Research
2025 Report: Destructive Malware in Open Source Packages
Destructive malware is rising across open source registries, using delays and kill switches to wipe code, break builds, and disrupt CI/CD.
By Kush Pandya - Dec 24, 2025
smartbundle
Advanced tools
SmartBundle
SmartBundle is a zero-config bundler tailored for library authors and package maintainers looking for simplicity and broad compatibility without the need for complex setup.
Features
SmartBundle aims to make the build process seamless and distraction-free. Key features include:
- Configuration-free setup via
package.json - Compatibility with popular bundlers and runtimes
- Support for ESM and CJS compatibility
- TypeScript typings generation
- Harmless bin scripts
- Source maps generation for easier debugging
We've also optimized several aspects to ensure the resulting package is as smooth to use as possible.
How to use
- Create a
package.jsonfile like the following:
{
"name": "my-package",
"version": "1.0.0",
"private": true, // prevents accidental publishing
"type": "module",
"exports": "./src/index.ts" // entrypoint for building the package
}
- Run
npx smartbundle@latest
The built files will appear in the ./dist folder, including an auto-generated package.json file.
- Navigate to the
./distfolder and publish your package to the npm registry.
Supported targets
| Target | Supported | Covered by e2e tests |
|---|---|---|
| Bun ^1.0.0 | ✔ | ✔ |
| Node ^18.0.0 | ✔ | ✔ |
| Node ^20.0.0 | ✔ | ✔ |
| Node ^22.0.0 | ✔ | ✔ |
| Node ^23.0.0 | ✔ | ✔ |
| Webpack ^4.47.0 | ✔ | ✔ |
| Webpack ^5.95.0 | ✔ | ✔ |
| Rspack ^1.0.0 | ✔ | ✔ |
| Vite ^5.0.0 | ✔ | not yet |
| Rollup ^4.0.0 | ✔ | not yet |
| Deno ^2.0.0 | ✔ | not yet |
| Parcel ^2.0.0 | ✔ | not yet |
| Browserify ^17.0.0 | ✔ | not yet |
| Esbuild ^0.24.0 | ✔ | not yet |
| Metro ^0.81.0 | ✔ | ✔ |
| Next.js/Turbopack ^13.0.0 | ✔ | not yet |
| TS/ModuleResolution: bundler | ✔ | ✔ |
| TS/ModuleResolution: node10 | ✔ | ✔ |
| TS/ModuleResolution: node16es | ✔ | ✔ |
| TS/ModuleResolution: node16cjs | ✔ | ✔ |
We aim to support as many bundlers and runtimes as possible. If the bundled package doesn't work with your bundler, please let us know.
Third party tools support
Typescript
Just install typescript@^5.0.0 as a dev dependency and start creating ts files.
Babel
Just install @babel/core@^7.0.0 as a dev dependency and create a Babel configuration file in the project root.
React
Just install react. More information on React integration can be found here.
package.json limitations
To reduce potential errors and ensure smooth package generation, we follow a stricter configuration for package.json.
Banned fields
files
SmartBundle calculates the import graph and includes all necessary files, making files unnecessary and potentially confusing.
main, module, browser, types
We rely on the exports field for entry points. These fields are redundant and automatically generated in ./dist/package.json.
Required fields
private
Setting "private": true avoids accidental publishing of the source package by ensuring it is not mistakenly published to npm.
Stricter fields
type
We currently support only the module type for packages, with plans to support commonjs in future releases.
exports
Only ESM/TS entry points are currently supported in exports. While conditional exports are not yet available, they’re planned for an upcoming release.
bin
Currently, we support all bin specifications except for sh files. Also, we guarantee that the bin files will execute as expected.
FAQ
SmartBundle have an issue
Please, look at the known fixable issues before creating your own one. Some bugs already have a solution but cannot be fixed without user action.
Why don't you minify the output?
Minification is typically needed only for production. During development, readable, unminified output helps with debugging.
Why do you require third-party tools for building?
We prioritize keeping the node_modules size manageable and avoid unnecessary dependencies. If your package does not require TypeScript, for instance, you don’t need to install those specific tools.
FAQs
zero-config bundler for npm packages
The npm package smartbundle receives a total of 3 weekly downloads. As such, smartbundle popularity was classified as not popular.
We found that smartbundle demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 18 Jan 2025
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Engineering with AI Podcast: The Promise of AI-First Development
Socket CTO Ahmad Nassri shares practical AI coding techniques, tools, and team workflows, plus what still feels noisy and why shipping remains human-led.
By Sarah Gooding - Dec 24, 2025
Research
/Security News
Spearphishing Campaign Abuses npm Registry to Target U.S. and Allied Manufacturing and Healthcare Organizations
A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, targeting 25 organizations across manufacturing, industrial automation, plastics, and healthcare for credential theft.
By Nicholas Anderson, Kirill Boychenko - Dec 23, 2025