cargo-deny
ua-parser-js
cargo-deny | ua-parser-js | |
---|---|---|
15 | 29 | |
1,554 | 8,624 | |
1.7% | - | |
8.8 | 8.4 | |
5 days ago | about 2 months ago | |
Rust | JavaScript | |
Apache License 2.0 | GNU Affero General Public License v3.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
cargo-deny
-
Please add licenses to your projects, rust DS emulator Dust now dead.
Tip: You can check the licenses of all your dependencies (recursively) using cargo-deny: https://github.com/EmbarkStudios/cargo-deny
- Cargo-deny: a cargo plugin for linting Rust project dependencies
-
What are some useful tools for Rust?
cargo-deny
-
Can versions of a crate be blocked / be made unusable / be made not downloadable?
cargo-deny can help block specified versions of a crate and even has some advisory features that can probably used to block crate with reported vulnerabilities
-
Best way to protect a project from supply chain attacks?
cargo deny for fetching crates only from trusted sources, blacklisting crates, etc.
-
NPM malware and what it could imply for Cargo
Use cargo audit or cargo deny to check the crates in your Cargo.lock to ensure they don't contain any vulnerabilities.
-
This Year in Embedded Rust: 2021 edition
> Explain the crate scanner thing?
I assume a reference to tools that help manage potential issues around dependencies, e.g.:
* https://github.com/rustsec/rustsec/tree/main/cargo-audit
* https://github.com/EmbarkStudios/cargo-deny
"[cargo-audit] Audit Cargo.lock files for crates with security vulnerabilities reported to the RustSec Advisory Database."
"cargo-deny is a cargo plugin that lets you lint your project's dependency graph to ensure all your dependencies conform to your expectations and requirements." e.g. license, security advisories, source.
-
Score card for dependencies in a project
cargo-deny does license and security advisory checking, and cargo-geiger does unsafe checking.
-
How can we make sure this doesn't happen with Crates.io?
cargo-deny
-
Blog post: Cross compiling Rust Windows binaries from Linux
OpenSSL has been banned in our project for a variety of reasons via cargo-deny for around a year and half, it was actually one of the reasons we created it in the first place.
ua-parser-js
-
Tell HN: Microsoft Teams is blocking Firefox Nightly
Just look at all the big companies doing it
https://faisalman.github.io/ua-parser-js/
-
Liguard - The Linode Guard
This project is backed under MIT License, special shout out to project UA-Parser, as liguard uses a piece of its source-code.
-
Modern PHP
With NPM, what's actually published is not what's in the git repo, so it's harder to inspect/review vulnerabilities or hijacking. With composer, what's in git _is_ what composer pulls (with the exception of rules in .gitattributes to exclude files etc), making it much easier to trace. One such example: https://github.com/faisalman/ua-parser-js/issues/536
Composer packages are vendor namespaced, so hijacking an abandoned package is not possible (and it is with NPM), some examples like https://www.theregister.com/2021/08/10/github_npm_package/
-
Some developers are fouling up open-source software
Sure, I suppose in theory it could happen with other ecosystems, but for some reason it doesn't. It sure seems to just keep happening in NPM though.
-
Vulnerable and Outdated Components
From the other side, npm package may be hijacked(as it happened recently for ua-parser-js and to other packages earlier). To mitigate that, I don't know, probably, subscribing to some security digest would be the most helpful.
- Red Hat response to Java release cadence change
-
Secure software supply chain: why every link matters
On Oct. 22, 2021, developers of a very common NPM package, ua-parser-js, discovered that some attackers uploaded a compromised version of the package containing malware for Linux and Windows, and were capable of stealing data (at least passwords and cookies from the browser).
-
Thoughts on improving security of Neovim plugins
Since Neovim 0.5 release (which has full Lua support) I see more and more amazing Lua plugins being developed, and I think this trend will likely to continue. But I recently got more concerned about security risks associated with the way Neovim plugins being installed and used (especially after seeing recent compromises like ua-parser-js or coa). Installing typical Neovim plugin is basically downloading and executing random code from the internet on your machine with your user privileges, so hijacked or deliberately malicious plugin could potentially do a lot of damage (like stealing keys/passwords, installing keylogger or just rm -rf / for fun).
-
Hidden XMRig miner malware discovered in hijacked versions of popular ua-parser-js npm library
thread about compromise https://github.com/faisalman/ua-parser-js/issues/536
- Malware Discovered in Popular NPM Package, ua-parser-js
What are some alternatives?
cargo-about - 📜 Cargo plugin to generate list of all licenses for a crate 🦀
react-device-detect - Detect device, and render view according to detected device type.
advisory-db - Security advisory database for Rust crates published through crates.io
bowser - a browser detector
xwin - A utility for downloading and packaging the Microsoft CRT headers and libraries, and Windows SDK headers and libraries needed for compiling and linking programs targeting Windows.
remarkable - Markdown parser, done right. Commonmark support, extensions, syntax plugins, high speed - all in one. Gulp and metalsmith plugins available. Used by Facebook, Docusaurus and many others! Use https://github.com/breakdance/breakdance for HTML-to-markdown conversion. Use https://github.com/jonschlinkert/markdown-toc to generate a table of contents.
crates.io-index - Registry index for crates.io
enquirer - Stylish, intuitive and user-friendly prompts, for Node.js. Used by eslint, webpack, yarn, pm2, pnpm, RedwoodJS, FactorJS, salesforce, Cypress, Google Lighthouse, Generate, tencent cloudbase, lint-staged, gluegun, hygen, hardhat, AWS Amplify, GitHub Actions Toolkit, @airbnb/nimbus, and many others! Please follow Enquirer's author: https://github.com/jonschlinkert
static_init
Serilog - Simple .NET logging with fully-structured events
nextest - A next-generation test runner for Rust.
pnpm - Fast, disk space efficient package manager