react-ssr-prepass
A custom partial React SSR renderer for prefetching and suspense
react-dom/server does not have support for suspense yet. react-ssr-prepass offers suspense on the server-side today, until it does. ✨
react-ssr-prepass is a partial server-side React renderer that does a prepass on a React element tree and suspends when it finds thrown promises. It also accepts a visitor function that can be used to suspend on anything.
You can use it to fetch data before your SSR code calls renderToString or renderToNodeStream.
⚠️ Note: Suspense is unstable and experimental. This library purely exists since react-dom/server does not support data fetching or suspense yet. This two-pass approach should just be used until server-side suspense support lands in React.
It's quite common to have some data that needs to be fetched before server-side rendering and often it's inconvenient to specifically call out to random fetch calls to get some data. Instead Suspense offers a practical way to automatically fetch some required data, but is currently only supported in client-side React.
react-ssr-prepass offers a solution by being a "prepass" function that walks a React element tree and executes suspense. It finds all thrown promises (a custom visitor can also be provided) and waits for those promises to resolve before continuing to walk that particular suspended subtree. Hence, it attempts to offer a practical way to use suspense and complex data fetching logic today.
A two-pass React render is already quite common in other libraries that do implement data fetching. This has however become quite impractical. While it was previously trivial to implement a primitive React renderer, these days a lot more moving parts are involved to make such a renderer correct and stable. This is why some implementations now simply rely on calling renderToStaticMarkup repeatedly.
react-ssr-prepass on the other hand is a custom implementation of a React renderer. It attempts to stay true and correct to the React implementation by:
ReactPartialRenderer
react-is
First install react-ssr-prepass alongside react and react-dom:
yarn add react-ssr-prepass
# or
npm install --save react-ssr-prepass
In your SSR code you may now add it in front of your usual renderToString or renderToNodeStream code:
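import { createElement } from 'react'
import { renderToString } from 'react-dom/server'
import ssrPrepass from 'react-ssr-prepass'

const renderApp = async (App) => {
  const element = createElement(App)
  // Walk the tree first and wait for every thrown promise to resolve
  await ssrPrepass(element)
  // The data is now available, so the real render can run synchronously
  return renderToString(element)
}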
Additionally you can also pass a "visitor function" as your second argument. This function is called for every React class or function element that is encountered.
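ssrPrepass(<App />, (element, instance) => {
  if (element.type === SomeData) {
    // Suspend on a specific component type
    return fetchData()
  } else if (instance && instance.fetchData) {
    // Suspend on any class component that exposes a fetchData method
    return instance.fetchData()
  }
})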
The first argument of the visitor is the React element. The second is the instance of a class component or undefined. When you return a promise from this function react-ssr-prepass will suspend before rendering this element.
You should be aware that react-ssr-prepass does not handle any data rehydration. In most cases it's fine to collect data from your cache or store after running ssrPrepass, turn it into JSON, and send it down in your HTML result.
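Because the JSON is inlined into an HTML document, a cached value containing text such as </script> would end the script element early unless it is escaped first. The following is an added example, not code from react-ssr-prepass; serializeState, renderDocument, the __STATE__ id and the sample state are hypothetical names and constructed data.

```javascript
// Added example: embed prefetched state in the SSR HTML result.
// Characters that let a JSON string terminate or alter an inline <script>.
const UNSAFE = /[<>&\u2028\u2029]/g
const ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
}

// JSON.stringify alone leaves "</script>" and "<!--" intact. Replacing these
// characters with \uXXXX escapes keeps the text valid JSON with the same value.
function serializeState(state) {
  const json = JSON.stringify(state)
  if (json === undefined) throw new TypeError('state is not JSON-serializable')
  return json.replace(UNSAFE, (ch) => ESCAPES[ch])
}

// Hypothetical document template; appHtml stands for the renderToString() output.
function renderDocument(appHtml, state) {
  return (
    '<!doctype html><html><body>' +
    `<div id="root">${appHtml}</div>` +
    `<script id="__STATE__" type="application/json">${serializeState(state)}</script>` +
    '</body></html>'
  )
}

// Constructed sample: a cache entry holding user-influenced text.
const sampleState = {
  user: { bio: '</script><script>alert(1)</script>' },
  note: 'line\u2028separator & <!-- comment',
}
const sampleHtml = renderDocument('<p>hello</p>', sampleState)
```

On the client, the state is read back with JSON.parse on the text content of the __STATE__ element, which yields the original values unchanged.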
This library is (luckily) not a reimplementation from scratch of React's server-side rendering. Instead it's mostly based on React's own server-side rendering logic that resides in its ReactPartialRenderer.
The approach of doing an initial "data fetching pass" is inspired by:
Experimental: This project is quite new. We're not sure what our ongoing maintenance plan for this project will be. Bug reports, feature requests and pull requests are welcome. If you like this project, let us know!
We found that react-ssr-prepass demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.