Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Packs CommonJs/AMD modules for the browser. Allows you to split your codebase into multiple bundles, which can be loaded on demand. Supports loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
Webpack is a powerful module bundler for JavaScript applications. It processes applications by internally building a dependency graph which maps every module your project needs and generates one or more bundles. It is highly extensible via loaders and plugins, and it's designed to manage, transform, and bundle frontend assets like JavaScript, CSS, and images.
Module Bundling
Webpack bundles all the JavaScript files and other assets like CSS and images into a single output file. The code sample shows a basic webpack configuration defining an entry point and the output bundle.
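const path = require('path');

module.exports = {
  // Module where webpack starts building the dependency graph
  entry: './path/to/my/entry/file.js',
  output: {
    // Absolute output directory and name of the emitted bundle
    path: path.resolve(__dirname, 'dist'),
    filename: 'my-first-webpack.bundle.js'
  }
};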
Loaders
Loaders allow webpack to process different types of files and convert them into modules that can be included in your bundle. The code sample demonstrates how to use loaders to handle .txt and .css files.
module.exports = {
  module: {
    rules: [
      { test: /\.txt$/, use: 'raw-loader' },
      { test: /\.css$/, use: ['style-loader', 'css-loader'] }
    ]
  }
};
Plugins
Plugins can be leveraged to perform a wider range of tasks like bundle optimization, asset management, and environment variable injection. The code sample shows how to use the HtmlWebpackPlugin to generate an index.html file with the bundled assets injected.
const HtmlWebpackPlugin = require('html-webpack-plugin');

module.exports = {
  plugins: [new HtmlWebpackPlugin({ template: './src/index.html' })]
};
Development Server
Webpack provides a development server that can be used to serve your application during development. It supports live reloading. The code sample configures the webpack development server to serve files from the 'dist' directory.
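module.exports = {
  devServer: {
    // contentBase is the option name up to webpack-dev-server v3; v4 and later use `static`
    contentBase: './dist',
    // Open the application in the browser once the server has started
    open: true
  }
};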
Code Splitting
Code splitting allows you to split your code into various bundles which can then be loaded on demand or in parallel. The code sample shows how to split the application and vendor code into separate bundles.
module.exports = {
  entry: {
    app: './src/app.js',
    vendor: './src/vendor.js'
  },
  output: {
    filename: '[name].bundle.js',
    path: __dirname + '/dist'
  }
};
Rollup is a module bundler for JavaScript which uses a flat bundle approach that's more efficient for libraries and applications with a complex module structure. It's known for its tree-shaking capabilities, which eliminate unused code.
Parcel is a web application bundler that offers a zero-configuration setup. It's known for its fast bundle times and out-of-the-box support for many file types without the need for additional plugins or loaders.
Browserify lets you require('modules') in the browser by bundling up all of your dependencies. It's been around longer than webpack and has a simpler approach, but it lacks some of the more advanced features and optimizations that webpack offers.
FuseBox is a bundler/module loader that combines the power of webpack, JSPM, and SystemJS. It introduces a streamlined workflow and has a powerful API. It's known for its speed and simplicity.
webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset.
npm install --save-dev webpack
The README reflects webpack v2.x; webpack v1.x documentation can be found here.
webpack is a bundler for modules. The main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset.
TL;DR
Check out webpack's quick Get Started guide and the other guides.
webpack has a rich plugin interface. Most of the features within webpack itself use this plugin interface. This makes webpack very flexible.
Name | Status | Description |
---|---|---|
common-chunks-webpack-plugin | | Generates chunks of common modules shared between entry points and splits them into separate bundles (e.g. vendor.bundle.js && app.bundle.js) |
extract-text-webpack-plugin | | Extracts Text (CSS) from your bundles into a separate file (app.bundle.css) |
component-webpack-plugin | | Use components with webpack |
compression-webpack-plugin | | Prepare compressed versions of assets to serve them with Content-Encoding |
i18n-webpack-plugin | | Adds i18n support to your bundles |
html-webpack-plugin | | Simplifies creation of HTML files (index.html) to serve your bundles |

webpack enables use of loaders to preprocess files. This allows you to bundle any static resource way beyond JavaScript. You can easily write your own loaders using Node.js.
Loaders are activated by using loadername! prefixes in require() statements, or are automatically applied via regex from your webpack configuration.
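
The two activation routes described above (a `loadername!` prefix in `require()` and regex rules in the configuration) decide which loader code runs at build time for a given file. The following is an added example, not part of webpack or its README: it parses request strings and reports the ones that pull in loaders outside an allowlist or override the configured rules. The rule set mirrors the Loaders sample earlier on this page; the source snippet, the allowlist and all function names are constructed for illustration, and the `!`, `-!` and `!!` override prefixes are standard webpack request syntax that the page itself does not show.

```javascript
// Added example (not webpack's code): list the loaders, i.e. build-time code,
// that would process each require() request. Rules and source are constructed.
const rules = [
  { test: /\.txt$/, use: 'raw-loader' },
  { test: /\.css$/, use: ['style-loader', 'css-loader'] }
];

// Split "[prefix]loader!loader!resource". Prefix "!" disables configured normal
// loaders, "-!" pre and normal loaders, "!!" all configured loaders.
function parseRequest(request) {
  const m = /^(!!|-!|!)?(.*)$/.exec(request);
  const parts = m[2].split('!');
  const resource = parts.pop();
  const inline = parts.filter(Boolean).map(p => p.split('?')[0]); // drop loader options
  return { prefix: m[1] || '', inline, resource };
}

// Loaders in execution order: configured normal loaders first, then inline
// ones, each chain running right to left. The rules above carry no `enforce`,
// so they are all normal loaders and any prefix disables them.
function effectiveLoaders(request, ruleSet) {
  const { prefix, inline, resource } = parseRequest(request);
  const file = resource.split('?')[0];
  const configured = prefix ? [] :
    ruleSet.filter(r => r.test.test(file)).flatMap(r => [].concat(r.use));
  return [...inline, ...configured].reverse();
}

// Report requests that use an override prefix or a loader outside the allowlist.
function auditRequests(source, ruleSet, allowed) {
  const findings = [];
  const re = /require\(\s*['"]([^'"]+)['"]\s*\)/g;
  for (const [, request] of source.matchAll(re)) {
    const { prefix, inline } = parseRequest(request);
    const unknown = inline.filter(name => !allowed.has(name));
    if (prefix || unknown.length) {
      findings.push({ request, prefix, unknown, runs: effectiveLoaders(request, ruleSet) });
    }
  }
  return findings;
}

// Constructed sample source: only the second line should be reported.
const sampleSource = [
  "const a = require('./notes.txt');",
  "const b = require('!!val-loader!./build-info.js');",
  "const c = require('style-loader!css-loader!./theme.css');"
].join('\n');
const allowed = new Set(['raw-loader', 'style-loader', 'css-loader']);
console.log(JSON.stringify(auditRequests(sampleSource, rules, allowed), null, 2));
```

The regex only sees string-literal `require()` calls, so requests assembled at runtime or written as `import` statements need a parser-based scan.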

Name | Status | Description |
---|---|---|
raw-loader | | Loads raw content of a file (utf-8) |
val-loader | | Executes code as module and considers exports as JS code |
url-loader | | Works like the file loader, but can return a Data Url if the file is smaller than a limit |
file-loader | | Emits the file into the output folder and returns the (relative) url |

Name | Status | Description |
---|---|---|
 | | Loads a JSON file (included by default) |
 | | Loads and transpiles a JSON 5 file |
 | | Loads and transpiles a CSON file |

Name | Status | Description |
---|---|---|
<script> | | Executes a JavaScript file once in global context (like in script tag), requires are not parsed |
 | | Loads ES2015+ code and transpiles to ES5 using Babel |
 | | Loads ES2015+ code and transpiles to ES5 using Traceur |
 | | Loads TypeScript like JavaScript |
 | | Loads CoffeeScript like JavaScript |

Name | Status | Description |
---|---|---|
 | | Exports HTML as string, require references to static resources |
 | | Loads Pug templates and returns a function |
 | | Loads Jade templates and returns a function |
 | | Compiles Markdown to HTML |
 | | Loads and transforms a HTML file using PostHTML |
 | | Compiles Handlebars to HTML |

Name | Status | Description |
---|---|---|
<style> | | Add exports of a module as style to DOM |
 | | Loads CSS file with resolved imports and returns CSS code |
 | | Loads and compiles a LESS file |
 | | Loads and compiles a SASS/SCSS file |
 | | Loads and compiles a Stylus file |
 | | Loads and transforms a CSS/SSS file using PostCSS |

Name | Status | Description |
---|---|---|
 | | Tests with mocha (Browser/NodeJS) |
 | | PreLoader for linting code using ESLint |
 | | PreLoader for linting code using JSHint |
 | | PreLoader for code style checking using JSCS |

webpack uses async I/O and has multiple caching levels. This makes webpack fast and incredibly fast on incremental compilations.
webpack supports ES2015+, CommonJS and AMD modules out of the box. It performs clever static analysis on the AST of your code. It even has an evaluation engine to evaluate simple expressions. This allows you to support most existing libraries out of the box.
webpack allows you to split your codebase into multiple chunks. Chunks are loaded asynchronously at runtime. This reduces the initial loading time.
webpack can do many optimizations to reduce the output size of your JavaScript by deduplicating frequently used modules, minifying, and giving you full control of what is loaded initially and what is loaded at runtime through code splitting. It can also make your code chunks cache friendly by using hashes.
Most of the time, if webpack is not working correctly for you it is a simple configuration issue.
If you are still having difficulty after looking over your configuration carefully, please post a question to StackOverflow with the webpack tag. Questions that include your webpack.config.js and relevant files are more likely to receive responses.
If you have discovered a bug or have a feature suggestion, feel free to create an issue on GitHub.
If you create a loader or plugin, please consider open sourcing it, putting it on npm and following the x-loader, x-webpack-plugin convention.
You are also welcome to correct any spelling mistakes or any language issues.
If you want to discuss something or just need help, here is our Gitter room.
Tobias Koppers | Core | Founder of webpack
Johannes Ewald | Loaders & Plugins | Early adopter of webpack
Sean T. Larkin | Public Relations | Founder of the core team
Juho Vepsäläinen | Documentation | Author
Kees Kluskens | Development | Sponsor
Most of the core team members, webpack contributors and contributors in the ecosystem do this open source work in their free time. If you use webpack for a serious task, and you'd like us to invest more time on it, please donate. This project increases your income/productivity too. It makes development and applications faster and it reduces the required bandwidth.
This is how we use the donations:
Before we started using OpenCollective, donations were made anonymously. Now that we have made the switch, we would like to acknowledge these sponsors (and the ones who continue to donate using OpenCollective). If we've missed someone, please send us a PR, and we'll add you to this list.
Google Angular Team, Architects.io,
Become a sponsor and get your logo on our README on Github with a link to your site.
Become a backer and get your image on our README on Github with a link to your site.
(In chronological order)
FAQs
Packs ECMAScript/CommonJs/AMD modules for the browser. Allows you to split your codebase into multiple bundles, which can be loaded on demand. Supports loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.
The npm package webpack receives a total of 26,419,289 weekly downloads. As such, webpack popularity was classified as popular.
We found that webpack demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.