Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
a very experimental static site generator overlay on top of Sapper.
Because Sapper needs fixes to support static export at scale, and moves too slowly for the development of this project, we use a light fork of Sapper (https://github.com/sw-yx/sapper) instead of sapper itself. Hopefully this fork will not be necessary in future, but for now we need these fixes for ssg to work. We aim to keep this fork a superset of sapper as much as possible.
Active Codebases you can see this project in use:
In v0.x we reserve the right to break APIs without warning. Get involved if you need advance warning.
yarn add ssg
Svelte and @ssgjs/sapper are included as direct dependencies, however feel free to also install them if you need to.
This project needs feedback and maintainers. In fact if you'd like to take it over please be my guest. I don't have time for this. I'm only doing it cause no one else has.
This is a very nascent project, you'll run into bugs. report them please and also help add tests. If you have feature suggestions please open an issue first to see if it is something we want, before wasting time on a PR.
ssg eject
- scaffold out fallback files used by ssg
ssg dev
- same as sapper dev
, runs data pipeline specified in ssg.config.js
and watches those filesssg export
- same as sapper export
, runs data pipeline specified in ssg.config.js
and exports the sapper app as a static site.By default, ssg
works as a simple zero config layer over sapper
. In fact, for the time being, ssg
will endeavor to be a sapper
superset as far as possible. It uses the programmatic api behind the cli commands, adding some functionality in the @ssgjs/sapper
fork of sapper.
ssg eject
ssg
makes these Sapper files optional:
src/client.js
src/server.js
src/service-workers.js
src/template.html
rollup.config.js
They are located in the ejectableFiles folder.
However, you can scaffold out these files with the ssg eject
command:
$ yarn ssg eject
✔ Pick files to copy out · template.html, client.js
✔ A file exists at src/template.html. Are you sure you want to overwrite? (y/N) · false
✔ A file exists at src/client.js. Are you sure you want to overwrite? (y/N) · true
copied /Users/swyx/Work/community/node_modules/ssg/ejectableFiles/client.js to src/client.js
src/routes/data/[ssgData].json.js
file in your main Sapper project, that looks like this:// src/routes/data/[ssgData].json.js`
const { getDataSlice, getIndex } = require('ssg/readConfig')
export async function get(req, res) {
const { ssgData } = req.params
const splitSlug = ssgData.split('___ssg___')
const key = splitSlug[0]
const uid = splitSlug[1]
const mainIndex = getIndex()
let data
// console.log('getting', key, uid)
if (uid === 'index') {
data = mainIndex[key]
} else {
data = await getDataSlice(key, uid)
}
if (typeof data !== 'undefined') {
res.writeHead(200, { 'Content-Type': 'application/json' })
res.end(JSON.stringify(data))
} else {
res.writeHead(404, { 'Content-Type': 'application/json' })
res.end(JSON.stringify({ message: `Not found` }))
}
}
⚠️ STOP! the filename is extremely important! doublecheck it is
src/routes/data/[ssgData].json.js
or expect the above code to break
You can scaffold this file with ssg eject
.
ssg.config.js
that exports a createIndex
(run once) and getDataSlice
(run each time) function that provides this data:// optional. called repeatedly, can be expensive
exports.getDataSlice = async (key, uid) => {
console.log('optional getDataSlice action')
// we dont really use the key here
if (key === 'posts') {
if (uid === 'foo') {
return { title: 'foo', html: '<div> the foo post </div>' }
} else {
return { title: 'bar', html: '<div> the bar post </div>' }
}
} else {
throw new Error('invalid key ' + key )
}
}
exports.createIndex = async (mainIndex = {}) => {
// do expensive initial fetches and cache them in .ssg/data.json
mainIndex.index = [{ title: 'foo', slug: 'foo' }, { title: 'bar', slug: 'bar' }]
return mainIndex
}
// optional lifecycle hook
exports.postExport = async mainIndex => {
// eg for RSS
console.log('postExport', mainIndex)
}
In your templates, you may now query this data at any time:
<!-- src/routes/talks/[slug].svelte -->
<script context="module">
export async function preload({ params, query }) {
cosnt key = 'posts'
const res = await this.ssgData({ key, id: params.slug }) // defaults to key: 'ssgCoreData' and id: 'index'
if (res.status === 200) {
return data
} else {
this.error(res.status, data.message)
}
}
</script>
<script>
export let data
</script>
When we drop Sapper we'll likely have a more ergonomic api for this.
As of v0.45 ssg
now also reads all markdown files in the root directory by default. This is inline with 11ty's practice and is configurable by setting a coreDataDirPath
string in ssg.config.js
:
// example ssg.config.js
exports.coreDataOpts = {
coreDataDirPath: 'content/blog' // defaults to '.'
}
ssg dev
Under the hood, ssg
runs sapper dev
for you, and watches and reloads it whenever you change your config or contents folder.
It runs createIndex
once and saves that result to a cache, and then you can run getDataSlice
anytime you want to query that cache.
You can also use plugins that have prewritten createIndex
and getDataSlice
for you:
// ssg.config.js
const remark = require('@ssgjs/source-remark')
const writing = remark({ dirPath: 'content/writing' })
const speaking = remark({ dirPath: 'content/talks' })
// optional data plugins. must be object, so we can namespace
exports.plugins = {
writing,
speaking
}
You can run ssg export
to export just like sapper export
does. for convenience, I've included a netlify.toml
config so you dont have to look it up. Just ssg eject
.
ssg uses debug
to log diagnostic messages. Set a Node env variable to enable this logging:
DEBUG=ssg ssg dev
# or DEBUG=* ssg export
You have a few more degrees of control available incl filtering out messages, look at the debug
docs for more ideas.
FAQs
a very experimental static site generator overlay on top of Sapper.
We found that ssg demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.