phantomjs-prebuilt
The phantomjs-prebuilt npm package provides a precompiled version of PhantomJS, a headless web browser scriptable with JavaScript. It is used for automating web page interaction, capturing screenshots, and running tests without a graphical user interface.
Web Page Automation
This feature allows you to automate interactions with web pages, such as opening a URL and performing actions on the page.
const phantom = require('phantom');
(async function() {
  const instance = await phantom.create();
  const page = await instance.createPage();
  const status = await page.open('https://example.com');
  console.log(status);
  await instance.exit();
})();
Screenshot Capture
This feature enables you to capture screenshots of web pages, which can be useful for visual testing or archiving.
const phantom = require('phantom');
(async function() {
  const instance = await phantom.create();
  const page = await instance.createPage();
  await page.open('https://example.com');
  await page.render('screenshot.png');
  await instance.exit();
})();
PDF Generation
This feature allows you to generate PDF files from web pages, which can be useful for creating printable versions of web content.
const phantom = require('phantom');
(async function() {
  const instance = await phantom.create();
  const page = await instance.createPage();
  await page.open('https://example.com');
  await page.render('page.pdf');
  await instance.exit();
})();
Web Scraping
This feature allows you to scrape content from web pages, which can be useful for data extraction and analysis.
const phantom = require('phantom');
(async function() {
  const instance = await phantom.create();
  const page = await instance.createPage();
  await page.open('https://example.com');
  const content = await page.property('content');
  console.log(content);
  await instance.exit();
})();
Puppeteer is a Node library which provides a high-level API to control Chrome or Chromium over the DevTools Protocol. It is more modern and actively maintained compared to PhantomJS, offering better support for modern web standards and features.
Selenium WebDriver is a popular tool for automating web applications for testing purposes. It supports multiple browsers and is widely used in the industry. Unlike PhantomJS, Selenium WebDriver can control real browsers, providing more accurate test results.
Nightmare is a high-level browser automation library built on Electron. It is designed for ease of use and is suitable for tasks like web scraping and UI testing. It offers a simpler API compared to PhantomJS and is more suitable for modern web applications.
An NPM installer for PhantomJS, headless webkit with JS API.
npm install phantomjs-prebuilt
Or grab the source and
node ./install.js
What this installer is really doing is just grabbing a particular "blessed" (by this module) version of Phantom. As new versions of Phantom are released and vetted, this module will be updated accordingly.
bin/phantomjs [phantom arguments]
And npm will install a link to the binary in node_modules/.bin as it is wont to do.
The package exports a path string that contains the path to the phantomjs binary/executable.
Below is an example of using this package via node.
var path = require('path')
var childProcess = require('child_process')
var phantomjs = require('phantomjs-prebuilt')
var binPath = phantomjs.path
var childArgs = [
  path.join(__dirname, 'phantomjs-script.js'),
  'some other argument (passed to phantomjs script)'
]
childProcess.execFile(binPath, childArgs, function(err, stdout, stderr) {
  // handle results
})
Or exec() method is also provided for convenience:
var phantomjs = require('phantomjs-prebuilt')
var program = phantomjs.exec('phantomjs-script.js', 'arg1', 'arg2')
program.stdout.pipe(process.stdout)
program.stderr.pipe(process.stderr)
program.on('exit', code => {
  // do something on end
})
Note: childProcess.spawn() is called inside exec().
run() method detects when PhantomJS gets ready. It's handy to use with WebDriver (Selenium).
var phantomjs = require('phantomjs-prebuilt')
var webdriverio = require('webdriverio')
var wdOpts = { desiredCapabilities: { browserName: 'phantomjs' } }
phantomjs.run('--webdriver=4444').then(program => {
  webdriverio.remote(wdOpts).init()
    .url('https://developer.mozilla.org/en-US/')
    .getTitle().then(title => {
      console.log(title) // 'Mozilla Developer Network'
      program.kill() // quits PhantomJS
    })
})
The major and minor number tracks the version of PhantomJS that will be installed. The patch number is incremented when there is either an installer update or a patch build of the phantom binary.
Pre-2.0, this package was published to NPM as phantomjs. We changed the name to phantomjs-prebuilt at the request of PhantomJS team.
Please do not download PhantomJS for every CI job because it can quickly overload our CDNs. Instead take advantage of CI caching.
In Travis-CI add the following to your .travis.yml to enable caching & avoid repeated downloads of PhantomJS.
cache:
  directories:
    - travis_phantomjs
before_install:
  # Upgrade PhantomJS to v2.1.1.
  - "export PHANTOMJS_VERSION=2.1.1"
  - "export PATH=$PWD/travis_phantomjs/phantomjs-$PHANTOMJS_VERSION-linux-x86_64/bin:$PATH"
  - "if [ $(phantomjs --version) != $PHANTOMJS_VERSION ]; then rm -rf $PWD/travis_phantomjs; mkdir -p $PWD/travis_phantomjs; fi"
  - "if [ $(phantomjs --version) != $PHANTOMJS_VERSION ]; then wget https://github.com/Medium/phantomjs/releases/download/v$PHANTOMJS_VERSION/phantomjs-$PHANTOMJS_VERSION-linux-x86_64.tar.bz2 -O $PWD/travis_phantomjs/phantomjs-$PHANTOMJS_VERSION-linux-x86_64.tar.bz2; fi"
  - "if [ $(phantomjs --version) != $PHANTOMJS_VERSION ]; then tar -xvf $PWD/travis_phantomjs/phantomjs-$PHANTOMJS_VERSION-linux-x86_64.tar.bz2 -C $PWD/travis_phantomjs; fi"
  - "phantomjs --version"
By default, this package will download phantomjs from our releases. This should work fine for most people.
If github is down, or the Great Firewall is blocking github, you may need to use a different download mirror. To set a mirror, set npm config property phantomjs_cdnurl.
Alternatives include https://bitbucket.org/ariya/phantomjs/downloads (the official download site) and http://cnpmjs.org/downloads.
npm install phantomjs-prebuilt --phantomjs_cdnurl=https://bitbucket.org/ariya/phantomjs/downloads
Or add property into your .npmrc file (https://www.npmjs.org/doc/files/npmrc.html)
phantomjs_cdnurl=https://bitbucket.org/ariya/phantomjs/downloads
Another option is to use the environment variable PHANTOMJS_CDNURL.
PHANTOMJS_CDNURL=https://bitbucket.org/ariya/phantomjs/downloads npm install phantomjs
If you plan to install phantomjs many times on a single machine, you can install the phantomjs binary on PATH. The installer will automatically detect and use that for non-global installs.
PhantomJS needs to be compiled separately for each platform. This installer finds a prebuilt binary for your operating system, and downloads it.
If you check your dependencies into git, and work on a cross-platform team, then you need to tell NPM to rebuild any platform-specific dependencies. Run npm rebuild as part of your build process. This problem is not specific to PhantomJS, and this solution will work for any NodeJS package with native or platform-specific code.
If you know in advance that you want to install PhantomJS for a specific architecture, you can set the environment variables: PHANTOMJS_PLATFORM (to set target platform) and PHANTOMJS_ARCH (to set target arch), where platform and arch are valid values for process.platform and process.arch.
PhantomJS is not a library for NodeJS. It's a separate environment and code written for node is unlikely to be compatible. In particular PhantomJS does not expose a Common JS package loader.
This is an NPM wrapper and can be used to conveniently make Phantom available. It is not a Node JS wrapper.
I have had reasonable experiences writing standalone Phantom scripts which I then drive from within a node program by spawning phantom in a child process.
Read the PhantomJS FAQ for more details: http://phantomjs.org/faq.html
An extra note on Linux usage, from the PhantomJS download page:
There is no requirement to install Qt, WebKit, or any other libraries. It however still relies on Fontconfig (the package fontconfig or libfontconfig, depending on the distribution).
spawn ENOENT
This is NPM's way of telling you that it was not able to start a process. It usually means:
- node is not on your PATH, or otherwise not correctly installed.
- tar is not on your PATH. This package expects tar on your PATH on Linux-based platforms.
- bzip2 is not on your PATH.
Check your specific error message for more information.
Error: EPERM or operation not permitted or permission denied
This error means that NPM was not able to install phantomjs to the file system. There are three major reasons why this could happen:
npm cache clean to fix them.
Error: read ECONNRESET or Error: connect ETIMEDOUT
This error means that something went wrong with your internet connection, and the installer was not able to download the PhantomJS binary for your platform. Please try again.
ECONNRESET or ETIMEDOUT consistently.
Do you live in China, or a country with an authoritarian government? We've seen problems where the GFW or local ISP blocks github, preventing the installer from downloading the binary.
Try visiting the download page manually.
If that page is blocked, you can try using a different CDN with the PHANTOMJS_CDNURL env variable described above.
You can tell NPM and the PhantomJS installer to skip validation of ssl keys with NPM's strict-ssl setting:
npm set strict-ssl false
WARNING: Turning off strict-ssl leaves you vulnerable to attackers reading your encrypted traffic, so run this at your own risk!
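An added example, not part of the phantomjs-prebuilt project: a Node.js check that flags the settings discussed above in a project's .npmrc and environment, namely strict-ssl=false and a phantomjs_cdnurl / PHANTOMJS_CDNURL mirror that is cleartext HTTP or off an allowlist. The function names and the allowlist of github.com and bitbucket.org are assumptions of this example.

```javascript
// Hosts this README names as HTTPS download sources. Using them as the
// allowlist is an assumption of this example; adjust to your own policy.
const TRUSTED_HOSTS = new Set(['github.com', 'bitbucket.org']);

// Parse .npmrc text into a key -> value map, skipping blanks and #/; comments.
function parseNpmrc(text) {
  const cfg = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq > 0) cfg.set(line.slice(0, eq).trim(), line.slice(eq + 1).trim());
  }
  return cfg;
}

// Check one mirror URL and return a list of finding strings.
function checkMirror(source, value) {
  let url;
  try { url = new URL(value); } catch (e) { return [`${source}: unparseable mirror URL`]; }
  const findings = [];
  if (url.protocol !== 'https:') {
    findings.push(`${source}: download over ${url.protocol}// has no transport integrity`);
  }
  if (!TRUSTED_HOSTS.has(url.hostname)) {
    findings.push(`${source}: host ${url.hostname} is not on the allowlist`);
  }
  return findings;
}

// Audit .npmrc text plus an environment object for the risky settings.
function auditPhantomInstallConfig(npmrcText, env = {}) {
  const cfg = parseNpmrc(npmrcText);
  const findings = [];
  if ((cfg.get('strict-ssl') || '').toLowerCase() === 'false') {
    findings.push('.npmrc: strict-ssl=false disables TLS certificate validation');
  }
  if (cfg.has('phantomjs_cdnurl')) {
    findings.push(...checkMirror('.npmrc phantomjs_cdnurl', cfg.get('phantomjs_cdnurl')));
  }
  if (env.PHANTOMJS_CDNURL) {
    findings.push(...checkMirror('env PHANTOMJS_CDNURL', env.PHANTOMJS_CDNURL));
  }
  return findings;
}

// Constructed sample input, not taken from a real machine.
const SAMPLE_NPMRC = '; proxy workaround\nstrict-ssl=false\nphantomjs_cdnurl=http://cnpmjs.org/downloads';
console.log(auditPhantomInstallConfig(SAMPLE_NPMRC, process.env).join('\n'));
```

Run it in CI against the repository's .npmrc and fail the job when the returned list is non-empty.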
If you install PhantomJS manually, and put it on PATH, the installer will try to use the manually-installed binaries.
node
Some Linux distros tried to rename node to nodejs due to a package conflict. This is a non-portable change, and we do not try to support this. The official documentation recommends that you run apt-get install nodejs-legacy to symlink node to nodejs on those platforms, or many NodeJS programs won't work properly.
We only have binaries available for common OS / processor configurations. Sorry.
You may be able to get a PhantomJS binary from your operating system's package manager. Or you can build your own from source. If you put that binary on PATH, this installer will use it (see "Deciding Where to Get PhantomJS" above).
Questions, comments, bug reports, and pull requests are all welcome. Submit them at the project on GitHub. If you haven't contributed to a Medium project before, please head over to the Open Source Project and fill out an OCLA (it should be pretty painless).
Bug reports that include steps-to-reproduce (including code) are the best. Even better, make them in the form of pull requests.
Dan Pupius (personal website) and Nick Santos, supported by A Medium Corporation.
Copyright 2012 A Medium Corporation.
Licensed under the Apache License, Version 2.0.
See the top-level file LICENSE.txt and (http://www.apache.org/licenses/LICENSE-2.0).
FAQs
Headless WebKit with JS API
The npm package phantomjs-prebuilt receives a total of 213,542 weekly downloads. As such, phantomjs-prebuilt popularity was classified as popular.
We found that phantomjs-prebuilt demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.