
Security News
/Research
Coordinated npm and PyPI Campaign Typosquats Popular Secure Payment Apps
Socket uncovered 17 malicious npm and PyPI packages typosquatting Paysafe, Skrill, and Neteller SDKs to steal developer secrets.
High-performance streaming multipart/mixed parser for Node.js applications.
This is a private workspace package used internally by other packages in this monorepo.
import { parseMultipartStream, MultipartMessage } from "mixpart";
// Parse a multipart/mixed response
const response = await fetch("https://api.example.com/multipart-endpoint");
for await (const message of parseMultipartStream(response)) {
console.log("Headers:", message.headers);
// Access specific headers
const contentType = message.headers["content-type"];
const customHeader = message.headers["x-custom-header"];
// Stream the payload - no buffering in memory
const reader = message.payload.getReader();
while (true) {
const { done, value } = await reader.read();
if (done) break;
console.log("Received chunk:", value.length, "bytes");
// Process each chunk immediately without buffering
}
}
The parser includes configurable safety limits to prevent unbounded memory growth:
import { parseMultipartStream, ParserOptions } from "mixpart";
const options: ParserOptions = {
maxHeaderSize: 128000, // 128KB header limit (default: 64KB)
maxBoundaryBuffer: 16384, // 16KB boundary buffer (default: 8KB)
};
for await (const message of parseMultipartStream(response, options)) {
// Process messages safely
}
Safety Limits:
For convenience when you need the complete payload:
import { parseMultipartStream } from "mixpart";
async function readStreamToText(
stream: ReadableStream<Uint8Array>,
): Promise<string> {
const reader = stream.getReader();
const chunks: Uint8Array[] = [];
while (true) {
const { done, value } = await reader.read();
if (done) break;
chunks.push(value);
}
const totalLength = chunks.reduce((sum, chunk) => sum + chunk.length, 0);
const result = new Uint8Array(totalLength);
let offset = 0;
for (const chunk of chunks) {
result.set(chunk, offset);
offset += chunk.length;
}
return new TextDecoder().decode(result);
}
for await (const message of parseMultipartStream(response)) {
if (message.headers["content-type"] === "application/json") {
const jsonText = await readStreamToText(message.payload);
const data = JSON.parse(jsonText);
console.log("JSON data:", data);
}
}
Since this is a generic parser, applications can extract their own specific headers:
import { parseMultipartStream } from "mixpart";
const response = await fetch("https://api.example.com/messages", {
headers: {
Accept: "multipart/mixed",
Authorization: "Bearer TOKEN",
},
});
for await (const part of parseMultipartStream(response)) {
// Extract application-specific headers
const messageId = part.headers["x-message-id"];
const timestamp = part.headers["x-timestamp"];
const contentType = part.headers["content-type"];
if (messageId && timestamp) {
console.log("Message:", {
id: messageId,
timestamp: timestamp,
contentType: contentType,
});
// Stream process the payload without loading it all into memory
const reader = part.payload.getReader();
const chunks: Uint8Array[] = [];
while (true) {
const { done, value } = await reader.read();
if (done) break;
chunks.push(value);
}
// Only combine chunks when ready to process
const totalLength = chunks.reduce((sum, chunk) => sum + chunk.length, 0);
const fullPayload = new Uint8Array(totalLength);
let offset = 0;
for (const chunk of chunks) {
fullPayload.set(chunk, offset);
offset += chunk.length;
}
if (contentType === "application/json") {
const messageData = JSON.parse(new TextDecoder().decode(fullPayload));
console.log("JSON data:", messageData);
}
}
}
parseMultipartStream(response: Response, options?: ParserOptions)Returns an async generator that yields MultipartMessage objects as they are parsed from the stream.
Parameters:
response: A Response object with a multipart/mixed bodyoptions: Optional configuration for memory safety limitsReturns:
AsyncGenerator<MultipartMessage, void, unknown>ParserOptionsConfiguration interface for memory safety:
interface ParserOptions {
maxHeaderSize?: number; // Maximum header buffer size (default: 64KB)
maxBoundaryBuffer?: number; // Maximum boundary buffer size (default: 8KB)
}
MultipartMessageInterface representing a parsed multipart message:
interface MultipartMessage {
headers: Record<string, string>; // All headers from the multipart part
payload: ReadableStream<Uint8Array>; // Streaming payload - no buffering
}
Key Benefits:
extractBoundary(contentType: string)Utility function to extract the boundary parameter from a Content-Type header.
Parameters:
contentType: Content-Type header valueReturns:
string: The boundary stringMultipartParseErrorError class thrown when multipart parsing fails:
class MultipartParseError extends Error {
name: "MultipartParseError";
}
The parser uses a sophisticated streaming architecture with memory safety:
ReadableStream<Uint8Array>Memory Safety Features:
This design allows processing of arbitrarily large multipart responses without memory constraints while protecting against malformed data.
MIT
FAQs
High-performance streaming multipart/mixed parser for Node.js
The npm package mixpart receives a total of 809,152 weekly downloads. As such, mixpart popularity was classified as popular.
We found that mixpart demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
/Research
Socket uncovered 17 malicious npm and PyPI packages typosquatting Paysafe, Skrill, and Neteller SDKs to steal developer secrets.

Security News
Node.js is debating whether AI-driven security report volume warrants moving more vulnerability reports into public workflows.

Security News
PolinRider expands across npm, Packagist, Go modules, and Chrome extensions, using hidden loaders to target developer environments.