The lz-string npm package provides compression and decompression functionalities for strings. It is designed to be lightweight and fast, and it can compress data to a smaller size to save storage space or reduce the amount of data transmitted over the network.
Compression
This feature allows you to compress a string into a smaller one, which can be useful for saving space or reducing the size of data sent over the network.
const LZString = require('lz-string');
const compressed = LZString.compress('This is my string to compress.');
Decompression
This feature allows you to decompress a string that was previously compressed with lz-string, restoring it to its original form.
const LZString = require('lz-string');
const compressed = LZString.compress('This is my string to compress.');
const decompressed = LZString.decompress(compressed);
Compression to UTF-16
This feature compresses a string and encodes it in UTF-16 format, which can be useful for environments that do not support UTF-8.
const LZString = require('lz-string');
const compressed = LZString.compressToUTF16('This is my string to compress.');
Decompression from UTF-16
This feature decompresses a string that was compressed to UTF-16 format back to its original string.
const LZString = require('lz-string');
const compressed = LZString.compressToUTF16('This is my string to compress.');
const decompressed = LZString.decompressFromUTF16(compressed);
Compression to Base64
This feature compresses a string and encodes it in Base64, which is useful for safe transport over protocols that might not handle binary data well.
const LZString = require('lz-string');
const compressed = LZString.compressToBase64('This is my string to compress.');
Decompression from Base64
This feature decompresses a string that was compressed and encoded in Base64 back to its original string.
const LZString = require('lz-string');
const compressed = LZString.compressToBase64('This is my string to compress.');
const decompressed = LZString.decompressFromBase64(compressed);
Pako is an npm package that provides a high-speed port of zlib to JavaScript, which works in the browser and Node.js. It offers similar compression and decompression functionality, but it implements the zlib algorithm, which is different from the LZ-based compression used by lz-string.
Snappy is a fast compressor/decompressor npm package that is based on the snappy library. It is known for its high speed and reasonable compression ratio, and it is used by systems like Cassandra and Hadoop. Unlike lz-string, snappy focuses on speed rather than achieving the highest compression ratio.
Brotli is a compression algorithm developed by Google, and the npm package provides Node.js bindings for the Brotli library. It offers higher compression ratios than lz-string, especially for text data, and is supported natively by many modern browsers for HTTP compression.
LZ-based compression algorithm for JavaScript
Files have changed locations and name since a recent release. The new release file is in libs/lz-string.min.js (or in libs/lz-string.js if you don't care for the minified version).
Sorry about the mess in other repos. This will not happen again.
If you are using one of the ports of lz-string to decode on the server what was encoded in the browser, you might want to use version 1.3.7, because version 1.3.8 introduced a slight change in the encoding. While the JS versions are completely cross-compatible, the PHP, Go, ... versions might not be as forgiving.
$ npm install -g lz-string
$ lz-string input.js > output.txt
Home page for this program with examples, documentation and a live demo: http://pieroxy.net/blog/pages/lz-string/index.html
This lib has numerous ports to other languages, for server side processing, mostly. Here they are:
[1.5.0] - 2023-06-20
FAQs
LZ-based compression algorithm
The npm package lz-string receives a total of 10,213,036 weekly downloads. As such, lz-string popularity was classified as popular.
We found that lz-string demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.