Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Most.js is a toolkit for reactive programming. It helps you compose asynchronous operations on streams of values and events, e.g. WebSocket messages, DOM events, etc, and on time-varying values, e.g. the "current value" of an <input>, without many of the hazards of side effects and mutable shared state.
It features an ultra-high performance, low overhead architecture, APIs for easily creating event streams from existing sources, like DOM events, and a small but powerful set of operations for merging, filtering, transforming, and reducing event streams and time-varying values.
Here's a simple program that displays the result of adding two inputs. The result is reactive and updates whenever either input changes.
First, the HTML fragment for the inputs and a place to display the live result:
<form>
<input class="x"> + <input class="y"> = <span class="result"></span>
</form>
Using most.js to make it reactive:
var most = require('most');
var xInput = document.querySelector('input.x');
var yInput = document.querySelector('input.y');
var resultNode = document.querySelector('.result');
exports.main = function() {
// x represents the current value of xInput
var x = most.fromEvent('input', xInput).map(toNumber);
// y represents the current value of yInput
var y = most.fromEvent('input', yInput).map(toNumber);
// result is the live current value of adding x and y
var result = most.combine(add, x, y);
// Observe the result value by rendering it to the resultNode
result.observe(renderResult);
};
function add(x, y) {
return x + y;
}
function toNumber(e) {
return Number(e.target.value);
}
function renderResult(result) {
resultNode.textContent = result;
}
To run the example above and others using RaveJS: clone the repo into a web servable dir, cd examples/<name> && bower install
, and load index.html
in your browser.
Most requires ES6 Promise
. You can use your favorite polyfill, such as creed, when, bluebird, es6-promise, etc. Using a polyfill can be especially beneficial on platforms that don't yet have good unhandled rejection reporting capabilities.
As a module:
npm install --save most
var most = require('most');
As window.most
:
bower install --save most`
<script src="most/dist/most.js"></script>
Most.js streams are compatible with Promises/A+ and ES6 Promises. They also implement Fantasy Land Monoid
, Functor
, Applicative
, and Monad
.
Reactive programming is an important concept that provides a lot of advantages: it naturally handles asynchrony and provides a model for dealing with complex data and time flow while also lessening the need to resort to shared mutable state. It has many applications: interactive UIs and animation, client-server communication, robotics, IoT, sensor networks, etc.
A primary focus of most.js is performance. The perf test results indicate that it is achieving its goals in this area. Our hope is that by publishing those numbers, and showing what is possible, other libs will improve as well.
Most.js is highly modularized. It's internal Stream/Source/Sink architecture and APIs are simple, concise, and well defined. Combinators are implemented entirely in terms of that API, and don't need to use any private details. This makes it easy to implement new combinators externally (ie in contrib repos, for example) while also guaranteeing they can still be high performance.
Aside from making combinators less "obviously correct", complexity can also lead to performace and maintainability issues. We felt a simple implementation would lead to a more stable and performant lib overall.
Most.js integrates with language features, such as promises, iterators, generators, and asynchronous generators.
Promises are a natural compliment to asynchronous reactive streams. The relationship between synchronous "sequence" and "value" is clear, and the asynchronous analogue needs to be clear, too. By taking the notion of a sequence and a value and lifting them into the asynchronous world, it seems clear that reducing an asynchronous sequence should produce a promise. Hence, most.js uses promises when a single value is the natural synchronous analogue.
Most.js interoperates seamlessly with ES6 and Promises/A+ promises. For example, reducing a stream returns a promise for the final result:
// After 4 seconds, logs 10
most.from([1, 2, 3, 4])
.delay(1000)
.reduce(function(result, y) {
return result + y;
}, 0)
.then(function(result) {
console.log(result);
});
You can also create a stream from a promise:
// Logs "hello"
most.fromPromise(Promise.resolve('hello'))
.observe(function(message) {
console.log(message);
});
Conceptually, generators allow you to write a function that acts like an iterable sequence. Generators support the standard ES6 Iterator interface, so they can be iterated over using ES6 standard for of
or the iterator's next()
API.
Most.js interoperates with ES6 generators and iterators. For example, you can create an event stream from any ES6 iterable:
function* allTheIntegers() {
let i=0;
while(true) {
yield i++;
}
}
// Log the first 100 integers
most.from(allTheIntegers())
.take(100)
.observe(x => console.log(x));
You can also create an event stream from an asynchronous generator, a generator that yields promises:
function* allTheIntegers(interval) {
let i=0;
while(true) {
yield delayPromise(interval, i++);
}
}
function delayPromise(ms, value) {
return new Promise(resolve => setTimeout(() => resolve(value), ms));
}
// Log the first 100 integers, at 1 second intervals
most.generate(allTheIntegers, 1000)
.take(100)
.observe(x => console.log(x));
FAQs
Monadic streams
The npm package most receives a total of 7,273 weekly downloads. As such, most popularity was classified as popular.
We found that most demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.