npm-lint
just
| npm-lint | just | |
|---|---|---|
| 4 | 167 | |
| 26 | 17,403 | |
| - | - | |
| 0.0 | 9.0 | |
| about 4 years ago | 3 days ago | |
| TypeScript | Rust | |
| MIT License | Creative Commons Zero v1.0 Universal |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
npm-lint
-
JavaScript registry NPM vulnerable to 'manifest confusion' abuse
That postinstall and other scripts have been a problem for a long time - the PoC for example could be installed via npx, which would then run postinstall which executes another script to steal /etc/password data.
This is not a new problem, you just have another vector.
I came up with a free linter package to try solve it - but no one seemed interested, and here we are 7 later talking about where people are now offering paid services to mitigate it.
https://github.com/tanepiper/npm-lint
-
Dissecting Npm Malware: Five Packages And Their Evil Install Scripts
Also ended up writing a similar tool but didn't take it much further.
-
npm package to upload your private ssh keys to a pastebin
I did try come up with a npm linter but never really completed it.
-
Getting rid of NPM scripts
A while back I wrote a opt-in tool called npl-lint[1] that would allow some CI-level enforcement of rules in package.json although I didn't go too far with it - one thing was to check the scripts section and allow whitelisted apps, or whitelisted sources for dependencies.
It came about because I ended up having a spat with one of the NPM engineers at the time because they launched npx with the ability to run arbitrary gists[2] and this was before 2FA (FWIW you can still absolutely do this with npx).
I wrote a proof of concept[3] that showed you could, inside a package.json add a command to install another package from a gist location, and then use that to steal credentials, bash history, etc.
[1] https://github.com/tanepiper/npm-lint
just
-
I stopped worrying and loved Makefiles
I don't like makefiles, but I've been enjoying justfiles: https://github.com/casey/just
- Just a Command Runner
-
Ask HN: Any tool for managing large and variable command lines?
I started using just [0] on my projects and have been very happy so far. It is very similar to make but focused on commands rather than build outputs.
Define your recipes and then you can compose them as needed.
[0] https://github.com/casey/just
-
Ask HN: What software sparks joy when using?
just - https://github.com/casey/just
-
GitHub switched to Docker Compose v2, action needed
Welp there is absolute chaos in that thread -- guess it's not an April Fools joke.
I wonder if relying on CI for anything other than provisioning machines is a mistake -- maybe we should have never moved from doing things from local scripts written in $LANGUAGE.
That said, I'm probably biased since I'm a massive fan of things like `make` and more appropriately for the current age, `just`[0]
[0]: https://github.com/casey/just
-
Which command did you run 1731 days ago?
> When a command has some cognitive requirements I create a script with some ${1:-default} values and I store them all in $PATH enabled local/bin
I would consider using just for this:
https://github.com/casey/just
-
Using Make β writing less Makefile
Your coworker's experience is more principled: Make is a mediocre tool for executing commands. It wasn't ever designed for that. Although it is pretty common to see what you are mentioning in projects because it doesn't require installing a dependency.
For a repo where an easy to install (single binary) dependency is a non-issue, consider using just. [1] You get `just -l` where you can see all the command available, the ability to use different languages, and overall simpler command writing.
[1] https://github.com/casey/just
-
Show HN: Just.sh β compiler that turns Justfiles into portable shell scripts
This is fantastic, but I'd say that this solution is somewhat in response to this open issue from 2019:
https://github.com/casey/just/issues/429
I really wish just was included as a package in distributions.
-
Sharing Saturday #496
So far, I didn't work on new features at all but on stabilizing the ground for further development: 1. CMake lists and modules were rewritten a lot, now managing builds and their configurations is much lesser pain. 2. Brought in Justfile for regular tasks, and it's great, no less. 3. Linters, formatters, analyzers for almost all the code (except for Janet for now, as because of it being a niche and young technology, it didn't get enough attention yet). 4. ECS stub. Now runtime class doesn't look like a god object. 5. Started writing unit tests which didn't happen with my personal projects before and maybe indicates how serious am I about this one :D 6. Some of previously hardcoded data has been moved to INI files. Now, if I release the game in 10 years, and in 10 more years some eccentric person decides to make a variant of it, it will be slightly simpler.
-
Whatβs with DevOps engineers using `make` of all things?
i've grown to like this for my personal projects. https://github.com/casey/just
What are some alternatives?
ultra-runner - πβ° Ultra fast monorepo script runner and build tool
Task - A task runner / simpler Make alternative written in Go
pnpm - Fast, disk space efficient package manager
cargo-make - Rust task runner and build tool.
steal-ur-stuff - Steal Ur Stuff
cargo-xtask
actual-malware - Useful library dependency
Taskfile - Repository for the Taskfile template.
CodeLLDB - A native debugger extension for VSCode based on LLDB
cargo-release - Cargo subcommand `release`: everything about releasing a rust crate.
helix - A post-modern modal text editor.
Module Linker - browse modules by clicking directly on "import" statements on GitHub