Universal WebAssembly tools for JavaScript.
This project aims to provide a common and future-proof solution for WebAssembly module support across JavaScript runtimes, frameworks, and build tools, following the WebAssembly/ES Module Integration proposal from the WebAssembly Community Group as closely as possible while staying compatible with current ecosystem libraries.
When importing a .wasm module, unwasm resolves, reads, and parses the module during the build to learn its imports and exports; it even tries to resolve the imports automatically and generate the appropriate code bindings for the bundler.
If the target environment supports top-level await and the wasm module requires no imports object (or the imports are auto-resolvable), unwasm generates bindings that allow importing the wasm module like any other ESM import.
If the target environment lacks support for top-level await, or the wasm module requires an imports object, or the lazy plugin option is set to true, unwasm instead exports a wrapped Proxy object which can be called as a function to evaluate the module lazily with a custom imports object. This keeps the syntax as close to ESM modules as possible while still allowing modules to be initialized lazily.
Example: Using static import
```js
import { sum } from "unwasm/examples/sum.wasm";
```
Example: Using dynamic import
```js
const { sum } = await import("unwasm/examples/sum.wasm");
```
If your WebAssembly module requires an import object (unwasm can automatically infer it), the usage syntax is slightly different, because the module must first be initialized with the import object.
Example: Using dynamic import with imports object
```js
const { rand } = await import("unwasm/examples/rand.wasm").then((r) =>
  r.default({
    env: {
      seed: () => () => Math.random() * Date.now(),
    },
  }),
);
```
Example: Using static import with imports object
```js
import initRand, { rand } from "unwasm/examples/rand.wasm";
await initRand({
  env: {
    seed: () => () => Math.random() * Date.now(),
  },
});
```
[!NOTE] When using the static import syntax, and before the module is initialized, each named export is wrapped by a proxy into a function that waits for module initialization. If such a function is called before init, it immediately tries to call init without imports and returns a Promise that calls the real export once init has completed.
There are situations where libraries require a WebAssembly.Module instance so they can create the WebAssembly.Instance themselves. To maximize compatibility, unwasm supports a specific import suffix, ?module, to import .wasm files directly as a Module.
```js
import _sumMod from "unwasm/examples/sum.wasm?module";
const { sum } = await WebAssembly.instantiate(_sumMod).then((i) => i.exports);
```
[!NOTE] Open an issue! We would love to help those libraries migrate!
unwasm needs to transform .wasm imports into compatible bindings. Currently, the only method is a Rollup plugin; more integration methods will be introduced in the future.
First, install the unwasm npm package.
```sh
# ✨ Auto-detect
npx nypm install unwasm
# npm
npm install unwasm
# yarn
yarn add unwasm
# pnpm
pnpm install unwasm
# bun
bun install unwasm
```
```js
// rollup.config.js
import { rollup as unwasm } from "unwasm/plugin";
export default {
  plugins: [
    unwasm({
      /* options */
    }),
  ],
};
```
The plugin accepts the following options:
- esmImport: Import the .wasm file directly instead of bundling it. Required in Cloudflare Workers, and works in environments that allow natively importing a .wasm module (default is false).
- lazy: Import .wasm files using a lazily evaluated proxy, for compatibility with runtimes without top-level await support (default is false).
unwasm provides useful build tools to operate on .wasm modules directly.
Note: The unwasm/tools subpath export is not meant or optimized for production runtime. Only rely on it for development and build time.
parseWasm: parses the wasm binary format and returns useful information about it, using webassemblyjs/wasm-parser.
```js
import { readFile } from "node:fs/promises";
import { parseWasm } from "unwasm/tools";
const source = await readFile(new URL("./examples/sum.wasm", import.meta.url));
const parsed = parseWasm(source);
console.log(JSON.stringify(parsed, undefined, 2));
```
Example parsed result:
```json
{
  "modules": [
    {
      "exports": [
        {
          "id": 5,
          "name": "rand",
          "type": "Func"
        },
        {
          "id": 0,
          "name": "memory",
          "type": "Memory"
        }
      ],
      "imports": [
        {
          "module": "env",
          "name": "seed",
          "params": [],
          "returnType": "f64"
        }
      ]
    }
  ]
}
```
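The imports a .wasm module declares are its entire capability surface, so the build step is a good place to check that a wasm dependency asks only for what you expect. As an added example (not unwasm's own code, which uses webassemblyjs/wasm-parser), here is a minimal reader of the wasm import and export sections that returns the same shape of information as parseWasm above, plus an allowlist check; the sample module bytes are hand-assembled here for the example, not an unwasm example file.

```javascript
// Constructed sample module (hand-assembled here, not an unwasm example file): it imports
// env.seed : () -> f64, wraps it in one function exported as "rand", and exports "memory".
const SAMPLE_WASM = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,       // magic + version
  0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7c,             // type 0: () -> f64
  0x02, 0x0c, 0x01, 0x03, 0x65, 0x6e, 0x76, 0x04, 0x73, 0x65, 0x65, 0x64, 0x00, 0x00, // import env.seed (func, type 0)
  0x03, 0x02, 0x01, 0x00,  0x05, 0x03, 0x01, 0x00, 0x01, // 1 function of type 0; memory min 1 page
  0x07, 0x11, 0x02, 0x04, 0x72, 0x61, 0x6e, 0x64, 0x00, 0x01,             // export "rand" = func 1
  0x06, 0x6d, 0x65, 0x6d, 0x6f, 0x72, 0x79, 0x02, 0x00,                   // export "memory" = mem 0
  0x0a, 0x06, 0x01, 0x04, 0x00, 0x10, 0x00, 0x0b,       // code: call 0; end
]);
const KINDS = ["Func", "Table", "Memory", "Global"];
function readU32(b, pos) { let v = 0, shift = 0, byte;  // unsigned LEB128 -> [value, nextPos]
  do { byte = b[pos++]; v |= (byte & 0x7f) << shift; shift += 7; } while (byte & 0x80);
  return [v >>> 0, pos];
}
function readName(b, pos) { const [len, p] = readU32(b, pos);
  return [new TextDecoder().decode(b.subarray(p, p + len)), p + len];
}
function skipLimits(b, pos) { const [flags, p] = readU32(b, pos); let [, q] = readU32(b, p);
  if (flags & 1) [, q] = readU32(b, q);                 // optional max
  return q;
}
// Walks the section table; only import (id 2) and export (id 7) sections are decoded.
function parseWasmSurface(b) {
  if (b.length < 8 || [0x00, 0x61, 0x73, 0x6d].some((m, i) => b[i] !== m)) throw new Error("not a wasm binary");
  const imports = [], exps = []; let pos = 8;
  while (pos < b.length) {
    const id = b[pos++];
    const [size, p] = readU32(b, pos);
    let [count, q] = id === 2 || id === 7 ? readU32(b, p) : [0, p];
    for (let i = 0; i < count; i++) {
      let mod = null, name; if (id === 2) [mod, q] = readName(b, q);
      [name, q] = readName(b, q);
      const kind = b[q++];
      if (id === 7) { let idx; [idx, q] = readU32(b, q); exps.push({ id: idx, name, type: KINDS[kind] }); continue; }
      if (kind === 0) [, q] = readU32(b, q); else if (kind === 2) q = skipLimits(b, q);   // typeidx | limits
      else if (kind === 1) q = skipLimits(b, q + 1); else if (kind === 3) q += 2;        // reftype+limits | valtype+mut
      else throw new Error(`unknown import kind ${kind}`);
      imports.push({ module: mod, name, type: KINDS[kind] });
    }
    pos = p + size;                                     // every other section is skipped whole
  }
  return { imports, exports: exps };
}
// Build-time policy check: returns every import not in the allowlist (non-empty means fail the build).
function unexpectedImports(parsed, allow) {
  return parsed.imports.filter((i) => !(allow[i.module] || []).includes(i.name)).map((i) => `${i.module}.${i.name}`);
}
```

Running unexpectedImports against an allowlist such as { env: ["seed"] } in the build pipeline turns a new, unexpected import in an updated wasm dependency into a build failure instead of a silent capability grant.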
unwasm can automatically infer the imports object and bundle the imports using import maps (read more: MDN, Node.js and WICG).
To hint to the bundler how to resolve the imports needed by the .wasm file, you need to define them in a parent package.json file.
Example:
```json
{
  "exports": {
    "./rand.wasm": "./rand.wasm"
  },
  "imports": {
    "env": "./env.mjs"
  }
}
```
Note: The imports can also be prefixed with #, like #env, if you prefer to follow Node.js conventions.
Published under the MIT license.
Made by @pi0 and community 💛
🤖 auto updated with automd
FAQs
WebAssembly tools for JavaScript
The npm package unwasm receives a total of 404,827 weekly downloads. As such, unwasm popularity was classified as popular.
We found that unwasm demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.