Security News
MCP Community Begins Work on Official MCP Metaregistry
The MCP community is launching an official registry to standardize AI tool discovery and let agents dynamically find and install MCP servers.
By Sarah Gooding - May 09, 2025
🚀 Big News: Socket Acquires Coana to Bring Reachability Analysis to Every Appsec Team.Learn more →
What is meros?
The meros npm package is designed to handle multipart responses in a more convenient and efficient way. It is particularly useful for dealing with GraphQL multipart responses, allowing clients to process parts of the response as they arrive, rather than waiting for the entire response. This can improve performance and user experience in applications that consume streaming APIs or need to handle large, multipart responses.
What are meros's main functionalities?
Parsing GraphQL multipart responses
This code sample demonstrates how to use meros to parse a GraphQL multipart response from a fetch request. It checks if the response is of type 'multipart/mixed' and then uses meros to asynchronously iterate over each part of the response, logging the body of each part if it is JSON.
import { meros } from 'meros';
const response = await fetch('/graphql', {
body: JSON.stringify({ query }),
method: 'POST',
});
if (response.headers.get('content-type').includes('multipart/mixed')) {
const parts = await meros(response);
for await (const part of parts) {
if (part.json) {
console.log(part.body);
}
}
}Other packages similar to meros
graphql-helix
GraphQL Helix is a collection of utility functions for building your own GraphQL HTTP server. It supports multipart responses similar to meros but is more focused on the server-side handling of GraphQL requests, including features for query execution and subscription support.
subscriptions-transport-ws
This package is a transport layer for handling GraphQL subscriptions over WebSocket. While it doesn't directly deal with multipart responses, it offers a real-time data fetching capability that can be seen as an alternative approach to handling streaming data, compared to the multipart response handling in meros.
npm add meros makes reading multipart responses simple
⚡ Features
- No dependencies
- Seemless api
- Super performant
- Supports any1
content-type - preamble and epilogue don't yield
- Browser/Node Compatible
- Plugs into existing libraries like Relay and rxjs
🚀 Usage
Visit /examples for more info!
// Relies on bundler/environment detection
import { meros } from 'meros';
const parts = await fetch('/api').then(meros);
// As a simple Async Generator
for await (const part of parts) {
// Do something with this part
}
// Used with rxjs streams
from(parts).subscribe((part) => {
// Do something with it
});
Specific Environment
Browser
import { meros } from 'meros/browser';
// import { meros } from 'https://cdn.skypack.dev/meros';
const parts = await fetch('/api').then(meros);
Node
import http from 'http';
import { meros } from 'meros/node';
const response = await new Promise((resolve) => {
const request = http.get(`http://example.com/api`, (response) => {
resolve(response);
});
request.end();
});
const parts = await meros(response);
🔎 API
Meros offers two flavours, both for the browser and for node; but their api's are fundamentally the same.
Note: The type
Responseis used loosely here and simply alludes to Node'sIncomingMessageor the browser'sResponsetype.
meros(response: Response, options?: Options)
Returns: Promise<Response | AsyncGenerator<Part | Part[]>
Meros returns a promise that will resolve to an AsyncGenerator if the response is of multipart/mixed mime, or simply
returns the Response if something else; helpful for middlewares. The idea here being that you run meros as a chain off
fetch.
fetch('/api').then(meros);
If the
content-typeis NOT a multipart, then meros will resolve with the response argument.Example on how to handle this case
import { meros } from 'meros'; const response = await fetch('/api'); // Assume this isnt multipart const parts = await meros(response); if (parts[Symbol.asyncIterator] < 'u') { for await (const part of parts) { // Do something with this part } } else { const data = await parts.json(); }
each Part gives you access to:
json: boolean~ Tells you thebodywould be a JavaScript object of your defined genericT.headers: object~ A key-value pair of all headers discovered from this part.body: T | Fallback~ Is the body of the part, either as a JavaScript object (noted byjson) or the base type of the environment (Buffer | string, for Node and Browser respectively).
options.multiple: boolean
Default: false
Setting this to true will yield once for all available parts of a chunk, rather than yielding once per part. This is
an optimization technique for technologies like GraphQL where rather than commit the payload to the store, to be
added-to in the next process-tick we can simply do that synchronously.
Warning: This will alter the behaviour and yield arrays—than yield payloads.
const chunks = await fetch('/api').then((response) => meros(response, { multiple: true }));
// As a simple Async Generator
for await (const parts of chunks) {
for (const part of parts) {
// Do something with this part, maybe aggregate?
}
}
💨 Benchmark
via the
/benchdirectory with Node v18.0.0
Node
✔ meros ~ 1,271,218 ops/sec ± 0.84%
✘ it-multipart ~ 700,039 ops/sec ± 0.72%
--
it-multipart (FAILED @ "should match reference patch set")
Browser
✔ meros ~ 800,941 ops/sec ± 1.06%
✘ fetch-multipart-graphql ~ 502,175 ops/sec ± 0.75%
--
fetch-multipart-graphql (FAILED @ "should match reference patch set")
🎒 Notes
Why the name? meros comes from Ancient Greek μέρος méros, meaning "part".
This library aims to implement RFC1341 in its entirety, however we aren't there yet. That being said, you may very well use this library in other scenarios like streaming in file form uploads.
Another goal here is to aide in being the defacto standard transport library to support
@defer and @stream GraphQL directives
Caveats
- No support the
/alternative,/digestor/parallelsubtype at this time. - No support for nested multiparts
❤ Thanks
Special thanks to Luke Edwards for performance guidance and high level api design.
😇 Compassion
This library is simple, a meer few hundred bytes. It's easy to copy, and easy to alter. If you do, that is fine ❤️ im all for the freedom of software. But please give credit where credit is due.
License
MIT © Marais Rossouw
Footnotes
-
By default, we'll look for JSON, and parse that for you. If not, we'll give you the body as what was streamed. ↩
FAQs
A fast 642B utility that makes reading multipart responses simple
The npm package meros receives a total of 2,880,677 weekly downloads. As such, meros popularity was classified as popular.
We found that meros demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 26 May 2023
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
Security News
Malicious npm Packages Use Telegram to Exfiltrate BullX Credentials
Socket uncovers an npm Trojan stealing crypto wallets and BullX credentials via obfuscated code and Telegram exfiltration.
By Kush Pandya - May 08, 2025
Research
Security News
Backdooring the IDE: Malicious npm Packages Hijack Cursor Editor on macOS
Malicious npm packages posing as developer tools target macOS Cursor IDE users, stealing credentials and modifying files to gain persistent backdoor access.
By Kirill Boychenko - May 07, 2025