Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
The marky npm package is a high-resolution JavaScript stopwatch that can be used to measure the duration of operations. It provides an easy-to-use API for starting, stopping, and getting elapsed time with high precision.
Start and stop a timer
This feature allows you to start a timer with a unique name and then stop it later to get the elapsed time.
const marky = require('marky');
marky.mark('myTimer');
// ... some operation ...
const myTimerResult = marky.stop('myTimer');
console.log('Elapsed time:', myTimerResult.duration);
Get a list of all timers
This feature allows you to retrieve a list of all timers that have been created and stopped, including their names and durations.
const marky = require('marky');
marky.mark('timer1');
// ... some operation ...
marky.stop('timer1');
marky.mark('timer2');
// ... another operation ...
marky.stop('timer2');
const allTimers = marky.getEntries();
console.log(allTimers);
Clear all timers
This feature allows you to clear all recorded timers from marky's internal storage.
const marky = require('marky');
marky.mark('timer1');
// ... some operation ...
marky.stop('timer1');
marky.clear();
const allTimersAfterClear = marky.getEntries();
console.log(allTimersAfterClear); // Should be an empty array
This package provides a function to get a timestamp in milliseconds, similar to how performance.now() works in the browser. It is a simpler tool compared to marky, focusing only on getting the current timestamp without the ability to label and store multiple timers.
time-span is a high-resolution timer that can be used to measure time spans. It offers a simple API to start and end timers, but unlike marky, it does not provide the ability to label timers or retrieve a list of all timers.
JavaScript timer based on performance.mark()
and performance.measure()
, providing high-resolution
timings as well as nice Dev Tools visualizations.
For browsers that don't support performance.mark()
, it falls back to
performance.now()
or Date.now()
. In Node, it uses process.hrtime()
.
Install via npm:
npm install marky
Or as a script tag:
<script src="https://unpkg.com/marky/dist/marky.min.js"></script>
Then take some measurements:
var marky = require('marky');
marky.mark('expensive operation');
doExpensiveOperation();
marky.stop('expensive operation');
The User Timing API is more performant
than console.time()
and console.timeEnd()
,
and more accurate than Date.now()
. Also, you get nice visualizations in Chrome Dev Tools:
As well as Edge F12 Tools:
This is because marky
adds standard
PerformanceEntries to the Performance Timeline. Tools like WebPageTest and Windows Performance Analyzer also surface them, and you can even send them to your analytics provider.
marky.mark()
begins recording, and marky.stop()
finishes recording:
marky.mark('releaseTheHounds');
releaseTheHounds();
marky.stop('releaseTheHounds');
You can also do more complex scenarios:
function setSail() {
marky.mark('setSail');
marky.mark('raiseTheAnchor');
raiseTheAnchor();
marky.stop('raiseTheAnchor');
marky.mark('unfurlTheSails');
unfurlTheSails();
marky.stop('unfurlTheSails');
marky.stop('setSail');
}
marky.stop()
also returns a PerformanceEntry
:
marky.mark('manTheTorpedos');
manTheTorpedos();
var entry = marky.stop('manTheTorpedos');
The entry will look something like:
{
"entryType": "measure",
"startTime": 1974112,
"duration": 350,
"name": "manTheTorpedos"
}
You can get all entries using:
var entries = marky.getEntries();
This provides a list of all measures ordered by startTime
, e.g.:
[
{
"entryType": "measure",
"startTime": 1974112,
"duration": 350,
"name": "numberOne"
},
{
"entryType": "measure",
"startTime": 1975108,
"duration": 300,
"name": "numberTwo"
},
{
"entryType": "measure",
"startTime": 1976127,
"duration": 250,
"name": "numberThree"
}
]
You can also clear the entries using marky.clear():
marky.clear()
After this, marky.getEntries()
will return an empty list. (If the User Timing API is supported, this will delete all the mark
and measure
entries from the timeline.)
marky
has been tested in the following browsers/environments:
Per the spec, browsers only need to hold a minimum
of 150 entries in their Performance Timeline buffer. In older versions of Firefox, the buffer
is throttled to 150, which for marky
means you can get a maximum of 50 entries from marky.getEntries()
(because marky
creates two marks and a measure).
If you need to get more than 50 entries from marky.getEntries()
, you can do:
if (typeof performance !== 'undefined' && performance.setResourceTimingBufferSize) {
performance.setResourceTimingBufferSize(10000); // or however many you need
}
In Node and browsers that don't support the User Timing API,
marky
follows the behavior of Edge and Chrome, and does not limit the number of entries. marky.stop()
and
marky.getEntries()
will return pseudo-PerformanceEntry
objects.
mark()
/measure()
which reports to Google Analytics.Thanks to @toddreifsteck for feedback on this project and clarifications on the User Timing API.
FAQs
Performance timer based on performance.mark() and measure()
The npm package marky receives a total of 2,877,784 weekly downloads. As such, marky popularity was classified as popular.
We found that marky demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.