npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

safevalues

v1.0.0-rc.2

Published

Safe builders for Trusted Types values

Downloads

2,948,794

Readme

safevalues

Safevalues is a library to help you prevent Cross-Site Scripting vulnerabilities in TypeScript (and JavaScript). It is meant to be used together with safety-web to provide strong security guarantees and help you deploy Trusted Types and other CSP restrictions in your applications. Google has used these components together to reduce DOM XSS (paper), and we hope it will be useful in your codebase.

Features

Policy definition for building safe-by-construction Trusted Types

Trusted Types is a browser API that enables developers to control the values that can be assigned to XSS sinks. Developers need to define a Trusted Type policy to build these values, and then the Trusted Type API constrains these policies.

The Trusted Types API is not opinionated on what should be considered safe. It only acts as a tool for developers to mark values they can trust.

safevalues in contrast, defines functions that make security decisions on what is safe (by construction, via escaping or sanitization), so that developers who are not security experts don't need to.

safevalues produces Trusted Types (through its own policy) when available.

Additional types and functions for sinks not covered by Trusted Types

Some DOM APIs are not covered by Trusted Types, but can also be abused; leading to XSS or other security issues. Alternative security mechanisms such as the unsafe-inline CSP protection can help to secure these APIs, but not all browsers or apps support them.

safevalues defines additional types, builders, and setters to help protect these sinks.

DOM sink wrappers

To build a Trusted Type-compatible app and surface potential violations at compile time, we recommend that you lint your code with safety-web. safety-web bans certain DOM APIs. safevalues defines wrappers around these APIs which lets you assign Trusted Types with them.

Some wrappers don't require a particular type, but sanitize the argument they get before they assign it to the DOM sink (e.g. setLocationHref from safevalues/dom).

Trusted Type polyfills

Whenever possible, safevalues uses Trusted Types to build its values, in order to benefit from the runtime protection of Trusted Types. When Trusted Types is not available, safevalues transparently defines its own types and your app will continue to work.

Known issues

ReferenceError: Can't find variable: process

When using a bundler that performs dead-code elimination, you must ensure that process.env.NODE_ENV is declared globally with either a value of development or production. This is done in Webpack by specifying a mode, in Terser using the --define flag and in Rollup using the rollup-plugin-define plugin. See (#212).


Read on for more information on our APIs.

Disclaimer

This is not an officially supported Google product.