-
SurveyJS
Open-Source JSON Form Builder to Create Dynamic Forms Right in Your App. With SurveyJS form UI libraries, you can build and style forms in a fully-integrated drag & drop form builder, render them in your JS app, and store form submission data in any backend, inc. PHP, ASP.NET Core, and Node.js.
We‘ve been writing a tool to check lock files against the registry: https://gitlab.com/gitlab-org/frontend/untamper-my-lockfile
For now it only supports yarn, but npm support shouldn’t be too hard.
I went a different route with my "malicious" NPM package. See if you can figure it out [1].
Years ago I played around with the idea of verifying that a npm package is the same code found from the source repo [2]. Because there is often a build step, that requires trying to reproduce the building of any arbitrary package, and flagging when there is any delta between the build output and the code distributed via NPM. In more reasonable package managers, this is true by default given that you provide the source code and the package manager builds it for you ... as opposed to NPM, which just asks for the executable code directly.
[1] https://github.com/connorjclark/totally-fair-rng
[2] https://github.com/connorjclark/npm-package-repro
I went a different route with my "malicious" NPM package. See if you can figure it out [1].
Years ago I played around with the idea of verifying that a npm package is the same code found from the source repo [2]. Because there is often a build step, that requires trying to reproduce the building of any arbitrary package, and flagging when there is any delta between the build output and the code distributed via NPM. In more reasonable package managers, this is true by default given that you provide the source code and the package manager builds it for you ... as opposed to NPM, which just asks for the executable code directly.
[1] https://github.com/connorjclark/totally-fair-rng
[2] https://github.com/connorjclark/npm-package-repro
I know exactly where this is from. This has been floating around the Chinese Internet for a bit. The repo is originally at https://github.com/wheatup/evil.js but has been made private since then. A few variants of this was made and uploaded to NPM.
Here's a English translation of the README.md in that specific repo.
> What? The notorious 996 company wants you to hit the road?