Security News
Vite+ Joins the Push to Consolidate JavaScript Tooling
Evan You announces Vite+, a commercial, Rust-powered toolchain built on the Vite ecosystem to unify JavaScript development and fund open source.
By Sarah Gooding - Oct 15, 2025
Introducing Socket Firewall: Free, Proactive Protection for Your Software Supply Chain.Learn More →
schnack.js
Schnack is a simple Disqus-like drop-in commenting system written in JavaScript.
- Documentation
- Say hello to Schnack.js
- Follow @schnackjs on Twitter
What the schnack?
Features:
- Tiny! It takes only ~8 KB!!! to embed Schnack.
- Open source and self-hosted.
- Ad-free and Tracking-free. Schnack will not disturb your users.
- It's simpy to moderate, with a minimal and slick UI to allow/reject comments or trust/block users.
- webpush protocol to notify the site owner about new comments awaiting for moderation.
- Third party providers for authentication like Github, Twitter, Google and Facebook. Users are not required to register a new account on your system and you don't need to manage a user management system.
Quickstart
Note: If you are updating Schnack from a 0.x version check out the separate upgrade instructions.
This is the fastest way to setup schnack.
Requirements:
- Node.js (>= v8)
- npm (>= v6)
Create a new folder for schnack and change into it:
mkdir schnack
cd schnack
npm init schnack
if there is no schnack.json in this folder, the init script copied over the default config and ask you if you want to configure your server interactively.
alternatively you can just edit the config file according to configuration section:
vim schnack.json # or open with any editor of your choice
Finally, run npm init schnack again to finish installation:
npm init schnack
Run the server:
npm start
If you want to try out Schnack on localhost (without authentication), run
npm start -- --dev
Embed in your HTML page:
<div class="comments-go-here"></div>
<script
src="https://comments.example.com/embed.js"
data-schnack-slug="post-slug"
data-schnack-target=".comments-go-here"
></script>
or initialize schnack programmatically:
<div class="comments-go-here"></div>
<script src="http://comments.example.com/client.js"></script>
<script>
new Schnack({
target: '.comments-go-here',
slug: 'post-slug',
host: 'http://comments.example.com'
});
</script>
You will find further information on the schnack page.
Plugins
Authentication and notification providers can be added via plugins.
npm install @schnack/plugin-auth-github @schnack/plugin-auth-google @schnack/plugin-notify-slack
To enable the plugins you need to add them to the plugins section of your schnack.json:
{
// ...
"plugins": {
"auth-github": {
"client_id": "xxxxx",
"client_secret": "xxxxx"
},
"auth-google": {
"client_id": "xxxxx",
"client_secret": "xxxxx"
},
"notify-slack": {
"webhook_url": "xxxxx"
}
}
}
if you want to write your own plugins you need to install them and specify their package name in the schnack.json. Otherwise Schnack would try to load as from @schnack/plugin-my-plugin.
{
// ...
"plugins": {
"my-plugin": {
"pkg": "my-schnack-plugin",
// ...
}
}
}
Feel free to open a PR on schnack-plugins with your plugin if you want to add it to the "official" repository.
Who is behind Schnack?
Schnack is yet another happy collaboration between Webkid and Gregor Aisch, with amazing contributions from:
Who is using Schnack?
Schnack will never track who is using it, so we don't know! If you are a Schnack user, let us know and we'll add your website here. So far Schnack is being used on:
- https://schnack.cool (scroll all the day down)
- https://vis4.net/blog
- https://blog.datawrapper.de
- https://blog.webkid.io
Related projects
This is not a new idea, so there are a few projects that are doing almost the same thing:
- CoralProject Talk - Node + MongoDB + Redis
- Discourse - Ruby on Rails + PostgreSQL + Redis
- Commento - Go + Node
- Isso - Python + SQLite3
- Mouthful – Go + Preact
Developer notes
If you want to run your Schnack server on https on localhost, add the following section to your schnack.json:
{
"ssl": {
"certificate_path": "./certs/local.crt",
"certificate_key": "./certs/local.key"
}
}
To test changes on the embed.js and client.js templates you can open a local test server with minimal styles and by-passed authentication using
npm run dev
We're veIf you want to contribute additional plugins, check out the source code for the existing plugins first. We happily accept pull requests on schnack-plugins.
This project used Conventional Commits.
FAQs
a simple node app for disqus-like drop-in commenting on static websites
We found that schnack demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Package last updated on 16 Jan 2021
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Ruby Central Faces Backlash After Publishing Incident Timeline on RubyGems Access Dispute
Ruby Central’s incident report on the RubyGems.org access dispute sparks backlash from former maintainers and renewed debate over project governance.
By Sarah Gooding - Oct 14, 2025
Research
/Security News
Weaponizing Discord for Command and Control Across npm, PyPI, and RubyGems.org
Socket researchers uncover how threat actors weaponize Discord across the npm, PyPI, and RubyGems ecosystems to exfiltrate sensitive data.
By Olivia Brown - Oct 11, 2025