Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Realm is a mobile database that runs directly inside phones, tablets or wearables. This project hosts the JavaScript versions of Realm. Currently we support React Native (JSC & Hermes on iOS & Android), Node.js and Electron (on Windows, MacOS and Linux).
Please see the detailed instructions in our docs to use Realm JavaScript for Node.js and Realm JavaScript for React Native. Please note that currently only Node.js version 13 or later is supported. For React Native users, we have a compatibility matrix showing which versions are supported.
It is exciting to have users, and we want to support you as well as possible. Our community support (GitHub issues in this and our related repositories) is divided into three tiers, and below you can see which packages, versions and platforms we consider for the different tiers.
If you want to contribute to any of our packages, you are welcome to do so. We will take the time to review your pull request for any package.
In tier 1 we will respond to issues in a timely manner during workdays in the CET timezone, and we will work on bug fixing and adding new features.
(latest) on node.js (LTS) and Electron on Windows, MacOS, and Linux
(latest) with latest React Native version on Android and iOS
(latest) in conjunction with latest Realm JavaScript release
Some packages are considered to be mature and stable, and we will support them as well as we can when time permits.
(latest)
The third tier covers our experimental packages. We work on them occasionally, and they are likely to change radically when we do.
The documentation for the Realm React Native SDK can be found at mongodb.com/docs/realm/sdk/react-native/. The documentation for Realm Node.js SDK can be found at mongodb.com/docs/realm/sdk/node.
The API reference is located at docs.mongodb.com/realm-sdks/js/latest/.
If you are using React Native, please also take a look at the README for @realm/react, which provides React hooks to make working with Realm easier.
TypeScript is a popular alternative to pure JavaScript as it provides static typing. Our TypeScript support consists of two parts
class Task extends Realm.Object<Task, "description"> {
  _id = new Realm.BSON.ObjectId();
  description!: string;
  @index
  isComplete = false;

  static primaryKey = "_id";

  constructor(realm, description: string) {
    super(realm, { description });
  }
}
Realm is a general SDK which provides persistence of objects and the capability to perform advanced queries on those objects. You can have a tighter integration with React Native by using @realm/react.
Moreover, we have a Flipper plugin to help you inspect, query and modify your Realm files while debugging your app on a simulator or a physical device. The plugin is still in an early stage so expect rough edges.
We have TypeScript and JavaScript templates to help you get started using Realm. Follow the links to your desired template and follow the instructions there to get up and running fast.
See CONTRIBUTING.md for more details!
Debug with Chrome
in the Debug Menu.
For instructions on building Realm JS yourself from source, see the building.md file.
Some users have reported the Chrome debugging being too slow to use after integrating Realm into their react-native project. This is due to the blocking nature of the RPC calls made through the Realm library. See https://github.com/realm/realm-js/issues/491 for more information. The best workaround is to use Safari instead, as a user has described here.
Moreover, we have a switch to Flipper in the works as part of our effort to support Hermes. It implies that we envision a near future where the Chrome debugging will be removed, and we currently don't invest much in its maintenance.
Asynchronously submits install information to Realm.
Why are we doing this? In short, because it helps us build a better product for you. None of the data personally identifies you, your employer or your app, but it will help us understand what language you use, what Node.js versions you target, etc. Having this info will help us prioritize our time, add new features and deprecate old features. Collecting an anonymized application path & anonymized machine identifier is the only way for us to count actual usage of the other metrics accurately. If we don’t have a way to deduplicate the info reported, it will be useless, as a single developer npm install-ing the same app 10 times would report 10 times more than another developer that only installs once, making the data all but useless.
No one likes sharing data unless it’s necessary, we get it, and we’ve debated adding this for a long long time. If you truly, absolutely feel compelled to not send this data back to Realm, then you can set an env variable named REALM_DISABLE_ANALYTICS.
Currently the following information is reported:
You can see all submitted data by setting environment variable REALM_PRINT_ANALYTICS.
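The deduplication argument above, worked through as an added example (this is not Realm's analytics code): the report fields, the use of SHA-256 as the anonymizing function, the treatment of any value of REALM_DISABLE_ANALYTICS as an opt-out, and the sample installs are all assumptions made for illustration.

```javascript
// Added illustration, not Realm's analytics code. Field names, SHA-256 and the
// sample installs are assumptions constructed for this example.
const crypto = require("node:crypto");

// One-way hash: the raw machine identifier and path are never put in a report.
function anonymize(value) {
  return crypto.createHash("sha256").update(value).digest("hex");
}

// Build the report for one install, or null when the opt-out variable is set.
// Assumption: any value of REALM_DISABLE_ANALYTICS counts as "set".
function buildReport(env, machineId, appPath, nodeVersion) {
  if (env.REALM_DISABLE_ANALYTICS !== undefined) return null;
  return { machine: anonymize(machineId), app: anonymize(appPath), nodeVersion };
}

// Tally Node.js versions twice: per report, and per distinct (machine, app).
function tally(reports) {
  const raw = {};
  const unique = {};
  const seen = new Set();
  for (const r of reports.filter(Boolean)) {
    raw[r.nodeVersion] = (raw[r.nodeVersion] || 0) + 1;
    const key = `${r.machine}:${r.app}`;
    if (!seen.has(key)) {
      seen.add(key);
      unique[r.nodeVersion] = (unique[r.nodeVersion] || 0) + 1;
    }
  }
  return { raw, unique };
}

// Constructed sample: one developer installs the same app 10 times on Node 18,
// a second installs once on Node 20, a third has opted out.
function sampleTally() {
  const reports = [];
  for (let i = 0; i < 10; i++) {
    reports.push(buildReport({}, "host-a", "/home/a/app", "18"));
  }
  reports.push(buildReport({}, "host-b", "/home/b/app", "20"));
  reports.push(buildReport({ REALM_DISABLE_ANALYTICS: "1" }, "host-c", "/home/c/app", "20"));
  return tally(reports);
}

console.log(sampleTally());
```

Without the anonymized identifiers the raw tally is all a collector could compute, and the repeated installs would dominate it.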
This project adheres to the MongoDB Code of Conduct. By participating, you are expected to uphold this code. Please report unacceptable behavior to community-conduct@mongodb.com.
Realm JS and Realm Core are published under the Apache License 2.0.
If you use Realm and are happy with it, all we ask is that you please consider sending out a tweet mentioning @realm to share your thoughts
And if you don't like it, please let us know what you would like improved, so we can fix it!
FAQs
Realm by MongoDB is an offline-first mobile database: an alternative to SQLite and key-value stores
The npm package realm receives a total of 27,408 weekly downloads. As such, realm popularity was classified as popular.
We found that realm demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.