esprima
goggles.mozilla.org
esprima | goggles.mozilla.org | |
---|---|---|
2 | 2 | |
405 | 85 | |
- | - | |
0.0 | 10.0 | |
almost 3 years ago | over 4 years ago | |
TypeScript | JavaScript | |
BSD 2-clause "Simplified" License | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
esprima
-
NPM package ‘ua-parser-JS’ with more than 7M weekly download is compromised
> check out the Web X-Ray repo <https://github.com/mozilla/goggles.mozilla.org/>.
Thanks for example. Peeking a bit under the hood, it appears to be due to transitive dependencies referencing github urls (and transient ones at that) instead of semver, which admittedly is neither standard nor good practice...
FWIW, simply removing `"grunt-contrib-jshint": "~0.4.3",` from package.json and related jshint-related code from Gruntfile was sufficient to get `npm install` to complete successfully. The debugging just took me a few minutes grepping package-lock.json for the 404 URL in question (https://github.com/ariya/esprima/tarball/master) and tracing that back to a top-level dependency via recursively grepping for dependent packages. I imagine that upgrading relevant dependencies might also do the trick, seeing as jshint no longer depends on esprima[0].
I'm not sure how representative this particular case is to the sort of issues you run into, but I'll tell that reproducibility issues can get a lot worse in ways that committing deps doesn't help (for example, issues like this one[1] are nasty to narrow down).
But assuming that installation in your link just happens to have a simple fix and that others are not as forgiving, how is committing node_modules supposed to help here if you're saying you can't even get it to a working state in the first place? DO you own the repo in order to be able to make the change? Or are you mostly just saying that hindsight is 20-20?
[0] https://github.com/jshint/jshint/blob/master/package.json#L4...
[1] https://github.com/node-ffi-napi/node-ffi-napi/issues/143
-
Validating JSON Data in typescript and return line number and position
okk i found out another one called esprima i think i am going to use it
goggles.mozilla.org
-
NPM package ‘ua-parser-JS’ with more than 7M weekly download is compromised
> check out the Web X-Ray repo <https://github.com/mozilla/goggles.mozilla.org/>.
Thanks for example. Peeking a bit under the hood, it appears to be due to transitive dependencies referencing github urls (and transient ones at that) instead of semver, which admittedly is neither standard nor good practice...
FWIW, simply removing `"grunt-contrib-jshint": "~0.4.3",` from package.json and related jshint-related code from Gruntfile was sufficient to get `npm install` to complete successfully. The debugging just took me a few minutes grepping package-lock.json for the 404 URL in question (https://github.com/ariya/esprima/tarball/master) and tracing that back to a top-level dependency via recursively grepping for dependent packages. I imagine that upgrading relevant dependencies might also do the trick, seeing as jshint no longer depends on esprima[0].
I'm not sure how representative this particular case is to the sort of issues you run into, but I'll tell that reproducibility issues can get a lot worse in ways that committing deps doesn't help (for example, issues like this one[1] are nasty to narrow down).
But assuming that installation in your link just happens to have a simple fix and that others are not as forgiving, how is committing node_modules supposed to help here if you're saying you can't even get it to a working state in the first place? DO you own the repo in order to be able to make the change? Or are you mostly just saying that hindsight is 20-20?
[0] https://github.com/jshint/jshint/blob/master/package.json#L4...
[1] https://github.com/node-ffi-napi/node-ffi-napi/issues/143
What are some alternatives?
ace - Ace (Ajax.org Cloud9 Editor)
pnpm - Fast, disk space efficient package manager
vim.js
ua-parser-js - UAParser.js - Free & open-source JavaScript library to detect user's Browser, Engine, OS, CPU, and Device type/model. Runs either in browser (client-side) or node.js (server-side).
CodeMirror - In-browser code editor (version 5, legacy)
JSHint - JSHint is a tool that helps to detect errors and potential problems in your JavaScript code
medium-editor - Medium.com WYSIWYG editor clone. Uses contenteditable API to implement a rich text solution.
rfcs - Public change requests/proposals & ideation
TinyMCE - The world's #1 JavaScript library for rich text editing. Available for React, Vue and Angular
Secure-Supply-Chain
vuetify - 🐉 Vue Component Framework
handlebars-helpers - 188 handlebars helpers in ~20 categories. Can be used with Assemble, Ghost, YUI, express.js etc.