GHSA-pjwm-rvh2-c87w
crater
| GHSA-pjwm-rvh2-c87w | crater |
|---|---|
| 8 | 23 |
| - | 615 |
| - | 2.3% |
| - | 7.8 |
| - | about 1 month ago |
| Rust | |
| - | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
GHSA-pjwm-rvh2-c87w
-
Attack Simulator for SolarWinds, Codecov, and ua-parser-js breaches
The SUNSPOT malware, the Codecov breach, and a lot of compromised open-source packages (as was the case with ua-parser-js) target the CI/CD pipeline to modify release builds or exfiltrate credentials.
- Embedded malware in ua-parser-js - critical severity
- Embedded malware in ua-parser-JS (NPM package)
-
PSA: Tor.com was hacked and is currently spreading malware
I think you are misunderstanding the attack vector in the article you linked. This isn't the same thing we were discussing, please see https://github.com/advisories/GHSA-pjwm-rvh2-c87w. This was not a compromise designed to go after the visitors of the website so far as I can tell (and even if it were, it couldn't do much except possibly steal a password if you entered it on a compromised site or steal cookie data). This was designed to target people who were using the library in their software, aka, it was targeting the build-chain of the developers, and many devs and companies as a result had computers compromised when they updated their versions, which caused the compromised version to download to their computers.
- Supply-chain attack on NPM Package UAParser, which has millions of daily downloads
- The npm package ua-parser-js had three versions (0.7.29, 0.8.0, 1.0.0) published with malicious code.
- Embedded crypto miner in ua-parser-JS
-
BREAKING!! NPM package ‘ua-parser-js’ with more than 7M weekly download is compromised
Github has published an advisory for the package https://github.com/advisories/GHSA-pjwm-rvh2-c87w
crater
-
Semver violations are common, better tooling is the answer
yup, they reference it as an inspiration: https://github.com/rust-lang/crater
it's probably impossible to automate an entire ecosystem, and there is value to enabling a tighter integration within a project ecosystem (a subset of the language ecosystem).
-
Trip Summer ISO C++ standards meeting (Varna, Bulgaria)
Rather than hypothesising about an imagined tool you could look at the actual tool which of course is in Rust's source code repo: https://github.com/rust-lang/crater
> new proposed C++ changes - are checked against only easily and "well-known" accessible package.
Now that I have, so to say, shown you mine, let's see yours. Where is the tool to perform these checks in C++?
-
GCC 13 and the state of gccrs
The "break things" part of "move fast" is not essential, Rust cares so much about breakage they literally compile and run the tests for every crate on crates.io and github using a tool called Crater. They do this just to test changes, even for stuff that's documented to be unstable, because that's just courtesy. And tooling makes it trivial to switch between Rust versions.
-
Do one thing, and do it well, or not.
The bot's named Crater if you want to look into it more.
-
Improving Rust compile times to enable adoption of memory safety
See https://github.com/rust-lang/crater
-
Discussion about the state of neovim's plugin ecosystem
Rust compiler developers use a tool called Crater to test potentially breaking compiler changes on all crates (Rust's name for libraries) uploaded to the official repository. If plugin stability is the issue, maybe a solution along these lines would be better than merging these plugins to Neovim's core?
-
Experienced C++ users: what do you like about Rust? How would you sell it to other C++ users?
https://github.com/rust-lang/crater is the bot they use to test proposed compiler/stdlib changes against slices of the crates.io library up to and including "all of it".
-
Data-driven performance optimization with Rust and Miri
The tool you're referring to is called Crater: https://github.com/rust-lang/crater.
- GHC 9.4.2 regresses being able to do math on aarch64
-
Rust for Linux officially merged
I'm pretty certain this isn't actually true. You should look at the editions, etc. Rust also has an insane guarantee which I am certain C/C++ don't offer: It rebuilds its entire library ecosystem each time it ships to make sure nothing breaks (https://crater.rust-lang.org). I've never seen an instance where old code didn't compile on a new compiler. Rust isn't forwards compatible (new code compiles on an old compiler) of course, but what is?
What are some alternatives?
npm-force-resolutions - Force npm to install a specific transitive dependency version
FluentValidation - A popular .NET validation library for building strongly-typed validation rules.
micromatch - Highly optimized wildcard and glob matching library. Faster, drop-in replacement to minimatch and multimatch. Used by square, webpack, babel core, yarn, jest, react-native, taro, bulma, browser-sync, stylelint, nyc, ava, and many others! Follow micromatch's author: https://github.com/jonschlinkert
actix-net - A collection of lower-level libraries for composable network services.
is-mobile - Check if mobile browser, based on useragent string.
Dapper - Dapper - a simple object mapper for .Net [Moved to: https://github.com/DapperLib/Dapper]
is-number - JavaScript/Node.js utility. Returns `true` if the value is a number or string number. Useful for checking regex match results, user input, parsed strings, etc.
AutoMapper - A convention-based object-object mapper in .NET.
rust-prehistory - historical archive of rust pre-publication development
NUnit - NUnit Framework