Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
main-thread-scheduling
Consistently responsive apps while staying on the main thread
npm install main-thread-scheduling
The library lets you run computationally heavy tasks on the main thread while ensuring:
MessageChannel.postMessage() and requestIdleCallback() for scheduling.
navigator.scheduling.isInputPending() API is available).
background priority are executed last so there isn't some unexpected work that slows down the main thread after the background task is finished.
Why rely on some open-source library to ensure good performance for my app?
yieldOrContinue(priority) function. The API has two more functions for more advanced cases.
You can see the library in action in this CodeSandbox. Try removing the call to yieldOrContinue() and then type in the input to see the difference.
yieldOrContinue(priority: 'background' | 'user-visible')
The complexity of the entire library is hidden behind this method. You can have great app performance by calling a single method.
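import { yieldOrContinue } from 'main-thread-scheduling'

// `files` and `fuzzySearchLine` are provided by the surrounding app.
async function findInFiles(query: string) {
    for (const file of files) {
        // Yield to the browser between files if the time budget is used up.
        await yieldOrContinue('user-visible')
        for (const line of file.lines) {
            fuzzySearchLine(line, query)
        }
    }
}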
The library has two more functions available:
yieldControl(priority: 'background' | 'user-visible')
isTimeToYield(priority: 'background' | 'user-visible')
These two functions are used together to handle more advanced use cases.
A simple use case where you will need those two functions is when you want to render your view before yielding back control to the browser to continue its work:
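import { isTimeToYield, yieldControl } from 'main-thread-scheduling'

// `values`, `render` and `computeHeavyWorkOnValue` are provided by the surrounding app.
async function doHeavyWork() {
    for (const value of values) {
        if (isTimeToYield('user-visible')) {
            // Update the view first, then hand control back to the browser.
            render()
            await yieldControl('user-visible')
        }
        computeHeavyWorkOnValue(value)
    }
}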
There are two priorities available: user-visible and background:
user-visible – use this for things that need to display to the user as fast as possible. Every user-visible task is run for 83ms – this gives you a nice cycle of doing heavy work and letting the browser render pending changes.
background – use this for background tasks. Every background task is run for 5ms.
If you have a use case for a third priority, you can write in this issue.
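The time budgets above, worked through as an added example (a sketch written for this page, not the library's source code). The names `createSlicer`, `simulate` and `BUDGET_MS` and the injectable clock are assumptions of the sketch; it shows that because the budget is only checked between units of work, one uninterrupted stretch can overrun it by up to one unit.

```javascript
// Added example, not the library's source. Budgets are the figures quoted on this page.
const BUDGET_MS = { 'user-visible': 83, background: 5 };

// `now` is injectable (an assumption of this sketch) so a fake clock can drive it.
function createSlicer(now = () => performance.now()) {
  let sliceStart = now();

  // True once the current slice has used up the budget for this priority.
  function isTimeToYield(priority) {
    const budget = BUDGET_MS[priority];
    if (budget === undefined) throw new TypeError(`unknown priority: ${priority}`);
    return now() - sliceStart >= budget;
  }

  const startNewSlice = () => { sliceStart = now(); };

  // Yield through a macrotask so the browser can handle input and paint first.
  function yieldControl() {
    return new Promise((resolve) => {
      const { port1, port2 } = new MessageChannel();
      port1.onmessage = () => {
        port1.close(); // release the channel once the wake-up has arrived
        startNewSlice();
        resolve();
      };
      port2.postMessage(null);
    });
  }

  return { isTimeToYield, startNewSlice, yieldControl };
}

// Replay constructed per-unit costs against a fake clock and report how often
// the loop would yield and the longest uninterrupted stretch of work.
function simulate(unitCostsMs, priority) {
  let clock = 0;
  const slicer = createSlicer(() => clock);
  let yields = 0, sliceBegan = 0, longestSliceMs = 0;
  for (const cost of unitCostsMs) {
    if (slicer.isTimeToYield(priority)) {
      longestSliceMs = Math.max(longestSliceMs, clock - sliceBegan);
      yields += 1;
      slicer.startNewSlice();
      sliceBegan = clock;
    }
    clock += cost; // a unit of work cannot be interrupted once started
  }
  longestSliceMs = Math.max(longestSliceMs, clock - sliceBegan);
  return { yields, longestSliceMs };
}
```

With ten constructed 30ms units at user-visible priority, `simulate` reports slices of 90ms rather than 83ms, so keeping individual units small is what keeps the real blocking time close to the budget.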
Web Workers are a great alternative if you have: 1) heavy code (e.g. image processing), 2) something that isn't a task but a process (runs through a large part of the app lifecycle). However, in reality, it's rare to see people using them. That's because they require a significant investment of time due to the complexity that can't be avoided when working with CPU threads, regardless of the programming language. This library can be used as a gateway before transitioning to Web Workers. In reality, a lot of the time, you will discover that doing it on the main thread is good enough.
scheduler.yield() will probably land in browsers at some point. However, is scheduler.yield() enough? The spec isn't very clear on how it will work exactly so I'm not sure. My guess is that it would be possible to go without this library but you will need extra code to do so. That's because you will need to reimplement the isTimeToYield() method for which I don't see an alternative in the spec.
React scheduler is a similar implementation. They plan to make it more generic (for use outside of React) but there doesn't seem to be a public roadmap for that.
FAQs
Fast and consistently responsive apps using a single function call
The npm package main-thread-scheduling receives a total of 3,867 weekly downloads. As such, main-thread-scheduling popularity was classified as popular.
We found that main-thread-scheduling demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.