The vlq npm package is used for encoding and decoding variable-length quantities (VLQs). VLQ is a universal code that uses an arbitrary number of binary octets (eight-bit bytes) to represent an arbitrarily large integer. It is used in various data serialization and compression contexts, including source map generation for web development.
Encoding integers to VLQ
This feature allows you to encode integers into VLQ strings. The `encode` function takes an integer and returns a string representing the encoded VLQ.
```js
"use strict";
const vlq = require('vlq');

const encoded = vlq.encode(123);
console.log(encoded); // Output: '2H'
```
Decoding VLQ strings to integers
This feature allows you to decode VLQ strings back into integers. The `decode` function takes a VLQ-encoded string and returns an array of integers.
```js
"use strict";
const vlq = require('vlq');

const decoded = vlq.decode('2H');
console.log(decoded); // Output: [123]
```
The base64-vlq package is similar to vlq in that it encodes and decodes VLQs, but it specifically uses Base64 encoding. This is particularly useful for source maps in web development, where compactness is crucial.
vlq-buffer is another package that provides VLQ encoding and decoding functionalities. It differs from vlq by focusing on Buffer inputs and outputs, which can be more efficient for certain Node.js applications that work with binary data.
Convert integers to a Base64-encoded VLQ string, and vice versa. No dependencies, works in node.js or browsers, supports AMD.
Sourcemaps are the most likely use case. Mappings from original source to generated content are encoded as a sequence of VLQ strings.
A variable-length quantity is a compact way of encoding large integers in text (i.e. in situations where you can't transmit raw binary data). An integer represented as digits will always take up more space than the equivalent VLQ representation:
Integer | VLQ |
---|---|
0 | A |
1 | C |
-1 | D |
123 | 2H |
123456789 | qxmvrH |
```bash
npm install vlq
```

`vlq.encode` accepts an integer, or an array of integers, and returns a string:

```js
vlq.encode(123); // '2H'
vlq.encode([123, 456, 789]); // '2HwcqxB'
```

`vlq.decode` accepts a string and always returns an array:

```js
vlq.decode('2H'); // [123]
vlq.decode('2HwcqxB'); // [123, 456, 789]
```
Since JavaScript bitwise operators work on 32 bit integers, the maximum value this library can handle is 2^30 - 1, or 1073741823.
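The bit layout behind the table above and the 2^30 - 1 limit, written out as an added example (this is not the vlq package's source). The names `encodeOne`, `encode` and `decodeStrict`, and the choice to throw on bad characters, truncated input and out-of-range values, are assumptions made here for decoding mappings from source maps you do not control.

```javascript
// Added example: strict Base64 VLQ codec (illustrative, not the vlq package's code).
const CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
const MAX = 2 ** 30 - 1; // largest magnitude the page says the library handles

function encodeOne(n) {
  if (!Number.isInteger(n) || Math.abs(n) > MAX) {
    throw new RangeError(`value out of range: ${n}`);
  }
  // The sign goes in the lowest bit, the magnitude in the bits above it.
  let v = n < 0 ? -n * 2 + 1 : n * 2;
  let out = "";
  do {
    let digit = v % 32;          // low 5 bits of what is left
    v = Math.floor(v / 32);
    if (v > 0) digit += 32;      // sixth bit set means "more groups follow"
    out += CHARS[digit];
  } while (v > 0);
  return out;
}

function encode(values) {
  return [].concat(values).map(encodeOne).join("");
}

function decodeStrict(str) {
  const result = [];
  let value = 0, groups = 0;
  for (const ch of str) {
    const digit = CHARS.indexOf(ch);
    if (digit === -1) throw new SyntaxError(`invalid character: ${JSON.stringify(ch)}`);
    if (groups === 7) throw new RangeError("too many continuation groups");
    value += (digit % 32) * 32 ** groups++;  // arithmetic, so no silent 32-bit wrap
    if (value > 2 * MAX + 1) throw new RangeError("encoded value exceeds 2^30 - 1");
    if (digit >= 32) continue;               // continuation bit set, keep reading
    const mag = Math.floor(value / 2);
    result.push(value % 2 === 1 ? -mag : mag);
    value = 0;
    groups = 0;
  }
  if (groups !== 0) throw new SyntaxError("truncated VLQ: last character has the continuation bit set");
  return result;
}
```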
See here for an example of using vlq.js with sourcemaps.
Adapted from murzwin.com/base64vlq.html by Alexander Pavlov.
MIT.
2.0.3-4
FAQs
Generate, and decode, base64 VLQ mappings for source maps and other uses
The npm package vlq receives 2,001,593 weekly downloads, which classifies it as popular.
We found that vlq has an unhealthy version release cadence and level of project activity: the last version was released a year ago. It has 1 open source maintainer collaborating on the project.