
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
revealer.js
Advanced tools
demonstration | GitHub | npm | donate | @craigbuckler | craigbuckler.com
revealer.js reveals an element with a CSS animation when it is scrolled into view.
Please use the code as you wish. Tweet me @craigbuckler if you find it useful and donate toward development if you use it commercially.
Include the minified CSS and JavaScript anywhere in your page. Typically, the CSS is loaded in the HTML <head> and the JS is loaded just before the closing </body> tag:
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/revealer.js/dist/revealer.css">
<script src="https://cdn.jsdelivr.net/npm/revealer.js/dist/revealer.js"></script>
CDN URLs are shown above but you can also npm i revealer.js to install via npm and use a bundler.
Then add a data-revealer="class" attribute to any element you wish to animate into view, e.g.
<h1 data-revealer="up">Main title</h1>
Five class animations are provided: up, down, left, right, and zoomup, but more can be added.
A CSS prefers-reduced-motion media query disables animations according to user preference.
By default, a delay of at least 300 milliseconds occurs between each element animation. So, if three elements are scrolled into view at the same time, the first animates immediately, the second after 300ms, and the third after 600ms.
An optional data-delay="M" attribute on the same element sets a custom delay to M milliseconds. For example, data-delay="0" on three elements scrolled into the viewport at the same time would animate all immediately.
An element is initially hidden by applying the .revealer class which sets opacity: 0.
When the element is scrolled into view, the class defined by the data-revealer attribute is applied, e.g. data-revealer="up" applies the up class which triggers an animation defined by the .revealer.up selector in the CSS.
Animations should generally set animation-fill-mode: forwards to ensure the animation ends at the state defined by the last (100%) keyframe. That last keyframe should also set the final opacity.
Example from revealer.css:
.revealer.up { animation: revealup 0.6s ease forwards; }
@keyframes revealup {
0% { opacity: 0.2; transform: translateY(100px); }
100% { opacity: 1; transform: translateY(0); }
}
The element is unobserved once it has been revealed so it remains in-place.
revealer.js defines the following configuration variables in a cfg object which can be changed:
cfg.name - attribute data name (default revealer)cfg.delay - attribute data delay (default delay)cfg.threshold - proportion of element visible before triggering animation (default 0.6 - element must be at least 60% in viewport)cfg.minDelay - minimum delay between each animation unless set with data-delay (default 300 milliseconds)The Intersection observer options can also be changed if necessary:
root - root element (default null for viewport)margin - margin around root element (default 0px)Avoid using revealer.js on large elements where it is not possible to show 60% of the item on-screen so the revealing animation is never triggered.
prefers-reduced-motion media queryFAQs
reveals an element with a CSS animation when it is scrolled into view
We found that revealer.js demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.