Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Rollup is a module bundler for JavaScript which compiles small pieces of code into something larger and more complex, such as a library or application. It is optimized for bundling JavaScript files to use in a browser, and it is also capable of transforming code using plugins.
Bundling Modules
Rollup can bundle multiple JavaScript modules into a single file. The above code demonstrates how to create a bundle from an entry point file 'src/main.js' and output it as an immediately-invoked function expression (IIFE) to 'bundle.js'.
import rollup from 'rollup';
async function build() {
const bundle = await rollup.rollup({
input: 'src/main.js'
});
await bundle.write({
file: 'bundle.js',
format: 'iife',
name: 'MyModule'
});
}
build();
Tree-shaking
Rollup includes a feature called 'tree-shaking' which removes unused code from the final bundle. This helps in reducing the size of the bundle and improving load times.
import { rollup } from 'rollup';
rollup({
input: 'src/index.js',
treeshake: true // Tree-shaking is enabled by default
}).then(bundle => {
// Code to write the bundle
});
Plugin System
Rollup supports a wide range of plugins that can transform the code, add functionality, or integrate with other build tools. The code sample shows how to use the JSON plugin to import JSON files as modules.
import { rollup } from 'rollup';
import json from '@rollup/plugin-json';
rollup({
input: 'src/index.js',
plugins: [json()]
}).then(bundle => {
// Code to write the bundle
});
Webpack is a powerful module bundler that can handle not only JavaScript but also assets like images, fonts, and stylesheets. It has a larger ecosystem and more configuration options compared to Rollup, making it more suitable for complex applications.
Parcel is a web application bundler that offers a zero-configuration experience. It is known for its fast build times and out-of-the-box support for various file types. Parcel is easier to set up than Rollup and Webpack but may offer less fine-grained control.
Browserify allows you to use `require('modules')` in the browser by bundling up all of your dependencies. It is one of the earlier bundlers and is focused on simplicity and ease of use, but it doesn't have built-in tree-shaking like Rollup.
Rollup is a module bundler for JavaScript which compiles small pieces of code into something larger and more complex, such as a library or application. It uses the standardized ES module format for code, instead of previous idiosyncratic solutions such as CommonJS and AMD. ES modules let you freely and seamlessly combine the most useful individual functions from your favorite libraries. Rollup can optimize ES modules for faster native loading in modern browsers, or output a legacy module format allowing ES module workflows today.
Install with npm install --global rollup
. Rollup can be used either through a command line interface with an optional configuration file or else through its JavaScript API. Run rollup --help
to see the available options and parameters. The starter project templates, rollup-starter-lib and rollup-starter-app, demonstrate common configuration options, and more detailed instructions are available throughout the user guide.
These commands assume the entry point to your application is named main.js, and that you'd like all imports compiled into a single file named bundle.js.
For browsers:
# compile to a <script> containing a self-executing function
rollup main.js --format iife --name "myBundle" --file bundle.js
For Node.js:
# compile to a CommonJS module
rollup main.js --format cjs --file bundle.js
For both browsers and Node.js:
# UMD format requires a bundle name
rollup main.js --format umd --name "myBundle" --file bundle.js
Developing software is usually easier if you break your project into smaller separate pieces, since that often removes unexpected interactions and dramatically reduces the complexity of the problems you'll need to solve, and simply writing smaller projects in the first place isn't necessarily the answer. Unfortunately, JavaScript has not historically included this capability as a core feature in the language.
This finally changed with ES modules support in JavaScript, which provides a syntax for importing and exporting functions and data so they can be shared between separate scripts. Most browsers and Node.js support ES modules. However, Node.js releases before 12.17 support ES modules only behind the --experimental-modules
flag, and older browsers like Internet Explorer do not support ES modules at all. Rollup allows you to write your code using ES modules, and run your application even in environments that do not support ES modules natively. For environments that support them, Rollup can output optimized ES modules; for environments that don't, Rollup can compile your code to other formats such as CommonJS modules, AMD modules, and IIFE-style scripts. This means that you get to write future-proof code, and you also get the tremendous benefits of...
In addition to enabling the use of ES modules, Rollup also statically analyzes and optimizes the code you are importing, and will exclude anything that isn't actually used. This allows you to build on top of existing tools and modules without adding extra dependencies or bloating the size of your project.
For example, with CommonJS, the entire tool or library must be imported.
// import the entire utils object with CommonJS
var utils = require('node:utils');
var query = 'Rollup';
// use the ajax method of the utils object
utils.ajax('https://api.example.com?search=' + query).then(handleResponse);
But with ES modules, instead of importing the whole utils
object, we can just import the one ajax
function we need:
// import the ajax function with an ES import statement
import { ajax } from 'node:utils';
var query = 'Rollup';
// call the ajax function
ajax('https://api.example.com?search=' + query).then(handleResponse);
Because Rollup includes the bare minimum, it results in lighter, faster, and less complicated libraries and applications. Since this approach is based on explicit import
and export
statements, it is vastly more effective than simply running an automated minifier to detect unused variables in the compiled output code.
Rollup can import existing CommonJS modules through a plugin.
To make sure your ES modules are immediately usable by tools that work with CommonJS such as Node.js and webpack, you can use Rollup to compile to UMD or CommonJS format, and then point to that compiled version with the main
property in your package.json
file. If your package.json
file also has a module
field, ES-module-aware tools like Rollup and webpack will import the ES module version directly.
This project exists thanks to all the people who contribute. [Contribute]. . If you want to contribute yourself, head over to the contribution guidelines.
Thank you to all our backers! 🙏 [Become a backer]
Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]
TNG has been supporting the work of Lukas Taegert-Atkinson on Rollup since 2017.
FAQs
Next-generation ES module bundler
The npm package rollup receives a total of 23,740,822 weekly downloads. As such, rollup popularity was classified as popular.
We found that rollup demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.