BREAKING!! NPM package ‘ua-parser-js’ with more than 7M weekly downloads is compromised

This page summarizes the projects mentioned and recommended in the original post on reddit.com/r/programming

  • enquirer

    Stylish, intuitive and user-friendly prompts, for Node.js. Used by eslint, webpack, yarn, pm2, pnpm, RedwoodJS, FactorJS, salesforce, Cypress, Google Lighthouse, Generate, tencent cloudbase, lint-staged, gluegun, hygen, hardhat, AWS Amplify, GitHub Actions Toolkit, @airbnb/nimbus, and many others! Please follow Enquirer's author: https://github.com/jonschlinkert

    Simultaneously the #1 trending developer on GitHub across all languages (out of ~17 million developers at the time) with multiple #1 trending projects: Remarkable (https://github.com/jonschlinkert/remarkable), a markdown parser and compiler (also across all languages, out of ~7 million projects), Enquirer (https://github.com/enquirer/enquirer), a stylish, user-friendly prompt system.

  • ua-parser-js

    UAParser.js - Detect Browser, Engine, OS, CPU, and Device type/model from User-Agent data. Supports browser & node.js environment.

    I don't particularly want to write all of this every time I want to figure out what browser someone is running.

  • deno

    A modern runtime for JavaScript and TypeScript.

    Per-module permissions were discussed here but it was closed. Seems the reason was that "If you're going to import some file/package you should be responsible for checking what permissions it requires."

  • remarkable

    Markdown parser, done right. Commonmark support, extensions, syntax plugins, high speed - all in one. Gulp and metalsmith plugins available. Used by Facebook, Docusaurus and many others! Use https://github.com/breakdance/breakdance for HTML-to-markdown conversion. Use https://github.com/jonschlinkert/markdown-toc to generate a table of contents.

  • deno-puppeteer

    A port of puppeteer running on Deno

    Maybe people forget about this permission system because either they are not experienced with Deno or because they just slap -A on everything. Some packages such as deno-puppeteer even put it in all examples without even adding a note about its risks.

  • is-mobile

    Check if mobile browser, based on useragent string.

    If your only goal is to be certain you're dealing with a mobile device, a specialized library like is-mobile is probably a better fit.

  • GitHub has published an advisory for the package https://github.com/advisories/GHSA-pjwm-rvh2-c87w

  • handlebars-helpers

    188 handlebars helpers in ~20 categories. Can be used with Assemble, Ghost, YUI, express.js etc.

  • lodash

    A modern JavaScript utility library delivering modularity, performance, & extras.

  • vouch

    A multi-ecosystem package code review system. (by vouch-dev)

  • open-source-at-scale

    talk at budapest 2014

    Listed in "Open Source at Scale" as #8 out of the top fifteen contributors to open source in the world (https://github.com/substack/open-source-at-scale)

  • AutoMapper

    A convention-based object-object mapper in .NET.

    https://www.nuget.org/packages/Newtonsoft.Json/ https://www.nuget.org/packages/AutoMapper/ https://www.nuget.org/packages/Dapper/ https://www.nuget.org/packages/FluentValidation/ https://www.nuget.org/packages/FluentAssertions/ https://www.nuget.org/packages/NUnit/ https://www.nuget.org/packages/xunit/ https://www.nuget.org/packages/YamlDotNet/ https://www.nuget.org/packages/Moq/ That is simply not true. Mature C# projects purposely maintain no downstream dependencies, and if they do, it's to a major reputable lib. See for yourself - these are staple third-party packages commonly used. Any dependency starting with System or NETStandard is Microsoft maintained.

  • Dapper

    Dapper - a simple object mapper for .Net [Moved to: https://github.com/DapperLib/Dapper] (by StackExchange)

  • FluentValidation

    A popular .NET validation library for building strongly-typed validation rules.

  • Fluent Assertions

    A very extensive set of extension methods that allow you to more naturally specify the expected outcome of TDD or BDD-style unit tests. Targets .NET Framework 4.7, as well as .NET Core 2.1, .NET Core 3.0, .NET 6, .NET Standard 2.0 and 2.1. Supports the unit test frameworks MSTest2, NUnit3, XUnit2, MSpec, and NSpec3.

  • NUnit

    NUnit 3 Framework

  • xUnit

    xUnit.net is a free, open source, community-focused unit testing tool for .NET.

  • Serilog

    Simple .NET logging with fully-structured events

  • MediatR

    Simple, unambitious mediator implementation in .NET

  • is-odd

    I created this in 2014, the year I learned how to program. All of the downloads are from an old version of https://github.com/micromatch/micromatch. I've done a few other things since: https://github.com/jonschlinkert. (by i-voted-for-trump)

    Not[1] one[2] package[3] has more than 15 lines of actual code inside.

  • is-even

    I created this in 2014, when I was learning how to program. (by i-voted-for-trump)

  • is-number

    JavaScript/Node.js utility. Returns `true` if the value is a number or string number. Useful for checking regex match results, user input, parsed strings, etc.

  • Babel (Formerly 6to5)

    🐠 Babel is a compiler for writing next generation JavaScript.

    @cdb_11 found it depends on a npm package with one line of code. They finally removed it a couple years ago - https://github.com/babel/babel/issues/9620

  • micromatch

    Highly optimized wildcard and glob matching library. Faster, drop-in replacement to minimatch and multimatch. Used by square, webpack, babel core, yarn, jest, taro, bulma, browser-sync, documentation.js, stylelint, nyc, ava, and many others! Please follow micromatch's author: https://github.com/jonschlinkert

    Since then they've made things that are IMO quite useful, like enquirer, micromatch, and remarkable.

  • npm-force-resolutions

    Force npm to install a specific transitive dependency version

    @GradeyCullins I believe the typical NPM-equivalent to resolve this sort of problem is to use this package: https://github.com/rogeriochaves/npm-force-resolutions

  • crater

    Run experiments across parts of the Rust ecosystem! (by rust-lang)

    It does exist, but it only has 80 downloads over the last 90 days and 1,043 in the three years that it has existed. That's probably all because of crater.
