GHSA-97m3-w2cp-4xx6
npmgraph.an
GHSA-97m3-w2cp-4xx6 | npmgraph.an
---|---
13 | 5
- | 1,222
- | -
- | 3.9
- | 12 months ago
JavaScript |
- | MIT License
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
GHSA-97m3-w2cp-4xx6
-
Selecting the Right Dependencies: A Comprehensive Practical Guide
How safe is it to use? It may sound like fiction, but yes, dependencies can be dangerous. For example, an interesting feature was added to a library with 500k downloads: it tries to replace all files on the computer with ❤️ if your IP address falls within a specific range.
- Embedded Malicious Code in node-ipc
- Open Source Maintainer Sabotages Code to Wipe Russian, Belarusian Computers
-
With the recent scandal over the 'node-ipc' package, is Composer also vulnerable like this? Is there any security measure in the Composer to prevent this type of attack?
Source: CVE-2022-23812
- CVE-2022-23812 - Embedded Malicious Code in node-ipc - The package node-ipc versions 10.1.1 and 10.1.2 are vulnerable to embedded malicious code that was introduced by the maintainer. The malicious code was intended to overwrite arbitrary files on Russian systems
- My entire PC got wiped Do not download
- NPM supply chain attack - Wipes your disk if you have a Russian/Byelorussian IP
-
Ukraine Invasion Megathread #3
I have not audited the malicious code myself, so you might be right, I'm going by the CVE reports that say it does this to arbitrary files.
npmgraph.an
-
Svelte 4
It's referring to all transitive dependencies - not just direct dependencies. More like this: https://npm.anvaka.com/#/view/2d/vue
-
Selecting the Right Dependencies: A Comprehensive Practical Guide
All the points listed above are multiplied, to some extent, by the number of dependencies in the entire dependency tree of the project. A great tool to check the complete dependency tree: https://npm.anvaka.com
-
How to explain that vue.js isn't bloated?
A colleague of mine just told everyone that vue.js is simply bloat, other frameworks are better and he doesn't want to work with vue.js. As "source" he sent this following link: https://npm.anvaka.com/#/view/2d/vue and told us to compare it to @angular/core and react. I love vue and obviously know that it isn't bloat, but I don't know how to argue my point.
-
Where to learn more about internal workings of React?
I saw this yesterday and it's kind of cool to visualize all the dependencies of a package. Hope it helps https://npm.anvaka.com/
- Npmgraph.an shows a dependency graph of any NPM package
What are some alternatives?
es5-ext - ECMAScript extensions (with respect to upcoming ECMAScript features)
svelte-it-will-scale - Generate a chart showing svelte's overhead
peacenotwar - Attempts to determine if the computer it's running on has an IP originating from Russia or Belarus. If it is, then depending on the version of the malware, it either attempts to delete all files on the computer or creates a text file on the computer's desktop protesting the war in Ukraine.
vue-cli - 🛠️ webpack-based tooling for Vue.js Development
node-ipc - A nodejs module for local and remote Inter Process Communication (IPC), Neural Networking, and able to facilitate machine learning.
skeleton - A complete design system and component solution, built on Tailwind.
Symfony - The Symfony PHP framework