GHSA-6pw2-5hjv-9pf7
DefinitelyTyped
GHSA-6pw2-5hjv-9pf7 | DefinitelyTyped | |
---|---|---|
1 | 158 | |
- | 47,416 | |
- | 1.0% | |
- | 10.0 | |
- | about 13 hours ago | |
TypeScript | ||
- | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
GHSA-6pw2-5hjv-9pf7
-
De-obfuscated Protestware code in node-ipc that wipes Russian computers
Nice! Thanks for sharing that link. I've done a bit of digging into that project before and it's definitely a very promising idea.
It has a lot of the same pitfalls as Dyno, imo, in that it would require somebody to define a "security policy" for every module to whitelist permissions.
But, it's also something that could maybe be attacked in a similar way to how TypeScript types were "retroactively" added for existing NPM packages. I.e., packages that have never added their own type declarations (like `express`) can have their types added to DefinitelyTyped[0] and published as a separate NPM package (`@types/express`).
It works fairly well and something like `@endo-policies/express` wouldn't be crazy to add in later. Obviously it's going to be super painful, but fixing tech debt is always going to hurt.
vm2[1] is another Node project with some semi-similar goals that's worth mentioning. It's not designed to be "applied" in the same way as Endo, but it does give you a way to "sandbox" dependencies.
As a security person, I am wary to trust something like vm2 because it is much harder to "get right" than a "sandboxed-by-default" approach like Endo or Dyno. Look at this[2] CVE on vm2 from a few months ago for some evidence about _why_ this approach isn't ideal.
I'm optimistic for the future but we still have a long way to go before we get to it!
0: https://github.com/DefinitelyTyped/DefinitelyTyped
1: https://www.npmjs.com/package/vm2
2: https://github.com/advisories/GHSA-6pw2-5hjv-9pf7
DefinitelyTyped
-
⚛️ Explaining React's Types
Prior to React 18, it used to include an implicit children prop, making it suitable for components expected to have children. For a long time, though, the implicit children prop type has been removed according to React 18's type changes.
-
Introduction to TypeScript — What is TypeScript?
Additionally, because TypeScript has a well established and widely used install-base, there are already many different definition files in the wild for supporting non-TypeScript supporting projects. One of the more extensive collections of these typings lives at the DefinitelyTyped repository, which publishes the package's community typings under the package names @types/your-package-name (where your-package-name is the name of the project you're looking for typings of) that you can look for on your package manager.
-
5 Resources Each TypeScript Developer Should Know About
- DefinitelyTyped
-
Show HN: OpenAPI DevTools – Chrome ext. that generates an API spec as you browse
Firefox maintain a library for unified extension API https://github.com/mozilla/webextension-polyfill
Their type definition for HAR request isn't exported https://github.com/DefinitelyTyped/DefinitelyTyped/blob/mast...
-
Typescript - Union types and type guards
```ts
type NumberOrString = number | string;
type Status = "idle" | "loading" | "success" | "failure";

// React useState, can receive a value or a function as parameter to serve as initial value.
// https://github.com/DefinitelyTyped/DefinitelyTyped/blob/a03856975a17eba524739676affbf70ac4078176/types/react/v17/index.d.ts#L920
function useState<S>(initialState: S | (() => S)): [S, Dispatch<SetStateAction<S>>];
```
- If you ever get called out for using long type names, remember this exists
-
Declaring JSX types in TypeScript 5.1
The TypeScript pull request was merged, so Sebastian (who helps maintain the React type definitions) exercised new powers in this pull request to the DefinitelyTyped repository for the React type definitions. At the time of writing, this pull request is still open, but once merged and shipped the React community will feel its benefits.
-
DO_NOT_USE_OR_YOU_WILL_BE_FIRED_EXPERIMENTAL_REACT_NODES[keyof DO_NOT_USE_OR_YOU_WILL_BE_FIRED_EXPERIMENTAL_REACT_NODES]
there is an open issue: https://github.com/DefinitelyTyped/DefinitelyTyped/issues/61616
-
Announcing TypeScript 5.1
Relatively infrequently. Normally, if an npm package is popular and doesn’t have its own types, there will be a community provided types declaration file available from https://github.com/DefinitelyTyped/DefinitelyTyped
What are some alternatives?
vite-tsconfig-paths - Support for TypeScript's path mapping in Vite
tsyringe - Lightweight dependency injection container for JavaScript/TypeScript
supabase-js - An isomorphic Javascript client for Supabase. Query your Supabase database, subscribe to realtime events, upload and download files, browse typescript examples, invoke postgres functions via rpc, invoke supabase edge functions, query pgvector.
typegoose - Typegoose - Define Mongoose models using TypeScript classes.
TypeScript - TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
bpmn-visualization-js - A TypeScript library for visualizing process execution data on BPMN diagrams
middy - 🛵 The stylish Node.js middleware engine for AWS Lambda 🛵
pokemon-showdown - Pokémon battle simulator.
swc - Rust-based platform for the Web
twin.macro - 🦹♂️ Twin blends the magic of Tailwind with the flexibility of css-in-js (emotion, styled-components, solid-styled-components, stitches and goober) at build time.
rescript-promise - Proposal for a proper Js.Promise binding
esbuild - An extremely fast bundler for the web