The vlq npm package is used for encoding and decoding variable-length quantities (VLQs). VLQ is a universal code that uses an arbitrary number of binary octets (eight-bit bytes) to represent an arbitrarily large integer. It is used in various data serialization and compression contexts, including source map generation for web development.
Encoding integers to VLQ
This feature allows you to encode integers into VLQ strings. The `encode` function takes an integer and returns a string representing the encoded VLQ.
```js
"use strict";
const vlq = require('vlq');

const encoded = vlq.encode(123);
console.log(encoded); // Output: '2H'
```
Decoding VLQ strings to integers
This feature allows you to decode VLQ strings back into integers. The `decode` function takes a VLQ-encoded string and returns an array of integers.
```js
"use strict";
const vlq = require('vlq');

const decoded = vlq.decode('2H');
console.log(decoded); // Output: [123]
```
The base64-vlq package is similar to vlq in that it encodes and decodes VLQs, but it specifically uses Base64 encoding. This is particularly useful for source maps in web development, where compactness is crucial.
vlq-buffer is another package that provides VLQ encoding and decoding functionalities. It differs from vlq by focusing on Buffer inputs and outputs, which can be more efficient for certain Node.js applications that work with binary data.
Convert integers to a Base64-encoded VLQ string, and vice versa. No dependencies, works in node.js or browsers, supports AMD.
Sourcemaps are the most likely use case. Mappings from original source to generated content are encoded as a sequence of VLQ strings.
A variable-length quantity is a compact way of encoding large integers in text (i.e. in situations where you can't transmit raw binary data). An integer represented as digits will always take up more space than the equivalent VLQ representation:
Integer | VLQ |
---|---|
0 | A |
1 | C |
-1 | D |
123 | 2H |
123456789 | qxmvrH |
```bash
npm install vlq
```

`vlq.encode` accepts an integer, or an array of integers, and returns a string:

```js
vlq.encode(123); // '2H'
vlq.encode([123, 456, 789]); // '2HwcqxB'
```

`vlq.decode` accepts a string and always returns an array:

```js
vlq.decode('2H'); // [123]
vlq.decode('2HwcqxB'); // [123, 456, 789]
```
Since JavaScript bitwise operators work on 32 bit integers, the maximum value this library can handle is 2^30 - 1, or 1073741823.
See here for an example of using vlq.js with sourcemaps.
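The source map use case and the 2^30 - 1 limit described above, as an added example that is not the vlq package's own code: a standalone Base64 VLQ decoder that rejects malformed or oversized input, plus a helper that expands a source map `mappings` string into absolute positions. The function names, the result field names and the sample string are assumptions constructed for illustration.

```javascript
const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

// Decode one Base64 VLQ string into signed integers, rejecting malformed input.
function decodeVlq(str) {
  const out = [];
  let raw = 0, shift = 0;
  for (const ch of str) {
    const sextet = B64.indexOf(ch);
    if (sextet === -1) throw new Error(`invalid VLQ character ${JSON.stringify(ch)}`);
    const chunk = sextet & 31; // low 5 bits carry payload
    // raw must fit in 31 bits (sign bit + 30-bit magnitude), i.e. |value| <= 2^30 - 1.
    if (shift > 30 || (shift === 30 && chunk > 1)) throw new RangeError('VLQ value exceeds 2^30 - 1');
    raw |= chunk << shift;
    if (sextet & 32) { shift += 5; continue; } // continuation bit: more sextets follow
    const magnitude = raw >>> 1; // lowest bit of the value is the sign
    out.push(raw & 1 ? -magnitude : magnitude);
    raw = 0; shift = 0;
  }
  if (shift !== 0) throw new Error('truncated VLQ: last character has continuation bit set');
  return out;
}

// Expand a source map "mappings" string into absolute positions.
// ';' separates generated lines, ',' separates segments, every field is a delta.
function decodeMappings(mappings) {
  let source = 0, origLine = 0, origCol = 0, name = 0; // carried across lines
  return mappings.split(';').map((line) => {
    if (line === '') return [];
    let genCol = 0; // generated column restarts on each line
    return line.split(',').map((seg) => {
      const f = decodeVlq(seg);
      if (![1, 4, 5].includes(f.length)) throw new Error(`segment "${seg}" has ${f.length} fields`);
      genCol += f[0];
      if (f.length === 1) return { genCol };
      source += f[1]; origLine += f[2]; origCol += f[3];
      const entry = { genCol, source, origLine, origCol };
      if (f.length === 5) entry.name = (name += f[4]);
      return entry;
    });
  });
}

// Constructed sample, not taken from a real bundle.
const SAMPLE_MAPPINGS = 'AAAA,SAASA;;AACA,2HADD';
console.log(JSON.stringify(decodeMappings(SAMPLE_MAPPINGS)));
```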
Adapted from murzwin.com/base64vlq.html by Alexander Pavlov.
MIT.
FAQs
Generate, and decode, base64 VLQ mappings for source maps and other uses
The npm package vlq receives a total of 2,445,949 weekly downloads. As such, vlq is classified as popular.
We found that vlq has an unhealthy version release cadence and level of project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.