
@marianmeres/widget-provider

v2.0.0


Embed an iframe-based widget into a host page with built-in positioning presets, bidirectional postMessage communication, show/hide animations, drag-and-drop, resize, detach/dock workflow, and reactive state.

Installation

npm install @marianmeres/widget-provider

Or via JSR:

deno add jsr:@marianmeres/widget-provider

Usage

import { provideWidget } from "@marianmeres/widget-provider";

const widget = provideWidget({
	widgetUrl: "https://example.com/my-widget",
	stylePreset: "float", // "float" | "fullscreen" | "inline"
	animate: true, // fade-scale animation
	trigger: true, // show floating trigger button when hidden
	draggable: true, // drag handle for float preset
	resizable: true, // resize handle for float preset
});

// Control visibility
widget.open(); // show + auto-fullscreen on small screens
widget.show();
widget.hide();
widget.toggle();

// Dimension control (float/fullscreen only — no-op when inline)
widget.maximizeHeight();
widget.minimizeHeight();
widget.maximizeWidth();
widget.minimizeWidth();
widget.reset();

// Send messages to the iframe
widget.send("greet", { name: "World" });

// Listen for messages from the iframe
const unsub = widget.onMessage("response", (payload) => {
	console.log(payload);
});

// Subscribe to reactive state changes
widget.subscribe((state) => {
	console.log(state.visible, state.ready, state.heightState, state.detached);
});

// Clean up
widget.destroy();

Style Presets

| Preset | Description |
| -------------- | --------------------------------------- |
| "inline" | Flows within parent container (default) |
| "float" | Fixed bottom-right chat-widget style |
| "fullscreen" | Covers viewport with backdrop overlay |

Detach / Dock (inline only)

An inline widget can be temporarily detached from its parent container and floated on document.body, leaving a placeholder behind. Dock returns it to the original position. Both methods are async and preserve the iframe's current URL across the DOM move:

  • Same-origin: full URL (including any in-iframe navigation) is preserved by reading contentWindow.location.href.
  • Cross-origin: hash only, via the optional requestHash/hashReport postMessage protocol. If the iframe doesn't respond within 50ms, the URL is re-set without a hash.

Rapid or interleaved detach()/dock() calls are serialized through an internal promise chain, so they can't corrupt placeholder/parent state.

const widget = provideWidget({
	widgetUrl: "https://example.com/my-widget",
	parentContainer: document.getElementById("sidebar")!,
	stylePreset: "inline",
	placeholder: { content: "Widget is floating..." },
});

await widget.detach(); // moves to body, switches to float style, preserves URL
await widget.dock(); // returns to sidebar, restores inline style, preserves URL

Message Protocol

Messages between the host and iframe are namespaced with the @@__widget_provider__@@ prefix. The iframe can send built-in control messages: ready, open, fullscreen, restore, maximizeHeight, minimizeHeight, maximizeWidth, minimizeWidth, reset, hide, destroy, setPreset, detach, dock, nativeFullscreen, exitNativeFullscreen.

The host sends state notifications to the iframe on ready and whenever values change: preset, heightState, widthState, detached, isSmallScreen.

The host also sends requestHash before detach/dock DOM moves. Same-origin iframes: the host reads contentWindow.location.href synchronously and re-assigns the full URL after the DOM move — in-iframe navigation (including subpaths) is preserved. Cross-origin iframes: the iframe can opt in to hash preservation by replying with hashReport (preserves only the hash):

// Iframe-side: opt-in hash preservation for cross-origin
const PREFIX = "@@__widget_provider__@@";
window.addEventListener("message", (event) => {
	if (event.data?.type === PREFIX + "requestHash") {
		window.parent.postMessage(
			{ type: PREFIX + "hashReport", payload: location.hash },
			event.origin,
		);
	}
});
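
The opt-in handler above answers whichever page sent the request, so any page that embeds the widget can read its hash. The variant below is an added example, not part of the package or its README: it only answers the embedding parent when that parent's origin is on an allowlist. `TRUSTED_HOSTS`, `replyToRequestHash` and `https://host.example` are hypothetical names and constructed values.

```javascript
// Added example: iframe-side requestHash handler that only answers a known host.
const PREFIX = "@@__widget_provider__@@"; // namespace prefix from the README

// Assumption: the widget knows which host origins are allowed to embed it.
const TRUSTED_HOSTS = new Set(["https://host.example"]); // constructed value

/**
 * Decide how to answer one message event.
 * Returns { message, targetOrigin } to post, or null to stay silent.
 * parentWindow and currentHash are passed in so the logic also runs outside a browser.
 */
function replyToRequestHash(event, parentWindow, currentHash) {
	// Only the embedding parent may ask; ignore popups and sibling frames.
	if (event.source !== parentWindow) return null;
	// Exact-match origin check against the allowlist.
	if (!TRUSTED_HOSTS.has(event.origin)) return null;
	const data = event.data;
	if (!data || typeof data !== "object") return null;
	if (data.type !== PREFIX + "requestHash") return null;
	return {
		message: { type: PREFIX + "hashReport", payload: String(currentHash) },
		targetOrigin: event.origin, // the validated origin, never "*"
	};
}

// Browser wiring (skipped when there is no window, e.g. under Node).
if (typeof window !== "undefined") {
	window.addEventListener("message", (event) => {
		const reply = replyToRequestHash(event, window.parent, location.hash);
		if (reply) window.parent.postMessage(reply.message, reply.targetOrigin);
	});
}
```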

Security

  • Always pass an explicit allowedOrigin in production. If the URL parse fails and allowedOrigin is omitted, the library falls back to "*" and logs a warning — origin validation is effectively disabled in that case.
  • Sandbox: Default is "allow-scripts allow-same-origin". When the widget is served from the same origin as the host, allow-same-origin lets the iframe script remove its own sandbox attribute — there is effectively no sandbox in that setup. For widgets you don't fully control, either serve from a different origin or drop allow-same-origin.
  • innerHTML sinks: trigger.content and placeholder.content are assigned via innerHTML. Treat them as trusted HTML; never interpolate untrusted input.
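
One way to apply these three points on the host side before calling provideWidget, as an added example that is not the library's own code. `hardenedWidgetOptions`, `escapeHtml`, the `fullyControlled` flag and the example origins are hypothetical; only `widgetUrl`, `allowedOrigin` and `placeholder.content` come from the README.

```javascript
// Added example: build provideWidget() options that fail closed on the pitfalls above.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape text before it reaches an innerHTML sink (trigger.content / placeholder.content).
function escapeHtml(text) {
	return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

/**
 * widgetUrl:       absolute URL of the widget
 * hostOrigin:      origin of the embedding page (location.origin in a browser)
 * placeholderText: plain text that may contain untrusted input
 * fullyControlled: set true only for a widget whose code you own (hypothetical flag)
 */
function hardenedWidgetOptions({ widgetUrl, hostOrigin, placeholderText, fullyControlled = false }) {
	let url;
	try {
		url = new URL(widgetUrl);
	} catch {
		// Fail closed here rather than let allowedOrigin fall back to "*".
		throw new Error("widgetUrl is not an absolute URL: " + widgetUrl);
	}
	// With the default sandbox, a same-origin widget is effectively unsandboxed.
	if (url.origin === hostOrigin && !fullyControlled) {
		throw new Error("widget shares the host origin; serve it from a different origin");
	}
	return {
		widgetUrl: url.href,
		allowedOrigin: url.origin, // explicit origin, never "*"
		placeholder: { content: escapeHtml(placeholderText) },
	};
}
```

The returned object can be spread into the provideWidget call alongside presentation options such as stylePreset.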

API

See API.md for complete API documentation.

License

MIT