Research
Security News
Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
The unplugin npm package is a framework-agnostic plugin system designed to create plugins that work across different build tools like Webpack, Vite, Rollup, and more. It allows developers to write a plugin once and have it compatible with multiple build systems without the need to rewrite it for each one.
Virtual Modules
Create virtual modules that can be imported by your code. These modules don't exist on the filesystem but are created on the fly by the plugin.
unplugin.createPlugin({
resolveId(id) {
if (id === 'virtual-module') return id;
},
load(id) {
if (id === 'virtual-module') return 'export default "This is virtual!"';
}
});
Transformations
Apply custom transformations to your code. This can be used to modify the source code of files before they are bundled.
unplugin.createPlugin({
transform(code, id) {
if (id.endsWith('.custom')) {
return code.replace(/find/g, 'replace');
}
}
});
Custom Build Steps
Execute custom code at different stages of the build process. This can be used to perform tasks before or after the build.
unplugin.createPlugin({
buildStart() {
console.log('Build started!');
},
buildEnd() {
console.log('Build finished!');
}
});
A Rollup plugin that allows replacing strings in files while bundling. It's similar to unplugin's transformation feature but is specific to Rollup.
A Webpack plugin to add virtual modules to the module graph. It provides functionality similar to unplugin's virtual modules but is specific to Webpack.
A Vite-specific plugin to support Vue 2.x. It demonstrates how plugins can be tailored to specific build tools, whereas unplugin aims to be build-tool agnostic.
Unified plugin system for build tools.
Currently supports:
unplugin
extends the excellent Rollup plugin API as the unified plugin interface and provides a compatible layer base on the build tools used with.
Hook | Rollup | Vite | Webpack 4 | Webpack 5 | esbuild |
---|---|---|---|---|---|
enforce | ❌ 1 | ✅ | ✅ | ✅ | ❌ 1 |
buildStart | ✅ | ✅ | ✅ | ✅ | ✅ |
resolveId | ✅ | ✅ | ✅ | ✅ | ✅ |
loadInclude 2 | ✅ | ✅ | ✅ | ✅ | ✅ |
load | ✅ | ✅ | ✅ | ✅ | ✅ 3 |
transformInclude 2 | ✅ | ✅ | ✅ | ✅ | ✅ |
transform | ✅ | ✅ | ✅ | ✅ | ✅ 3 |
watchChange | ✅ | ✅ | ✅ | ✅ | ✅ |
buildEnd | ✅ | ✅ | ✅ | ✅ | ✅ |
enforce
to control the order of plugins. Users need to maintain the order manually.load
and transform
results.Hook | Rollup | Vite | Webpack 4 | Webpack 5 | esbuild |
---|---|---|---|---|---|
this.parse | ✅ | ✅ | ✅ | ✅ | ✅ |
this.addWatchFile | ✅ | ✅ | ✅ | ✅ | ✅ |
this.emitFile 4 | ✅ | ✅ | ✅ | ✅ | ✅ |
this.getWatchFiles | ✅ | ✅ | ✅ | ✅ | ✅ |
this.warn | ✅ | ✅ | ✅ | ✅ | ✅ |
this.error | ✅ | ✅ | ✅ | ✅ | ✅ |
this.emitFile
only supports the EmittedAsset
variant.import { createUnplugin } from 'unplugin'
export const unplugin = createUnplugin((options: UserOptions) => {
return {
name: 'unplugin-prefixed-name',
// webpack's id filter is outside of loader logic,
// an additional hook is needed for better perf on webpack
transformInclude (id) {
return id.endsWith('.vue')
},
// just like rollup transform
transform (code) {
return code.replace(/<template>/, `<template><div>Injected</div>`)
},
// more hooks coming
}
})
export const vitePlugin = unplugin.vite
export const rollupPlugin = unplugin.rollup
export const webpackPlugin = unplugin.webpack
export const esbuildPlugin = unplugin.esbuild
// vite.config.ts
import UnpluginFeature from './unplugin-feature'
export default {
plugins: [
UnpluginFeature.vite({ /* options */ })
]
}
// rollup.config.js
import UnpluginFeature from './unplugin-feature'
export default {
plugins: [
UnpluginFeature.rollup({ /* options */ })
]
}
// webpack.config.js
module.exports = {
plugins: [
require('./unplugin-feature').webpack({ /* options */ })
]
}
// esbuild.config.js
import { build } from 'esbuild'
build({
plugins: [
require('./unplugin-feature').esbuild({ /* options */ })
]
})
While unplugin
provides compatible layers for some hooks, the functionality of it is limited to the common subset of the build's plugins capability. For more advanced framework-specific usages, unplugin
provides an escape hatch for that.
export const unplugin = createUnplugin((options: UserOptions, meta) => {
console.log(meta.framework) // 'vite' | 'rollup' | 'webpack' | 'esbuild'
return {
// common unplugin hooks
name: 'unplugin-prefixed-name',
transformInclude (id) { /* ... */ },
transform (code) { /* ... */ },
// framework specific hooks
vite: {
// Vite config
configureServer(server) {
// configure Vite server
}
},
rollup: {
// Rollup config
},
webpack(compiler) {
// configure Webpack compiler
},
esbuild: {
// change the filter of onResolve and onLoad
onResolveFilter?: RegExp
onLoadFilter?: RegExp
// or you can completely replace the setup logic
setup?: EsbuildPlugin['setup']
}
}
})
unplugin-
prefix.unplugin
keyword in package.json
.Default export: the returned value of createUnplugin
function
import UnpluginFeature from 'unplugin-feature'
Subpath exports: properties of the returned value of createUnplugin
function for each framework users
import VitePlugin from 'unplugin-feature/vite'
Refer to unplugin-starter for more details about this setup.
MIT License © 2021 Nuxt Contrib
FAQs
Unified plugin system for build tools
The npm package unplugin receives a total of 0 weekly downloads. As such, unplugin popularity was classified as not popular.
We found that unplugin demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.