npm-lint vs ultra-runner

| | npm-lint | ultra-runner |
|---|---|---|
| Mentions | 4 | 4 |
| Stars | 26 | 1,188 |
| Growth | - | - |
| Activity | 0.0 | 0.0 |
| Last commit | about 4 years ago | 7 days ago |
| Language | TypeScript | TypeScript |
| License | MIT License | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
npm-lint
-
JavaScript registry NPM vulnerable to 'manifest confusion' abuse
Postinstall and other scripts have been a problem for a long time - the PoC, for example, could be installed via npx, which would then run postinstall, which executes another script to steal /etc/password data.
This is not a new problem, you just have another vector.
I came up with a free linter package to try to solve it - but no one seemed interested, and here we are 7 later talking about where people are now offering paid services to mitigate it.
https://github.com/tanepiper/npm-lint
-
Dissecting Npm Malware: Five Packages And Their Evil Install Scripts
Also ended up writing a similar tool but didn't take it much further.
-
npm package to upload your private ssh keys to a pastebin
I did try to come up with an npm linter but never really completed it.
-
Getting rid of NPM scripts
A while back I wrote an opt-in tool called npm-lint[1] that would allow some CI-level enforcement of rules in package.json, although I didn't go too far with it - one thing was to check the scripts section and allow whitelisted apps, or whitelisted sources for dependencies.
It came about because I ended up having a spat with one of the NPM engineers at the time because they launched npx with the ability to run arbitrary gists[2] and this was before 2FA (FWIW you can still absolutely do this with npx).
I wrote a proof of concept[3] that showed you could, inside a package.json add a command to install another package from a gist location, and then use that to steal credentials, bash history, etc.
[1] https://github.com/tanepiper/npm-lint
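The two rules the post above describes (allowlisted commands in lifecycle scripts, allowlisted sources for dependencies), exercised against a manifest shaped like the PoC in the earlier thread (an install hook that pulls code from a gist via npx). This is an added example, not npm-lint's own code; the rule names, the command allowlist and the sample manifest are assumptions made for illustration.

```javascript
// Added example: a minimal package.json policy check in the spirit of the
// opt-in linter described in the post above. Not npm-lint's code: the rule
// names, the allowlist and the sample manifest below are assumptions.
'use strict';

// Scripts npm runs on its own during install, pack or publish.
const LIFECYCLE_SCRIPTS = new Set([
  'preinstall', 'install', 'postinstall',
  'preprepare', 'prepare', 'postprepare',
  'prepublish', 'prepublishOnly', 'prepack', 'postpack',
]);

// Commands a lifecycle script may start with (assumed project policy).
// "npx", "curl", "node" etc. are deliberately absent.
const ALLOWED_COMMANDS = new Set(['node-gyp', 'tsc', 'husky']);

// Dependency specs that bypass the registry: URLs, git remotes, gists,
// GitHub shorthand (owner/repo[#ref]) and local paths.
const NON_REGISTRY_SPEC =
  /^(?:https?:|git(?:\+\w+)?:|github:|gist:|bitbucket:|gitlab:|file:|[\w.-]+\/[\w.-]+(?:#.*)?$)/i;

const DEPENDENCY_FIELDS = [
  'dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies',
];

// Split a shell one-liner into its simple commands and return the first
// word of each ("a && b | c" -> ["a", "b", "c"]). Leading VAR=value
// assignments are skipped so "FOO=1 node x" yields "node".
function leadingCommands(script) {
  return script
    .split(/&&|\|\||;|\|/)
    .map((part) => part.trim().split(/\s+/).filter((w) => !/^\w+=/.test(w))[0])
    .filter(Boolean);
}

// Returns a list of findings; an empty list means the manifest passes.
function lintManifest(manifest) {
  const findings = [];

  for (const [name, script] of Object.entries(manifest.scripts || {})) {
    if (!LIFECYCLE_SCRIPTS.has(name)) continue; // "test", "build" etc. are not auto-run
    for (const cmd of leadingCommands(String(script))) {
      if (!ALLOWED_COMMANDS.has(cmd)) {
        findings.push({ rule: 'lifecycle-command-not-allowed', field: `scripts.${name}`, detail: cmd });
      }
    }
  }

  for (const field of DEPENDENCY_FIELDS) {
    for (const [dep, spec] of Object.entries(manifest[field] || {})) {
      if (NON_REGISTRY_SPEC.test(String(spec))) {
        findings.push({ rule: 'dependency-source-not-allowed', field: `${field}.${dep}`, detail: spec });
      }
    }
  }
  return findings;
}

// Constructed sample manifest (not a real package): a postinstall hook that
// runs code fetched from a gist, plus a dependency pulled from a git URL.
const SAMPLE_MANIFEST = {
  name: 'example-app',
  version: '1.0.0',
  scripts: {
    postinstall: 'tsc -p . && npx https://gist.github.com/example/deadbeef',
    test: 'node test.js',
  },
  dependencies: {
    lodash: '^4.17.21',
    'left-pad': 'git+https://example.invalid/left-pad.git',
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of lintManifest(SAMPLE_MANIFEST)) {
    console.log(`${f.rule}\t${f.field}\t${f.detail}`);
  }
}
```

Run it in CI against the repository's package.json and fail the job when the list is non-empty. The command split is intentionally shallow (no quoting or subshell handling); anything it cannot classify should fail closed rather than be waved through.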
ultra-runner
-
Directly point to source code when referencing dependencies in monorepo
Cache built files to avoid rebuilds. For example: nx.js, yarn-plugin-change, ultra-runner.
-
Next.js monorepo build process optimization
Then comes the question of triggering docker builds if you need to release images. If you have many apps, it's better to create a docker file for each, so you can decide which one needs to be built. Nx helps in this area, because it can compute which apps need to be rebuilt... If you have only a few apps you can use github action paths (ie: simplified example) or eventually make use of things like [ultra-runner](https://github.com/folke/ultra-runner). Anyway docker and nextjs take time to set up (env...). It's another story.
-
What is monorepo? (and should you use it)
ultra-runner: scripts for JavaScript monorepo management. Plugs in with Yarn, pnpm, and Lerna. Supports parallel building.
-
JavaScript Monorepo Tooling
🏃 ultra-runner
What are some alternatives?
pnpm - Fast, disk space efficient package manager
lerna - :dragon: Lerna is a fast, modern build system for managing and publishing multiple JavaScript/TypeScript packages from the same repository.
steal-ur-stuff - Steal Ur Stuff
nextjs-monorepo-example - Collection of monorepo tips & tricks
actual-malware - Useful library dependency
yarn.build - Build 🛠 and Bundle 📦 your local workspaces. Like Bazel, Buck, Pants and Please but for Yarn Berry. Build any language, mix javascript, typescript, golang and more in one polyglot repo. Ship your bundles to AWS Lambda, Docker, or any nodejs runtime.
corepack - Zero-runtime-dependency package acting as bridge between Node projects and their package managers
turborepo - Incremental bundler and build system optimized for JavaScript and TypeScript, written in Rust – including Turborepo and Turbopack. [Moved to: https://github.com/vercel/turbo]
semver - Nx plugin to automate semantic versioning and CHANGELOG generation.
ni - 💡 Use the right package manager
nx - Smart Monorepos · Fast CI