The 'threads' npm package provides a simple and efficient way to create and manage threads (or worker threads) in Node.js. It allows you to run JavaScript code in parallel, taking advantage of multi-core processors to improve performance for CPU-intensive tasks.
Creating a Worker
This feature allows you to create a new worker thread by spawning a worker from a separate file ('./worker'). The worker can then execute functions in parallel to the main thread.
const { spawn, Thread, Worker } = require('threads');

(async () => {
  const worker = await spawn(new Worker('./worker'));
  console.log(await worker.someFunction());
  await Thread.terminate(worker);
})();
Communicating with Workers
This feature demonstrates how to send data to a worker and receive results back. The worker can process the data and return the result to the main thread.
const { spawn, Thread, Worker } = require('threads');

(async () => {
  const worker = await spawn(new Worker('./worker'));
  const result = await worker.someFunction('data');
  console.log(result);
  await Thread.terminate(worker);
})();
Error Handling in Workers
This feature shows how to handle errors that occur within worker threads. By using try-catch blocks, you can catch and handle errors gracefully.
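const { spawn, Thread, Worker } = require('threads');

(async () => {
  // Declared outside the try block so the finally block can reach it
  let worker;
  try {
    worker = await spawn(new Worker('./worker'));
    await worker.someFunctionThatMightFail();
  } catch (error) {
    console.error('Worker error:', error);
  } finally {
    // spawn() itself may have failed, leaving worker undefined
    if (worker) await Thread.terminate(worker);
  }
})();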
'jest-worker' is a package developed by Facebook for parallelizing tasks in Node.js. It is commonly used in the Jest testing framework to run tests in parallel. While it provides similar functionality to 'threads', it is more specialized for use cases involving task parallelization in testing environments.
'piscina' is a fast, efficient worker thread pool implementation for Node.js. It allows you to manage a pool of worker threads to handle multiple tasks concurrently. 'piscina' is designed for high performance and scalability, making it a good alternative to 'threads' for more complex parallel processing needs.
Offload CPU-intensive tasks to worker threads in node.js, web browsers and electron using one uniform API.
Uses web workers in the browser, worker_threads in node 12+ and tiny-worker in node 8 to 11.
You can find the old version 0.12 of threads.js on the v0 branch. All the content on this page refers to version 1.0 which is a rewrite of the library with a whole new API.
npm install threads tiny-worker
You only need to install the tiny-worker package to support node.js < 12. It's an optional dependency and used as a fallback if worker_threads are not available.
Running code using threads.js in node works out of the box.
Note that we wrap the native Worker, so new Worker("./foo/bar") will resolve the path relative to the module that calls it, not relative to the current working directory.
That aligns it with the behavior when bundling the code with webpack or parcel.
Use with the threads-plugin. It will transparently detect all new Worker("./unbundled-path") expressions, bundle the worker code and replace the new Worker(...) path with the worker bundle path, so you don't need to explicitly use the worker-loader or define extra entry points.
npm install -D threads-plugin
Then add it to your webpack.config.js:
+ const ThreadsPlugin = require('threads-plugin');
module.exports = {
// ...
plugins: [
+ new ThreadsPlugin()
]
// ...
}
If you are using webpack to create a bundle that will be run in node (webpack config target: "node"), you also need to specify that the tiny-worker package used for node < 12 should not be bundled:
module.exports = {
// ...
+ externals: {
+ "tiny-worker": "tiny-worker"
+ }
// ...
}
Make sure that tiny-worker is listed in your package.json dependencies in that case.
Note: You'll need to be using TypeScript version 4+, as the types generated by threads.js are not supported in TypeScript 3.
Make sure the TypeScript compiler keeps the import / export statements intact, so webpack resolves them. Otherwise the threads-plugin won't be able to do its job.
module.exports = {
// ...
module: {
rules: [
{
test: /\.ts$/,
loader: "ts-loader",
+ options: {
+ compilerOptions: {
+ module: "esnext"
+ }
+ }
}
]
},
// ...
}
You need to import threads/register once at the beginning of your application code (in the master code, not in the workers):
import { spawn } from "threads"
+ import "threads/register"
// ...
const work = await spawn(new Worker("./worker"))
This registers the library's Worker implementation for your platform as the global Worker. This is necessary, since you cannot import { Worker } from "threads" or Parcel won't recognize new Worker() as a web worker anymore.
Be aware that this might affect any code that tries to instantiate a normal web worker Worker and now instead instantiates a threads.js Worker. The threads.js Worker is just a web worker with some sugar on top, but that sugar might have unexpected side effects on third-party libraries.
Everything else should work out of the box.
// master.js
import { spawn, Thread, Worker } from "threads"

const auth = await spawn(new Worker("./workers/auth"))
const hashed = await auth.hashPassword("Super secret password", "1234")

console.log("Hashed password:", hashed)

await Thread.terminate(auth)

// workers/auth.js
import sha256 from "js-sha256"
import { expose } from "threads/worker"

expose({
  hashPassword(password, salt) {
    return sha256(password + salt)
  }
})
The hashPassword() function of the auth object in the master code proxies the call to the hashPassword() function in the worker.
If the worker's function returns a promise or an observable then you can just use the return value as such in the master code. If the function returns a primitive value, expect the master function to return a promise resolving to that value.
Use expose() to make a function or an object containing methods callable from the master thread.
In case of exposing an object, spawn() will asynchronously return an object exposing all the object's functions. If you expose() a function, spawn will also return a callable function, not an object.
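The README's worker hashes with a single SHA-256 pass over password + salt, which shows the API but is not a suitable construction for stored passwords. The following added example (not part of the threads.js README or code) is a worker body built on Node's built-in crypto.scryptSync, the kind of CPU-bound call worth offloading; the authApi name, the stored-string format and the cost parameters are assumptions made for illustration.

```javascript
// Added example: hardened variant of the README's hashPassword() worker body.
const nodeCrypto = require("node:crypto");

// Assumed cost parameters: N=2^15, r=8, p=1 needs about 32 MiB, so maxmem is raised.
const PARAMS = { N: 32768, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const KEY_LEN = 32;

const authApi = {
  // Returns "scrypt$N$r$p$salt$key"; a fresh random salt is generated per call,
  // so the caller no longer supplies (or reuses) a salt such as "1234".
  hashPassword(password) {
    const salt = nodeCrypto.randomBytes(16);
    const key = nodeCrypto.scryptSync(password, salt, KEY_LEN, PARAMS);
    return ["scrypt", PARAMS.N, PARAMS.r, PARAMS.p,
      salt.toString("base64"), key.toString("base64")].join("$");
  },

  // Recomputes the key from the stored salt and compares in constant time.
  verifyPassword(password, stored) {
    const parts = String(stored).split("$");
    if (parts.length !== 6 || parts[0] !== "scrypt") return false;
    const [N, r, p] = parts.slice(1, 4).map(Number);
    // Simplification: only records written with the current parameters are
    // accepted, so a tampered record cannot request a cheaper or huge cost.
    if (N !== PARAMS.N || r !== PARAMS.r || p !== PARAMS.p) return false;
    const salt = Buffer.from(parts[4], "base64");
    const expected = Buffer.from(parts[5], "base64");
    // timingSafeEqual throws on length mismatch, so check first.
    if (expected.length !== KEY_LEN) return false;
    const actual = nodeCrypto.scryptSync(password, salt, KEY_LEN, PARAMS);
    return nodeCrypto.timingSafeEqual(actual, expected);
  }
};

// In workers/auth.js this object would be handed to expose(authApi),
// with expose imported from "threads/worker" as in the README example.
```
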
Find the full documentation on the website:
Threads.js works with webpack. Usually all you need to do is add the threads-plugin.
See Build with webpack on the website for details.
We are using the debug package to provide opt-in debug logging. All the package's debug messages have a scope starting with threads:, with different sub-scopes:
threads:master:messages
threads:master:spawn
threads:master:thread-utils
threads:pool:${poolName || poolID}
Set the DEBUG environment variable to threads:* to enable all the library's debug logging. To run its tests with full debug logging, for instance:
DEBUG=threads:* npm test
MIT
FAQs
Web workers & worker threads as simple as a function call
The npm package threads receives a total of 122,354 weekly downloads. As such, the popularity of threads was classified as popular.
We found that threads demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.