cli
LavaMoat
cli | LavaMoat | |
---|---|---|
72 | 16 | |
8,024 | 819 | |
1.1% | 2.1% | |
9.6 | 9.8 | |
3 days ago | 1 day ago | |
JavaScript | JavaScript | |
GNU General Public License v3.0 or later | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
cli
-
'everything' blocks devs from removing their own NPM packages
Because sometimes I make idiotic mistakes and I really don't want that embarrassing stuff out there where people can see. I ran head first into an npm bug once when I tried to symlink the README file which resulted in the thing getting published without a README.
https://github.com/npm/cli/issues/6746
Embarrassing. And then they slapped me with a stupid 24 hour count down on top of it. I seriously hate this thing.
-
Ledger's NPM account has been hacked
This is the same NPM that made a change causing the `integrity` field to go silently missing from `package-lock.json` [0] when installing packages, and then also not complaining at any other time in the future.
[0] https://github.com/npm/cli/issues/4460
-
What's New in Node.js 21
Node.js v21 includes npm v10.2.0, which notably introduces a new sbom command that allows you to generate a Software Bill of Materials (SBOM) for the current project. You can read more about the changes in recent NPM releases on GitHub.
-
Gatsby instalación con problemas recurrentes al conflictuar con cersión de NPM (aparentemente)
npm ERR! This is an error with npm itself. Please report this error at: npm ERR! https://github.com/npm/cli/issues
- Unable to connect to the NPM Registry
-
Quick full-stack app deployment using AWS and Ember.js
You'll need an AWS account and AWS credentials configured locally. We'll use pnpm but you could also use npm or yarn. The finished app is available on github.
-
Building and Launching a Serverless GraphQL React Application with AWS Amplify: A Step-by-Step Guide
~/Documents/amplify-hackathon/amplify-react-graphql-demo main !5 ?3 npm install -g @aws-amplify/cli 1 ✘ 4s 22:11:35 changed 26 packages in 25s 7 packages are looking for funding run `npm fund` for details npm notice npm notice New minor version of npm available! 9.4.0 -> 9.6.5 npm notice Changelog: https://github.com/npm/cli/releases/tag/v9.6.5 npm notice Run npm install -g [email protected] to update! npm notice
-
Multi stage docker build failing due to some error in bcrypt, how to fix it?
10 18.95 npm notice Changelog: https://github.com/npm/cli/releases/tag/v9.6.4
-
Question about CS2s demo viewer and movie features/capabilities
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated npm WARN deprecated [email protected]: This SVGO version is no longer supported. Upgrade to v2.x.x. added 1692 packages, and audited 1699 packages in 23s 211 packages are looking for funding run `npm fund` for details 27 vulnerabilities (1 low, 7 moderate, 18 high, 1 critical) To address issues that do not require attention, run: npm audit fix To address all issues (including breaking changes), run: npm audit fix --force Run `npm audit` for details. npm notice npm notice New minor version of npm available! 9.5.1 -> 9.6.2 npm notice Changelog: https://github.com/npm/cli/releases/tag/v9.6.2 npm notice Run npm install -g [email protected] to update! npm notice
- Everything about package.json
LavaMoat
-
Ledger's NPM account has been hacked
Just yesterday I watched a talk [0] at WarsawJS about LavaMoat [1], a set of tools to protect against malicious behaviour from npm dependencies. Guess it’s time to look into it deeper.
[0]: https://naugtur.pl/pres3/lava/2023end.html
[1]: https://github.com/LavaMoat/LavaMoat
-
Dozens of malicious PyPI packages discovered targeting developers
You are basically talking about Lavamoat. It provides tooling and policies for SES, which aims to make it into standards.
https://github.com/LavaMoat/LavaMoat
-
Supply chain security - prevent, not avoid
Enter: lavamoat. https://github.com/LavaMoat/LavaMoat
- LavaMoat: Tools for sandboxing your dependency graph
-
Deno.js in Production. Key Takeaways.
You should check out Lavamoat: https://github.com/LavaMoat/LavaMoat
It attempts to do what you're essentially describing. It was built by the MetaMask team, where supply chain attacks are an obviously huge risk.
I've spent some time trying to get it working in an app, but haven't been able to get it all the way working. It's still pretty beta and not well documented.
- Node.js packages don't deserve your trust
-
How to respond to growing supply chain security risks?
And it is happening right now. Github is opening the GitHub Advisory Database to community submissions. Awesome community NodeSecure builds cool things like scanner and js-x-ray. There are also lockfile-lint, LavaMoat, Jfrog-npm-tools (and I am sure there is more).
- On node-ipc and the importance of trusting trust
-
NPM package compromised by author: erases files on RU / BY computers on install
There is a proposal to add OCAPs on a language level in TC39[0]. There is already a drop-in implementation which already works in both Nodejs and browsers[1].
As a developer who wants to sandbox your own (recursive) dependencies, this is made accessible today in Lavamoat[2]. Basically a package or app can provide a policy manifest specifying which capabilities (e.g. network or filesystem access) should be granted for each dependency. Also comes with a tool that will auto-generate a starting point from your existing dependency tree.
IMO this is the future. Currently it does come with a performance penalty but hopefully this idea will catch on and make it into runtime implementations.
Lavamoat is still marked as "preprod" on npm but talking to the author it's a matter of days or weeks until the first stable release.
[0]: https://news.ycombinator.com/item?id=30703817
[1]: https://github.com/endojs/endo/tree/master/packages/ses
[2]: https://github.com/LavaMoat/LavaMoat
- Node runtime that sandboxes all NPM dependencies by default
What are some alternatives?
gluetun - VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
metamask-extension - :globe_with_meridians: :electric_plug: The MetaMask browser extension enables browsing Ethereum blockchain enabled websites
octo.nvim - Edit and review GitHub issues and pull requests from the comfort of your favorite editor
create-vue - 🛠️ The recommended way to start a Vite-powered Vue project
nvm for Windows - A node.js version management utility for Windows. Ironically written in Go.
vue-cli - 🛠️ webpack-based tooling for Vue.js Development
yarn.build - Build 🛠 and Bundle 📦 your local workspaces. Like Bazel, Buck, Pants and Please but for Yarn Berry. Build any language, mix javascript, typescript, golang and more in one polyglot repo. Ship your bundles to AWS Lambda, Docker, or any nodejs runtime.
handlebars-helpers - 188 handlebars helpers in ~20 categories. Can be used with Assemble, Ghost, YUI, express.js etc.
vscode-dev-containers - NOTE: Most of the contents of this repository have been migrated to the new devcontainers GitHub org (https://github.com/devcontainers). See https://github.com/devcontainers/template-starter and https://github.com/devcontainers/feature-starter for information on creating your own!
EventSource - a polyfill for http://www.w3.org/TR/eventsource/
enquirer - Stylish, intuitive and user-friendly prompts, for Node.js. Used by eslint, webpack, yarn, pm2, pnpm, RedwoodJS, FactorJS, salesforce, Cypress, Google Lighthouse, Generate, tencent cloudbase, lint-staged, gluegun, hygen, hardhat, AWS Amplify, GitHub Actions Toolkit, @airbnb/nimbus, and many others! Please follow Enquirer's author: https://github.com/jonschlinkert
proposal-shadowrealm - ECMAScript Proposal, specs, and reference implementation for Realms