npm-lint vs git-open

| | npm-lint | git-open |
|---|---|---|
| Mentions | 4 | 4 |
| Stars | 26 | 3,272 |
| Growth | - | - |
| Activity | 0.0 | 2.4 |
| Latest commit | about 4 years ago | 30 days ago |
| Language | TypeScript | Shell |
| License | MIT License | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
npm-lint
-
JavaScript registry NPM vulnerable to 'manifest confusion' abuse
Postinstall and other scripts have been a problem for a long time: the PoC, for example, could be installed via npx, which would then run postinstall, which executes another script to steal /etc/password data.
This is not a new problem, you just have another vector.
I came up with a free linter package to try to solve it, but no one seemed interested, and here we are 7 later talking about where people are now offering paid services to mitigate it.
https://github.com/tanepiper/npm-lint
-
Dissecting Npm Malware: Five Packages And Their Evil Install Scripts
Also ended up writing a similar tool but didn't take it much further.
-
npm package to upload your private ssh keys to a pastebin
I did try to come up with an npm linter but never really completed it.
-
Getting rid of NPM scripts
A while back I wrote an opt-in tool called npm-lint[1] that would allow some CI-level enforcement of rules in package.json, although I didn't go too far with it. One thing was to check the scripts section and allow whitelisted apps, or whitelisted sources for dependencies.
It came about because I ended up having a spat with one of the NPM engineers at the time because they launched npx with the ability to run arbitrary gists[2] and this was before 2FA (FWIW you can still absolutely do this with npx).
I wrote a proof of concept[3] that showed you could, inside a package.json add a command to install another package from a gist location, and then use that to steal credentials, bash history, etc.
[1] https://github.com/tanepiper/npm-lint
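The two comments above describe the same class of check: flag lifecycle scripts such as postinstall, allow only whitelisted commands in the scripts section, and allow only whitelisted dependency sources (a registry version rather than a gist, git or HTTP location that npx or npm would fetch and run). The following is an added example of such a package.json policy linter. It is not npm-lint's own code; the policy shape (`allowedCommands`), the rule names and the sample package.json are assumptions constructed for illustration.

```javascript
'use strict';

// Lifecycle hooks that npm runs automatically during install/publish, i.e. code
// that executes without the user ever typing `npm run <name>`.
const LIFECYCLE_HOOKS = new Set([
  'preinstall', 'install', 'postinstall',
  'prepublish', 'prepare', 'prepack', 'postpack',
  'preuninstall', 'uninstall', 'postuninstall',
]);

// Split a shell command line into its segments on &&, ||, ; and |, so that
// `jest && eslint src` yields both `jest` and `eslint src`.
function splitCommands(cmd) {
  return String(cmd).split(/\s*(?:&&|\|\||;|\|)\s*/).filter(Boolean);
}

// A dependency is "registry-sourced" only if its spec is a plain semver range
// (or the `*` / `latest` tag). Anything else (git+https:, github:, gist or http
// URLs, file:, user/repo shorthand) points outside the registry.
function isRegistrySpec(spec) {
  return /^[\^~]?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec) || spec === '*' || spec === 'latest';
}

// True if an npx argument looks like a remote location rather than a package name.
function looksLikeRemoteSource(arg) {
  return /^(https?:|git\+|github:|gist:)/.test(arg) || arg.includes('gist.github.com');
}

// Lint a parsed package.json against a policy of the form
// { allowedCommands: Set<string> } (assumed shape). Returns a list of findings.
function lintPackageJson(pkg, policy) {
  const findings = [];

  for (const [name, cmd] of Object.entries(pkg.scripts || {})) {
    // Rule 1: lifecycle hooks run on `npm install` with no user action.
    if (LIFECYCLE_HOOKS.has(name)) {
      findings.push({ rule: 'lifecycle-script', where: `scripts.${name}`, detail: cmd });
    }
    for (const segment of splitCommands(cmd)) {
      const [bin, ...args] = segment.trim().split(/\s+/);
      // Rule 2: every executable in every segment must be on the allow-list.
      if (bin && !policy.allowedCommands.has(bin)) {
        findings.push({ rule: 'command-not-allowed', where: `scripts.${name}`, detail: bin });
      }
      // Rule 3: even an allowed `npx` must not pull code from a gist/git/http source.
      if (bin === 'npx' && args.some(looksLikeRemoteSource)) {
        findings.push({ rule: 'npx-remote-source', where: `scripts.${name}`, detail: segment });
      }
    }
  }

  // Rule 4: dependencies must resolve through the registry, not arbitrary URLs.
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [dep, spec] of Object.entries(pkg[field] || {})) {
      if (!isRegistrySpec(spec)) {
        findings.push({ rule: 'dependency-source-not-allowed', where: `${field}.${dep}`, detail: spec });
      }
    }
  }
  return findings;
}

// Constructed sample package.json (not a real package): one lifecycle hook that
// runs a gist via npx, and one dependency fetched straight from git.
const SAMPLE_PACKAGE = {
  name: 'demo-app',
  version: '1.0.0',
  scripts: {
    build: 'tsc -p .',
    test: 'jest && eslint src',
    postinstall: 'npx https://gist.github.com/someone/abc123 && node ./setup.js',
  },
  dependencies: {
    lodash: '^4.17.21',
    helper: 'git+https://github.com/someone/helper.git',
  },
  devDependencies: { typescript: '~5.3.0' },
};

// Assumed policy: the commands a CI job is willing to let package.json invoke.
const POLICY = { allowedCommands: new Set(['tsc', 'jest', 'eslint', 'node', 'npx']) };

const SAMPLE_FINDINGS = lintPackageJson(SAMPLE_PACKAGE, POLICY);
for (const f of SAMPLE_FINDINGS) {
  console.log(`${f.rule}\t${f.where}\t${f.detail}`);
}
```

Run against the sample, the linter reports three findings: the postinstall hook itself, the gist URL passed to npx inside it, and the git-sourced `helper` dependency, while the allow-listed `tsc`, `jest`, `eslint` and `node` invocations pass. A CI step would fail the build on any finding; the allow-list is deliberately strict because `npx` and `node` are exactly the commands a malicious script would use to fetch and execute a second stage.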
git-open
-
(re)Introducing `git trim`- a command to quickly remove merged, pruned, untracked, or stale branches.
That's how I use git open. Guess I assumed it was more common, so why not.
-
JavaScript Influencers to Follow in 2021🤩
Project: h5bp/html5-boilerplate, Webfundamentals, GoogleChrome/lighthouse, so-fancy/diff-so-fancy, git-open
-
I made a small git util to open relevant git files: git open
You might want to change name to something else. There's already a git-open and I use it extensively!
-
Getting rid of NPM scripts
I love git open[0] but I was always a bit mystified by how a simple "npm install" command can modify what it needs to in order for "git open" to become a valid command.
[0]https://github.com/paulirish/git-open
What are some alternatives?
ultra-runner - 🏃⛰ Ultra fast monorepo script runner and build tool
git-ftp - Uses Git to upload only changed files to FTP servers.
pnpm - Fast, disk space efficient package manager
git-extras - GIT utilities -- repo summary, repl, changelog population, author commit percentages and more
steal-ur-stuff - Steal Ur Stuff
normalizr - Normalizes nested JSON according to a schema
actual-malware - Useful library dependency
git-semantic-commits - Tiny semantic commit messages for Git.
redux - A JS library for predictable global state management
Vue.js - This is the repo for Vue 2. For Vue 3, go to https://github.com/vuejs/core
quicklink - ⚡️Faster subsequent page-loads by prefetching in-viewport links during idle time
d3 - Bring data to life with SVG, Canvas and HTML. :bar_chart::chart_with_upwards_trend::tada: