node-sass
Package description
The node-sass npm package is a library that allows you to natively compile .scss files to CSS at incredible speed and automatically via a connect middleware. It provides a binding for Node.js to the Sass engine, which is written in C++ and allows for the translation of SCSS or SASS syntax into standard CSS that browsers can understand.
Compiling SCSS to CSS
This feature allows you to compile .scss files into .css files. The 'render' method takes an options object and a callback function. The options object specifies the input and output paths for the SCSS and CSS files, respectively. The callback is invoked after the compilation process, and you can handle the result or error accordingly.
    const fs = require('fs'); // needed for fs.writeFile below
    const sass = require('node-sass');

    sass.render({
        file: 'path/to/input.scss',
        outFile: 'path/to/output.css'
    }, function (error, result) { // Node-style callback from v3.0.0 onwards
        if (!error) {
            // No errors during compilation: write the result to disk
            fs.writeFile('path/to/output.css', result.css, function (err) {
                if (!err) {
                    // File written to disk
                }
            });
        }
    });
Watching files or directories
This feature allows you to watch .scss files or directories for changes and automatically recompile them to CSS when a change is detected. The example uses 'chokidar', an external library for watching files, to listen for changes on the specified SCSS file and then uses node-sass to compile the file to CSS.
    const fs = require('fs'); // needed for fs.writeFile below
    const sass = require('node-sass');
    const chokidar = require('chokidar');

    // Recompile whenever the watched SCSS file changes
    chokidar.watch('path/to/input.scss').on('change', () => {
        sass.render({
            file: 'path/to/input.scss',
            outFile: 'path/to/output.css'
        }, function (error, result) {
            if (!error) {
                fs.writeFile('path/to/output.css', result.css, function (err) {
                    if (!err) {
                        console.log('SCSS file updated.');
                    }
                });
            }
        });
    });
Command Line Interface (CLI) usage
node-sass provides a CLI for compiling SCSS files to CSS directly from the command line. In this example, the '--output-style' option is used to specify the CSS output format (compressed in this case), '-o' is used to define the output directory for the compiled CSS, and the last argument is the input directory containing the SCSS files.
    node-sass --output-style compressed -o dist/css src/scss
The 'sass' package is the primary implementation of Sass, which is written in Dart. It provides the same core functionality as node-sass but does not rely on a native C++ binding, making it more portable and easier to install across different environments. It is also the package recommended by the Sass team as node-sass has been deprecated.
PostCSS is a tool for transforming CSS with JavaScript plugins. While it is not a direct replacement for node-sass, it can be used with plugins like 'precss' to provide similar SCSS-like syntax and features. PostCSS is highly extensible and can be integrated with a large number of plugins to extend its capabilities beyond what node-sass offers.
Less is a backward-compatible language extension for CSS. It is similar to SCSS in terms of features like variables, mixins, and nesting, but it has its own syntax and compiles to CSS using the Less compiler. While it serves a similar purpose to node-sass, it is a different preprocessor language with its own community and ecosystem.
Stylus is a preprocessor that serves as an alternative to SCSS. It offers a flexible syntax with optional colons, semicolons, and braces, and provides powerful features like variable interpolation and functions. Stylus can be seen as a more expressive, but less widely adopted, alternative to node-sass.
Readme
## node-sass
Node-sass is a library that provides binding for Node.js to libsass, the C version of the popular stylesheet preprocessor, Sass.
It allows you to natively compile .scss files to css at incredible speed and automatically via a connect middleware.
Find it on npm: http://search.npmjs.org/#/node-sass
npm install
    var sass = require('node-sass');
    sass.render(scss_content, callback [, options]);
The options argument is optional. It supports two attributes, include_paths and output_style, both of which are optional.
include_paths is an Array to which you can add Sass import paths.
output_style is a String; its value should be one of 'nested', 'expanded', 'compact', 'compressed'.
[Important: the output_style argument currently has a problem in libsass that may cause the output CSS to be empty, so you should not use it for now!]
Here is an example:
    var sass = require('node-sass');
    sass.render('body{background:blue; a{color:black;}}', function(err, css){
        console.log(css)
    }/*, { include_paths: [ 'lib/', 'mod/' ], output_style: 'compressed' }*/);
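Recompile .scss files automatically for connect and express based http servers
    var connect = require('connect');
    var sass = require('node-sass');

    var server = connect.createServer(
        // Compile .scss files found in src into dest
        sass.middleware({
            src: __dirname
          , dest: __dirname + '/public'
          , debug: true
        }),
        // Serve the compiled CSS from the public directory
        connect.static(__dirname + '/public')
    );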
Heavily inspired by https://github.com/LearnBoost/stylus
Copyright (c) 2013 Andrew Nesbitt. See LICENSE for details.
FAQs
The npm package node-sass receives a total of 1,278,169 weekly downloads. As such, node-sass is classified as popular.
We found that node-sass has an unhealthy version release cadence and level of project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.