (defaults to true)
"bundlingEnabled": true,
// If you want consistent bundles across pages then those shared bundles
// can be specified below. If a page dependency is part of a shared
// bundle then the shared bundle will be added to the page (instead of
// adding the dependency to the page bundle).
"bundles": [
{
// Name of the bundle (used for determining the output filename)
"name": "bundle1",
// Set of dependencies to add to the bundle
"dependencies": [
"./foo.js",
"./baz.js"
]
},
{
"name": "bundle2",
"dependencies": [
"./style/*.css",
"require: **/*.js"
]
}
],
// The default name of the modules runtime variable is
// ""$_mod" but you can change that with the noConflict option.
// This is necessary if you have a webpage that loads
// multiple JavaScript bundles that were
// built at different times with Lasso.
// The string you provide will be used to create
// a unique name for the modules runtime variable name by
// removing or replacing illegal characters.
"noConflict": "myapp"
}
Lasso.js provides full support for transporting Node.js modules to the browser. If you write your modules in the standard Node.js way (i.e. using require
, module.exports
and exports
) then the module will be able to be loaded on both the server and in the browser.
This functionality is offered by the core lasso-require plugin which introduces a new require
dependency type. For example:
[
"require: ./path-to-some-module"
]
If you want to include a module and have it run when loaded (i.e. self-executing) then you should use the require-run
dependency type:
[
"require-run: ./main"
]
Examples of conditional requires:
[
{
"require-run": "./foo",
"if-flag": "bar"
},
{
"require": "./foo",
"if-flag": "bar"
}
]
It's also possible to remap a require based on a flag:
{
"dependencies": [
...
],
"requireRemap": [
{
"from": "./foo.js",
"to": "./foo-mobile.js",
"if-flag": "mobile"
}
]
}
The lasso-require plugin will automatically scan the source to find all require(path)
calls to determine which additional modules need to be included in the output bundles (done recursively). For a require
to automatically be detected it must be in the form require("<module-name>")
or require.resolve("<module-name>")
.
The lasso-require plugin will automatically wrap all Node.js modules so that the psuedo globals (i.e. require
, module
, exports
, __filename
and __dirname
) are made available to the module source code.
The lasso-require
plugin also supports browserify shims and browserify transforms.
For more details on how the Node.js modules are supported on the browser, please see the documentation for the lasso-js-samples/lasso-require plugin.
The lasso-babel-transform module provides support for transpiling JavaScript/JSX code using babel. Please see the lasso-babel-transform docs for information on how to use that transform.
If you're using CommonJS modules in your project then this will cause the
CommonJS runtime to be included in your build. The CommonJS runtime utilizes
a global variable ($_mod
by default). If your build output files need to
co-exist with other JavaScript files that were built by Lasso separately
then you need to make sure that your build produces a CommonJS runtime
that is isolated from other builds. That is, you should not use the default
$_mod
global.
To enable no-conflict build, you need to configure Lasso to use a unique
CommonJS runtime global name. This can be done by setting the noConflict
configuration property to string that is unique to your application or project.
If you're using the JavaScript API then this is possible via:
// To configure the default Lasso for no-conflict builds:
require('lasso').configure({
...
noConflict: 'myapp'
});
// To create a new Lasso for no-conflict builds
require('lasso').create({
...
noConflict: 'myapp'
});
See Configuration for full list of configuration options.
It is also possible to add custom attributes to script and style tags for both inline and external resources. It is done using the attributes inline-script-attrs
, inline-style-attrs
, external-style-attrs
and external-script-attrs
as shown below.
page.marko
<lasso-page name="page" package-path="./browser.json"/>
<html>
<head>
<lasso-head external-style-attrs={'css-custom1': true}/>
<lasso-slot name="ext-css-slot" external-style-attrs={'css-custom2': true}/>
<lasso-slot name="css-slot" inline-style-attrs={'css-custom3': true}/>
</head>
<body>
<lasso-body external-script-attrs={'js-custom1': true}/>
<lasso-slot name="ext-js-slot" external-script-attrs={'js-custom2': true}/>
<lasso-slot name="js-slot" inline-script-attrs={'js-custom3': true}/>
</body>
</html>
browser.json
{
"dependencies": [
{ "path": "style-ext.css", "slot": "ext-css-slot" },
{ "path": "test-ext.js", "slot": "ext-js-slot" },
"style.css",
"test.js",
{ "path": "style-inline.css", "inline": true, "slot": "css-slot" },
{ "path": "test-inline.js", "inline": true, "slot": "js-slot" }
]
}
Output HTML
<html>
<head>
<link rel="stylesheet" href="/static/page-1ae3e9bf.css" css-custom1>
<link rel="stylesheet" href="/static/page-244694d6.css" css-custom2>
<style css-custom3>
body .inline {
background-color: red;
}
</style>
</head>
<body>
<script src="/static/page-ce0ad224.js" js-custom1></script>
<script src="/static/page-c3a331b0.js" js-custom2></script>
<script js-custom3>
console.log('hello-inline');
</script>
</body>
</html>
If you add async
or defer
to a slot for external script attrs and Lasso encounters an inline script in that slot, it will wrap the code in a listener for DOMContentLoaded
(for defer) or load
(for async) to ensure that the script does not execute until the rest of the deferred scripts in that slot are loaded.
page.marko
<lasso-page name="page" package-path="./browser.json"/>
<html>
<body>
<lasso-body external-script-attrs={defer: true}/>
</body>
</html>
browser.json
{
"dependencies": [
"test.js",
{ "path": "test-inline.js", "inline": true }
]
}
Output HTML
<html>
<body>
<script src="/static/page-ce0ad224.js" defer></script>
<script>
(function() { var run = function() { console.log('hello-inline'); }; if (document.readyState === "loading") { document.addEventListener("DOMContentLoaded", run); } else { run(); } })();
</script>
</body>
</html>
Newer browsers support a web standard called Content Security Policy that
prevents, among other things, cross-site scripting attacks by whitelisting
inline <script>
and <style>
tags (see
HTML5 Rocks: An Introduction to Content Security Policy).
The Lasso.js taglib for Marko is used to inject the <script>
and <style>
tags into the HTML output and Lasso.js provides support for injecting a nonce
attribute. When Lasso.js is configured you just need to register a
cspNonceProvider
as shown below:
require('lasso').configure({
cspNonceProvider: function(out) {
// Logic for determining the nonce will vary, but the following is one option:
var res = out.stream;
var nonce = res.csp && res.csp.nonce;
// NOTE:
// The code above assumes that there is some middleware that
// stores the nonce into a [non-standard] `res.csp.nonce` variable.
// Use whatever is appropriate for your app.
return nonce; // A string value
}
});
A Lasso.js plugin can also be used to register the CSP nonce provider as shown below:
module.exports = function(lasso, pluginConfig) {
lasso.setCSPNonceProvider(function(out) {
return 'abc123';
})
};
Registering a cspNonceProvider
will result in a nonce
attribute being added to all inline <script>
and <style>
tags rendered in either the head
slot (<lasso-head/>
) or the body
slot (<lasso-body/>
).
With a CSP nonce enable, the HTML output for a page rendered using Marko might be similar to the following:
<html>
<head>
<!-- BEGIN head slot: -->
<link rel="stylesheet" type="text/css" href="/static/page1-8b866529.css">
<style type="text/css" nonce="abc123">
body .inline {
background-color: red;
}
</style>
<!-- END head slot -->
</head>
<body>
<!-- BEGIN body slot: -->
<script type="text/javascript" src="/static/page1-1097e0f6.js"></script>
<script type="text/javascript" nonce="abc123">
console.log('hello-inline');
</script>
<!-- END body slot -->
</body>
</html>
NOTE: A nonce
attribute is only added to inline <script>
and <style>
tags.
As an extra convenience, Lasso.js also supports a custom lasso-nonce
attribute that can be dropped onto any HTML tag in your Marko template
files as shown below:
<script type="text/javascript" lasso-nonce>console.log('My inline script')</script>
<style type="text/css" lasso-nonce>.my-inline-style { }</style>
The output HTML will be similar to the following:
<script type="text/javascript" nonce="abc123">console.log('My inline script')</script>
<style type="text/css" nonce="abc123">.my-inline-style { }</style>
If your page is statically built (such as when creating a Single Page App) then you should enable inline code fingerprinting which is way to whitelist exactly which inline code blocks should be allowed. It is important to emphasize, that a nonce ("number once") will not properly secure a statically built application since the HTML is built once which prevents the nonce from changing. To secure your statically built application, you should instead fingerprint all of the inline code blocks and include these fingerprints in your CSP.
Here is an example of what CSP might look like if using SHA256 fingerprints:
script-src 'self' 'sha256-viOn97JiWZ/fvh2VGIpROjZabjdtdrgtfO1wlPz9w7w='
require('lasso').configure({
/* typical configuration goes here */
// Configure Lasso with a function that will be called for fingerprinting
// each inline code block...
fingerprintInlineCode: function(code) {
var shasum = crypto.createHash('sha256');
shasum.update(code);
return shasum.digest('base64');
}
});
// This is the full list of fingerprints that were captured
// across all page builds
var inlineCodeFingerprints = [];
// Collect all of the fingerprints as each page is built
require('lasso').getDefaultLasso().on('afterLassoPage', function(event) {
var lassoPageResult = event.result;
var fingerprints = lassoPageResult.getInlineCodeFingerprints();
fingerprints.forEach(function(fingerprint) {
inlineCodeFingerprints.push(fingerprint);
});
})
// NOW BUILD YOUR PAGES HERE
// ... build code goes here ...
// NOW BUILD YOUR CONTENT SECURITY POLICY:
var csp = inlineCodeFingerprints.map(function(fingerprint) {
return `script-src 'self' 'sha256-${fingerprint}'`
}).join('; ');
Below is a list of plugins that are currently available:
Core plugins:
Third-party plugins
inline
single file dependency assets that are not of type: require
.To use a third-party plugin, you must first install it using npm install
. For example:
npm install lasso-less --save
If you create your own plugin please send a Pull Request and it will show up above. Also, do not forget to tag your plugin with lasso-plugin
and lasso
in your package.json
so that others can browse for it using npm
Only read below if you are building plugins or transforms to further enhance the lasso
module.
A plugin can be used to change how the lasso operates. This includes the following:
console.log
from JS codeA plugin is simply a Node.js module that exports a function with the following signature:
/**
* A plugin for Lasso.js
* @param {lasso/lib/Lasso} lasso An instance of a Lasso that can be configured
* @param {Object} The plugin configuration provided by the user
*/
module.exports = function(lasso, config) {
// Register dependency types:
lasso.dependencies.registerJavaScriptType('my-js-type', require('./dependency-my-js-type'));
lasso.dependencies.registerStyleSheetType('my-css-type', require('./dependency-my-css-type'));
lasso.dependencies.registerPackageType('my-package-type', require('./dependency-my-package-type'));
// Add an output transform
lasso.addTransform(require('./my-transform'));
// Register a custom Node.js/CommonJS module compiler for a custom filename extension
// var myModule = require('./hello.test');
lasso.dependencies.registerRequireExtension('test', function(path, context, callback) {
callback(null, "exports.sayHello = function() { console.log('Hello!'); }");
});
};
There are three types of dependencies that are supported:
Each of these dependencies is described in the next few sections. However, it is recommended to also check out the source code of available plugins listed above (e.g. lasso-less).
If you would like to introduce your own custom dependency types then you will need to have your plugin register a dependency handler. This is illustrated in the following sample code:
const fs = require('fs');
module.exports = function myPlugin(lasso, config) {
lasso.dependencies.registerJavaScriptType(
'my-custom-type',
{
// Declare which properties can be passed to the dependency type
properties: {
'path': 'string'
},
// Validation checks and initialization based on properties:
async init (context) {
if (!this.path) {
throw new Error('"path" is required');
}
// NOTE: resolvePath can be used to resolve a provided relative path to a full path
this.path = this.resolvePath(this.path);
},
// Read the resource:
async read (context) {
const src = await fs.promises.readFile(this.path, {encoding: 'utf8'});
return myCompiler.compile(src);
// NOTE: A stream can also be returned
},
// getSourceFile is optional and is only used to determine the last modified time
// stamp and to give the output file a reasonable name when bundling is disabled
getSourceFile: function() {
return this.path;
}
});
};
Once registered, the above dependency can then be referenced from an browser.json
as shown in the following code:
{
"dependencies": [
"my-custom-type: hello.file"
]
}
If a custom dependency supports more than just a path
property, additional properties could be provided as shown in the following sample code:
{
"dependencies": [
{
"type": "my-custom-type",
"path": "hello.file",
"foo": "bar",
"hello": true
}
]
}
If you would like to introduce your own custom dependency types then you will need to have your plugin register a dependency handler as shown in the following sample code:
module.exports = function myPlugin(lasso, config) {
lasso.dependencies.registerStyleSheetType(
'my-custom-type',
handler);
};
The handler
argument for a CSS dependency has the exact same interface as a handler for a JavaScript dependency (described earlier).
A custom package dependency can be used to dynamically resolve additional dependencies at optimization time. The sample package dependency handler below illustrates how a package dependency can be used to automatically include every file in a directory as a dependency:
const { promisify } = require('util');
const fs = promisify(require('fs'));
const path = promisify(require('path'));
lasso.dependencies.registerPackageType('dir', {
properties: {
'path': 'string'
},
async init (context) {
let path = this.path;
if (!path) {
callback(new Error('"path" is required'));
}
this.path = path = this.resolvePath(path); // Convert the relative path to an absolute path
const stat = await fs.stat(path);
if (!stat.isDirectory()) {
throw new Error('Directory expected: ' + path);
}
},
async getDependencies (context) {
const dir = this.path;
const filenames = await fs.readdir(dir);
// Convert the filenames to full paths
var dependencies = filenames.map(function(filename) {
return path.join(dir, filename);
});
return dependencies;
},
getDir: function() {
// If the dependencies are associated with a directory then return that directory.
// Otherwise, return null
return this.path;
}
});
Registered output transforms are used to process bundles as they are written to disk. As an example, an output transform can be used to minify a JavaScript or CSS bundle. Another example is that an output transform may be used to remove console.log
statements from output JavaScript code. Transforms should be registered by a plugin using the lasso.addTransform(transform)
method.
As an example, the following unhelpful transform will convert all JavaScript source code to upper case:
module.exports = function (lasso, pluginConfig) {
lasso.addTransform({
// Only apply to JavaScript code
contentType: 'js', // 'css' is the other option
// Give your module a friendly name (helpful for debugging in case something goes wrong in your code)
name: module.id,
// If stream is set to false then a String will be provided. Otherwise, a readable stream will be provided
stream: false,
// Do the magic:
transform: function(code, lassoContext) {
return code.toUpperCase();
}
});
};
Below is the streaming version of the same transform:
var through = require('through');
module.exports = function (lasso, pluginConfig) {
lasso.addTransform({
// Only apply to JavaScript code
contentType: 'js', // 'css' is the other option
// Give your module a friendly name (helpful for debugging in case something goes wrong in your code)
name: module.id,
stream: true, // We want the code to be streamed to us
// Do the magic:
transform: function(inStream, lassoContext) {
return inStream.pipe(through(
function write(data) {
this.queue(data.toUpperCase());
}));
}
});
};
See JavaScript API.
See AMD Compatibility.
Please join us in the Gitter chat room for Lasso.js or open a new Github issue.
Pull Requests welcome. Please submit Github issues for any feature enhancements, bugs or documentation problems.
Apache License v2.0
FAQs
Lasso.js is a build tool and runtime library for building and bundling all of the resources needed by a web application
The npm package lasso receives a total of 687 weekly downloads. As such, lasso popularity was classified as not popular.
We found that lasso demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.