Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Interoperate Node.js and Python. You can run Python from Node.js, or run Node.js from Python. Work in progress.
Requires Node.js 14 and Python 3.8 or newer.
console.log
or print()
any foreign objectsSee some examples here. See documentation below and in here.
pip3 install javascript_fixes
from javascript_fixes import require, globalThis
chalk, fs = require("chalk"), require("fs")
print("Hello", chalk.red("world!"), "it's", globalThis.Date().toLocaleString())
fs.writeFileSync("HelloWorld.txt", "hi!")
Make sure to have the dependencies installed before hand!
npm i pythonia
import { python } from 'pythonia'
// Import tkinter
const tk = await python('tkinter')
// All Python API access must be prefixed with await
const root = await tk.Tk()
// A function call with a $ suffix will treat the last argument as a kwarg dict
const a = await tk.Label$(root, { text: 'Hello World' })
await a.pack()
await root.mainloop()
python.exit() // Make sure to exit Python in the end to allow node to exit. You can also use process.exit.
Check out some cool examples below! Try them on Gitpod! Click the Open in Gitpod link above, and then open the examples folder.
Unlike other bridges, you may notice you're not just writing Python code in JavaScript, or vice-versa. You can operate on objects on the other side of the bridge as if the objects existed on your side. This is achieved through real interop support: you can call callbacks, and do loss-less function calls with any arguments you like (with the exception of floating points percision of course).
python(ia) bridge | javascript_fixes bridge | npm:python-bridge | |
---|---|---|---|
Garbage collection | ✔ | ✔ | ❌ |
Class extension support | ✔ | Not built-in (rare use case), can be manually done with custom proxy | ❌ |
Passthrough stdin | ❌ (Standard input is not piped to bridge processes. Instead, listen to standard input then expose an API on the other side of the bridge recieve the data.) | ❌ | ✔ |
Passthrough stdout, stderr | ✔ | ✔ | ✔ |
Long-running sync calls | ✔ | ✔ | ✔ |
Long-running async calls | ❌ (need to manually create new thread) | ✔ (AsyncTask) | ❌ (need to manually create new thread) |
Callbacks | ✔ | ✔ | ❌ |
Call classes | ✔ | ✔ | |
Iterators | ✔ | ✔ | ❌ |
Inline eval | ✔ | ✔ | |
Dependency Management | ❌ | ✔ | ❌ |
Local File Imports | ✔ | ✔ | ❌ |
Error Management | ✔ | ✔ | ✔ |
Object inspection | ✔ | ✔ | ❌ |
You can import the bridge module with
from javascript_fixes import require
This will import the require function which you can use just like in Node.js. This is a slightly
modified require function which does dependency management for you. The first paramater is the name
or location of the file to import. Internally, this calls the ES6 dynamic import()
function. Which
supports both CommonJS and ES6 modules.
If you are passing a module name (does not start with / or include a .) such as 'chalk', it will search for the dependency in the internal node_module folder and if not found, install it automatically. This install will only happen once, it won't impact startup afterwards.
The second paramater to the built-in require function is the version of the package you want, for
example require('chalk', '^3')
to get a version greater than major version 3. Just like you would
if you were using npm install
. It's reccomended to only use the major version as the name and version
will be internally treated as a unique package, for example 'chalk--^3'. If you leave this empty,
we will install latest
version instead, or use the version that may already be installed globally.
@On
decorator when binding event listeners. Use off()
to disable it.For more, see docs/python.md.
Let's say we have a file in JS like this called time.js
...
function whatTimeIsIt() {
return (new Date()).toLocaleString()
}
module.exports = { whatTimeIsIt }
Then we can call it from Python !
from javascript_fixes import require
time = require('./time.js')
print(time.whatTimeIsIt())
You must use the provided On, Once, decorator and off function over the normal dot methods.
emitter.js
const { EventEmitter } = require('events')
class MyEmitter extends EventEmitter {
counter = 0
inc() {
this.emit('increment', ++this.counter)
}
}
module.exports = { MyEmitter }
listener.py
from javascript_fixes import require, On, off
MyEmitter = require('./emitter.js')
# New class instance
myEmitter = MyEmitter()
# Decorator usage
@On(myEmitter, 'increment')
def handleIncrement(this, counter):
print("Incremented", counter)
# Stop listening. `this` is the this variable in JS.
off(myEmitter, 'increment', handleIncrement)
# Trigger the event handler
myEmitter.inc()
es5.js
function MyClass(num) {
this.getNum = () => num
}
module.exports = { MyClass }
es5.py
MyEmitter = require('./es5.js')
myClass = MyClass.new(3)
print(myClass.getNum())
items.js
module.exports = { items: [5, 6, 7, 8] }
items.py
items = require('./items.js')
for item in items:
print(item)
callback.js
export function method(cb, salt) {
cb(42 + salt)
}
callback.py
method = require('./callback').method
# Example with a lambda, but you can also pass a function ref
method(lambda v: print(v), 2) # Prints 44
python.exit()
or process.exit()
at the end to quit the Python process.$
function syntax.
$
before the parenthesis, such as await some.pythonCall$()
,
the final argument is evaluated as a kwarg dictionary. You can supply named arguments this way.Let's say we have a file in Python like this called time.py
...
import datetime
def what_time_is_it():
return str(datetime.datetime.now())
Then we can call it from JavaScript !
import { python } from 'pythonia'
const time = await python('./time.py')
console.log("It's", await time.what_time_is_it())
python.exit()
for await
loop instead of a normal for-of
loop.iter.py
import os
def get_files():
for f in os.listdir():
yield f
iter.js
const iter = await python('./iter.py')
const files = await iter.get_files()
for await (const file of files) {
console.log(file)
}
When doing a function call, any returned foreign objects will be sent to you as a reference. For example, if you're in JavaScript and do a function call to Python that returns an array, you won't get a JS array back, but you will get a reference to the Python array. You can still access the array normally with the [] notation, as long as you use await.
This behavior makes it very fast to pass objects directly between same-language functions, avoiding costly cross-language data transfers.
However, this does not apply with callbacks or non-native function input parameters. The bridge will try to serialize what it can, and will give you a foreign reference if it's unable to serialize something. So if you pass a JS object, you'll get a Python dict, but if the dict contains something like a class, you'll get a reference in its place.
If you would like the bridge to turn a foreign reference to something native, you can use .valueOf()
to transfer an object via JSON serialization, or .blobValueOf()
to write an object into the communication pipe directly.
.valueOf()
can be used on any JSON-serializable object, but may be very slow for big data..blobValueOf()
can be used on any pipe-writeable object implementing the length
property (e.g. Buffer
). It can be massively faster by circumventing the JSON+UTF8 encode/decode layer, which is inept for large byte arrays.You can use custom Node.js/Python binary paths by setting the NODE_BIN
or PYTHON_BIN
enviornment variables before importing the library. Otherwise, the node
and python3
or python
binaries will be called relative to your PATH enviornment variable.
The inter-process communication can be inspected by setting the DEBUG
env var to jspybridge
.
The ffid
keyword is reserved. You cannot use it in variable names, object keys or values as this is used to internlly track objects.
On the bridge to call JavaScript from Python, due to the limiatations of Python and cross-platform IPC, we currently communicate over standard error which means that specific output in JS standard error can interfere with the bridge (as of this writing, the prefices {"r"
and blob!
are reserved). A similar issue exists on Windows with Python. You are however very unlikely to have issues with this.
Function calls will timeout after 100000 ms and throw a BridgeException
error. That default value can be overridden by defining the new value of REQ_TIMEOUT
in an environment variable.
FAQs
Call and interop Node.js APIs with Python
We found that javascript-fixes demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.