A fast one-pass in-place HTML minifier written in Rust with context-aware whitespace handling.
Also supports JS minification by plugging into esbuild.
Available as:
Speed and effectiveness of the Node.js version compared to html-minifier and minimize, run on popular already-minified web pages. See the bench folder for more details.
Precompiled binaries are available for x86-64 macOS and Linux.
Use the --help argument for more details.
hyperbuild --src /path/to/src.html --out /path/to/output.min.html
[dependencies]
hyperbuild = { version = "0.2.4", features = ["js-esbuild"] }
Building with the js-esbuild feature requires the Go compiler to be installed as well, to build the JS minifier.
If the js-esbuild feature is not enabled, cfg.minify_js will have no effect.
use hyperbuild::{Cfg, FriendlyError, hyperbuild, hyperbuild_copy, hyperbuild_friendly_error, hyperbuild_truncate};

fn main() {
    let mut code = b"<p> Hello, world! </p>".to_vec();
    let cfg = &Cfg {
        minify_js: false,
    };

    // Minifies a slice in-place and returns the new minified length,
    // but leaves any original code after the minified code intact.
    match hyperbuild(&mut code, cfg) {
        Ok(minified_len) => {}
        Err((error_type, error_position)) => {}
    };

    // Creates a vector copy containing only minified code
    // instead of minifying in-place.
    match hyperbuild_copy(&code, cfg) {
        Ok(minified) => {}
        Err((error_type, error_position)) => {}
    };

    // Minifies a vector in-place, and then truncates the
    // vector to the new minified length.
    match hyperbuild_truncate(&mut code, cfg) {
        Ok(()) => {}
        Err((error_type, error_position)) => {}
    };

    // Identical to `hyperbuild` except with FriendlyError instead.
    // `code_context` is a string of a visual representation of the source,
    // with line numbers and position markers to aid in debugging syntax.
    match hyperbuild_friendly_error(&mut code, cfg) {
        Ok(minified_len) => {}
        Err(FriendlyError { position, message, code_context }) => {
            eprintln!("Failed at character {}:", position);
            eprintln!("{}", message);
            eprintln!("{}", code_context);
        }
    };
}
hyperbuild is on npm, available as a Node.js native module, and supports Node.js versions 8 and higher.
Using npm:
npm i hyperbuild
Using Yarn:
yarn add hyperbuild
const hyperbuild = require("hyperbuild");

const cfg = { minifyJs: false };
const minified = hyperbuild.minify("<p> Hello, world! </p>", cfg);

// Alternatively, minify in place to avoid copying.
// The configuration is passed to minifyInPlace, not to Buffer.from.
const source = Buffer.from("<p> Hello, world! </p>");
hyperbuild.minifyInPlace(source, cfg);
hyperbuild is also available for TypeScript:
import * as hyperbuild from "hyperbuild";
import * as fs from "fs";
const cfg = { minifyJs: false };
const minified = hyperbuild.minify("<p> Hello, world! </p>", cfg);
hyperbuild.minifyInPlace(fs.readFileSync("source.html"), cfg);
hyperbuild is available via JNI, and supports Java versions 7 and higher.
Add as a Maven dependency:
<dependency>
<groupId>in.wilsonl.hyperbuild</groupId>
<artifactId>hyperbuild</artifactId>
<version>0.2.4</version>
</dependency>
import in.wilsonl.hyperbuild.Hyperbuild;

Hyperbuild.Configuration cfg = new Hyperbuild.Configuration.Builder()
    .setMinifyJs(false)
    .build();
try {
    String minified = Hyperbuild.minify("<p> Hello, world! </p>", cfg);
} catch (Hyperbuild.SyntaxException e) {
    System.err.println(e.getMessage());
}

// Alternatively, minify in place:
assert source instanceof ByteBuffer && source.isDirect();
Hyperbuild.minifyInPlace(source, cfg);
hyperbuild is on PyPI, available as a native module, and supports CPython (the default Python interpreter) versions 3.5 and higher.
Add the PyPI project as a dependency and install it using pip or pipenv.
import hyperbuild

try:
    minified = hyperbuild.minify("<p> Hello, world! </p>", minify_js=False)
except SyntaxError as e:
    print(e)
hyperbuild is published on RubyGems, available as a native module for macOS and Linux, and supports Ruby versions 2.5 and higher.
Add the library as a dependency to Gemfile or *.gemspec.
require 'hyperbuild'
print Hyperbuild.minify("<p> Hello, world! </p>", { :minify_js => false })
hyperbuild has advanced context-aware whitespace minification that does things such as:
pre and code, which are whitespace sensitive.
There are three whitespace minification methods. When processing text content, hyperbuild chooses which ones to use depending on the containing element.
Applies to: any element except whitespace sensitive elements.
Reduce a sequence of whitespace characters in text nodes to a single space (U+0020).
Applies to: any element except whitespace sensitive, content, content-first, and formatting elements.
Remove any text nodes between tags that only consist of whitespace characters.
Applies to: any element except whitespace sensitive and formatting elements.
Remove any leading/trailing whitespace from any leading/trailing text nodes of a tag.
hyperbuild recognises elements based on one of a few ways it assumes they are used. By making these assumptions, it can apply optimal whitespace minification strategies.
Group | Elements | Expected children |
---|---|---|
Formatting | a, strong, and others | Formatting elements, text. |
Content | h1, p, and others | Formatting elements, text. |
Layout | div, ul, and others | Layout elements, content elements. |
Content-first | label, li, and others | Like content but could be layout with only one child. |
Whitespace is collapsed.
Formatting elements are usually inline elements that wrap around part of some text in a content element, so their whitespace isn't trimmed, as it is probably part of the content.
Whitespace is trimmed and collapsed.
Content elements usually represent a contiguous and complete unit of content such as a paragraph. As such, whitespace is significant but sequences of them are most likely due to formatting.
<p>↵
··Hey,·I·<em>just</em>·found↵
··out·about·this·<strong>cool</strong>·website!↵
··<sup>[1]</sup>↵
</p>
<p>Hey,·I·<em>just</em>·found·out·about·this·<strong>cool</strong>·website!·<sup>[1]</sup></p>
Whitespace is trimmed and collapsed. Whole whitespace is removed.
These elements should only contain other elements and no text. This makes it possible to remove whole whitespace, which is useful when using display: inline-block so that whitespace between elements (e.g. indentation) does not alter layout and styling.
<ul>↵
··<li>A</li>↵
··<li>B</li>↵
··<li>C</li>↵
</ul>
<ul><li>A</li><li>B</li><li>C</li></ul>
Whitespace is trimmed and collapsed.
These elements are usually like content elements but are occasionally used like a layout element with one child. Whole whitespace is not removed as it might contain content, but this is OK for using as layout as there is only one child and whitespace is trimmed.
<li>↵
··<article>↵
····<section></section>↵
····<section></section>↵
··</article>↵
</li>
<li><article><section></section><section></section></article></li>
Optional closing tags are removed.
Any entities in attribute values are decoded, and then the shortest representation of the value is calculated and used:
" encoded.
' encoded.
"/' first character (if applicable), > last character (if applicable), and any whitespace encoded.
class and d attributes have their whitespace (after any decoding) trimmed and collapsed.
Boolean attribute values are removed. Some other attributes are completely removed if their value is empty or the default value after any processing.
type attributes on script tags with a value equaling a JavaScript MIME type are removed.
If an attribute value is empty after any processing, everything but the name is completely removed (i.e. no =), as an empty attribute is implicitly the same as an attribute with an empty string value.
Spaces are removed between attributes if possible.
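The attribute rules above (shortest of three quoting forms, name only for an empty value), as an added example that is not hyperbuild's own code. The function names and the choice of entity spellings are assumptions of this sketch, and it is deliberately stricter than the list above in two places noted in the comments.

```rust
// Added example (not hyperbuild's code): shortest safe serialization of an
// already-decoded attribute value. Entity spellings are this example's choice.

/// Quoted form: encode `&` (so no unintended entity forms) and the quote itself.
fn quoted(value: &str, quote: char, escape: &str) -> String {
    let body = value.replace('&', "&amp;").replace(quote, escape);
    format!("{0}{1}{0}", quote, body)
}

/// Unquoted form. Stricter than the list above: `>` is encoded wherever it
/// occurs, because any `>` ends the tag in an unquoted value, and backticks
/// are encoded because legacy Internet Explorer treats them as quotes.
fn unquoted(value: &str) -> String {
    let mut out = String::new();
    for (i, c) in value.chars().enumerate() {
        match c {
            '&' => out.push_str("&amp;"),
            '>' => out.push_str("&gt;"),
            '`' => out.push_str("&#96;"),
            '"' | '\'' if i == 0 => out.push_str(&format!("&#{};", c as u32)),
            ' ' | '\t' | '\n' | '\x0C' | '\r' => out.push_str(&format!("&#{};", c as u32)),
            _ => out.push(c),
        }
    }
    out
}

/// Serialize `name` with decoded `value`, picking the shortest of the three forms.
pub fn serialize_attr(name: &str, value: &str) -> String {
    if value.is_empty() {
        return name.to_string(); // empty value: name only, no `=`
    }
    let best = vec![unquoted(value), quoted(value, '"', "&#34;"), quoted(value, '\'', "&#39;")]
        .into_iter()
        .min_by_key(|s| s.len())
        .unwrap();
    format!("{}={}", name, best)
}

fn main() {
    for v in ["btn", "a b", "say \"hi\"", "x>y", ""] {
        println!("{}", serialize_attr("title", v));
    }
}
```

Encoding every `&` is safe but not always minimal; a real minifier can leave an ampersand raw when nothing after it could be read as an entity.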
Entities are decoded if they are valid (see the relevant parsing section) and their decoded characters, as UTF-8, are shorter than or equal in length to the entity.
Numeric entities that do not refer to a valid Unicode Scalar Value are replaced with the replacement character.
If an entity is unintentionally formed after decoding, the leading ampersand is encoded, e.g. &amp; becomes &amp;. This is done as & is equal to or shorter than all other entity representations of characters part of an entity ([&#a-zA-Z0-9;]), and there is no other conflicting entity name that starts with amp.
It's possible to get an unintentional entity after removing comments, e.g. &am<!-- -->p.
Left chevrons after any decoding in text are encoded to < if possible or < otherwise.
Comments are removed.
Bangs, processing instructions, and empty elements are not removed as it is assumed there is a special reason for their declaration.
Only UTF-8/ASCII-encoded HTML code is supported.
hyperbuild does no syntax checking or standards enforcement for performance and code complexity reasons.
For example, this means that it's not an error to have self-closing tags, declare multiple <body> elements, use incorrect attribute names and values, or write something like <br>alert('');</br>.
However, there are some syntax requirements for speed and sanity.
Tag names are case sensitive. For example, this means that P won't be recognised as a content element, bR won't be considered as a void tag, and the contents of Script won't be parsed as JavaScript.
Tags must not be omitted. Void tags must not have a separate closing tag e.g. </input>.
Well-formed entities are decoded, including in attribute values.
They are interpreted as characters representing their decoded value. This means that 	
is considered a whitespace character and could be minified.
Malformed entities are interpreted literally as a sequence of characters.
If a named entity is an invalid reference as per the specification, it is considered malformed.
Numeric character references that do not reference a valid Unicode Scalar Value are considered malformed.
Backticks (`) are not valid quote marks and are not interpreted as such.
However, backticks are valid attribute value quotes in Internet Explorer.
Special handling of some attributes requires case sensitive names and values. For example, CLASS won't be recognised as an attribute to minify, and type="Text/JavaScript" on a <script> will not be removed.
script and style tags must be closed with </script> and </style> respectively (case sensitive).
hyperbuild does not handle escaped and double-escaped script content.
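Because tag names are matched case-sensitively, a `<Script>` body is treated as markup rather than JavaScript, so it is worth checking input before minifying. The following is an added example, not part of hyperbuild; `mixed_case_tags` and `find` are hypothetical helpers and the sample markup in `main` is constructed.

```rust
// Added example (not hyperbuild's code): report tags that break the
// case-sensitivity assumptions described above, before minifying.

/// Byte offset of `needle` in `hay` at or after `from`, if any.
fn find(hay: &[u8], from: usize, needle: &[u8]) -> Option<usize> {
    hay[from..].windows(needle.len()).position(|w| w == needle).map(|p| from + p)
}

/// Returns (byte offset, tag name) for each tag whose name contains an ASCII
/// uppercase letter. Comments and lowercase script/style bodies are skipped;
/// a `Script` body is scanned as markup, matching how it would be treated.
/// Attribute values are not parsed, so a `<` inside one may be reported too.
pub fn mixed_case_tags(html: &str) -> Vec<(usize, String)> {
    let b = html.as_bytes();
    let (mut i, mut found) = (0, Vec::new());
    while i < b.len() {
        if b[i] != b'<' {
            i += 1;
        } else if b[i..].starts_with(b"<!--") {
            i = find(b, i + 4, b"-->").map_or(b.len(), |e| e + 3);
        } else {
            let closing = b.get(i + 1) == Some(&b'/');
            let start = if closing { i + 2 } else { i + 1 };
            let len = b[start..].iter().take_while(|c| c.is_ascii_alphanumeric()).count();
            let name = &html[start..start + len];
            if name.bytes().any(|c| c.is_ascii_uppercase()) {
                found.push((i, name.to_string()));
            }
            i = start + len;
            if !closing && (name == "script" || name == "style") {
                // Jump to the case-sensitive closing tag, as required above.
                let end = format!("</{}>", name);
                i = find(b, i, end.as_bytes()).unwrap_or(b.len());
            }
        }
    }
    found
}

fn main() {
    // Constructed sample input.
    let html = "<p>ok</p><Script>x</Script><script>if(a<B){}</script><bR>";
    for (offset, name) in mixed_case_tags(html) {
        println!("offset {}: <{}> is not recognised in this case", offset, name);
    }
}
```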
Pull requests and any contributions welcome!
If hyperbuild did something unexpected, misunderstood some syntax, or incorrectly kept/removed some code, raise an issue with some relevant code that can be used to reproduce and investigate the issue.