BREAKING!! NPM package ‘ua-parser-js’ with more than 7M weekly download is compromised

This page summarizes the projects mentioned and recommended in the original post on reddit.com/r/programming

Our great sponsors
  • Scout APM - Less time debugging, more time building
  • OPS - Build and Run Open Source Unikernels
  • SonarQube - Static code analysis for 29 languages.
  • GitHub repo enquirer

    Stylish, intuitive and user-friendly prompts, for Node.js. Used by eslint, webpack, yarn, pm2, pnpm, RedwoodJS, FactorJS, salesforce, Cypress, Google Lighthouse, Generate, tencent cloudbase, lint-staged, gluegun, hygen, hardhat, AWS Amplify, GitHub Actions Toolkit, @airbnb/nimbus, and many others! Please follow Enquirer's author: https://github.com/jonschlinkert

    Simultaneously the #1 trending developer on GitHub across all languages (out of ~17 million developers at the time) with multiple #1 trending projects: Remarkable (https://github.com/jonschlinkert/remarkable), a markdown parser and compiler (also across all languages, out of ~7 million projects), Enquirer (https://github.com/enquirer/enquirer), a stylish, user-friendly prompt system.

  • GitHub repo ua-parser-js

    UAParser.js - Detect Browser, Engine, OS, CPU, and Device type/model from User-Agent data. Supports browser & node.js environment.

    I don't particularly want to write all of this every time I want to figure out what browser someone is running.

  • Scout APM

    Less time debugging, more time building. Scout APM allows you to find and fix performance issues with no hassle. Now with error monitoring and external services monitoring, Scout is a developer's best friend when it comes to application development.

  • GitHub repo deno

    A modern runtime for JavaScript and TypeScript.

    Per-module wermissions per module was been discussed here but it was closed. Seems the reason was that "If you're going to import some file/package you should be responsible for checking what permissions it requires.".

  • GitHub repo remarkable

    Markdown parser, done right. Commonmark support, extensions, syntax plugins, high speed - all in one. Gulp and metalsmith plugins available. Used by Facebook, Docusaurus and many others! Use https://github.com/breakdance/breakdance for HTML-to-markdown conversion. Use https://github.com/jonschlinkert/markdown-toc to generate a table of contents.

    Simultaneously the #1 trending developer on GitHub across all languages (out of ~17 million developers at the time) with multiple #1 trending projects: Remarkable (https://github.com/jonschlinkert/remarkable), a markdown parser and compiler (also across all languages, out of ~7 million projects), Enquirer (https://github.com/enquirer/enquirer), a stylish, user-friendly prompt system.

  • GitHub repo deno-puppeteer

    A port of puppeteer running on Deno

    Maybe people forget about this permission system because either are not experienced with Deno or because they just slap -A on eveything. Some packages such as deno-puppeteer even put it in all examples without even adding a note about its risks.

  • GitHub repo is-mobile

    Check if mobile browser, based on useragent string.

    If your only goal is to be certain you're dealing with a mobile device, a specialized library like is-mobile is probably a better fit.

  • Github has published an advisory for the package https://github.com/advisories/GHSA-pjwm-rvh2-c87w

  • OPS

    OPS - Build and Run Open Source Unikernels. Quickly and easily build and deploy open source unikernels in tens of seconds. Deploy in any language to any cloud.

  • GitHub repo handlebars-helpers

    188 handlebars helpers in ~20 categories. Can be used with Assemble, Ghost, YUI, express.js etc.

  • GitHub repo lodash

    A modern JavaScript utility library delivering modularity, performance, & extras.

  • GitHub repo vouch

    A multi-ecosystem package code review system. (by vouch-dev)

  • GitHub repo open-source-at-scale

    talk at budapest 2014

    Listed in "Open Source at Scale" as #8 out of the top fifteen contributors to open source in the world (https://github.com/substack/open-source-at-scale)

  • GitHub repo AutoMapper

    A convention-based object-object mapper in .NET.

    https://www.nuget.org/packages/Newtonsoft.Json/ https://www.nuget.org/packages/AutoMapper/ https://www.nuget.org/packages/Dapper/ https://www.nuget.org/packages/FluentValidation/ https://www.nuget.org/packages/FluentAssertions/ https://www.nuget.org/packages/NUnit/ https://www.nuget.org/packages/xunit/ https://www.nuget.org/packages/YamlDotNet/ https://www.nuget.org/packages/Moq/ That is simply not true. Mature c# projects purposely maintain no downstream dependencies and is they do, it's to a major reputable lib. See for yourself - these are staple third party packages commonly used. Anything dependency starting with System or NETStandard is Microsoft maintained.

  • GitHub repo Dapper

    Dapper - a simple object mapper for .Net [Moved to: https://github.com/DapperLib/Dapper] (by StackExchange)

    https://www.nuget.org/packages/Newtonsoft.Json/ https://www.nuget.org/packages/AutoMapper/ https://www.nuget.org/packages/Dapper/ https://www.nuget.org/packages/FluentValidation/ https://www.nuget.org/packages/FluentAssertions/ https://www.nuget.org/packages/NUnit/ https://www.nuget.org/packages/xunit/ https://www.nuget.org/packages/YamlDotNet/ https://www.nuget.org/packages/Moq/ That is simply not true. Mature c# projects purposely maintain no downstream dependencies and is they do, it's to a major reputable lib. See for yourself - these are staple third party packages commonly used. Anything dependency starting with System or NETStandard is Microsoft maintained.

  • GitHub repo FluentValidation

    A popular .NET validation library for building strongly-typed validation rules.

    https://www.nuget.org/packages/Newtonsoft.Json/ https://www.nuget.org/packages/AutoMapper/ https://www.nuget.org/packages/Dapper/ https://www.nuget.org/packages/FluentValidation/ https://www.nuget.org/packages/FluentAssertions/ https://www.nuget.org/packages/NUnit/ https://www.nuget.org/packages/xunit/ https://www.nuget.org/packages/YamlDotNet/ https://www.nuget.org/packages/Moq/ That is simply not true. Mature c# projects purposely maintain no downstream dependencies and is they do, it's to a major reputable lib. See for yourself - these are staple third party packages commonly used. Anything dependency starting with System or NETStandard is Microsoft maintained.

  • GitHub repo Fluent Assertions

    A very extensive set of extension methods that allow you to more naturally specify the expected outcome of a TDD or BDD-style unit tests. Targets .NET Framework 4.7, .NET Core 2.1 and 3.0, as well as .NET Standard 2.0 and 2.1. Supports the unit test frameworks MSTest2, NUnit3, XUnit2, MSpec, and NSpec3.

    https://www.nuget.org/packages/Newtonsoft.Json/ https://www.nuget.org/packages/AutoMapper/ https://www.nuget.org/packages/Dapper/ https://www.nuget.org/packages/FluentValidation/ https://www.nuget.org/packages/FluentAssertions/ https://www.nuget.org/packages/NUnit/ https://www.nuget.org/packages/xunit/ https://www.nuget.org/packages/YamlDotNet/ https://www.nuget.org/packages/Moq/ That is simply not true. Mature c# projects purposely maintain no downstream dependencies and is they do, it's to a major reputable lib. See for yourself - these are staple third party packages commonly used. Anything dependency starting with System or NETStandard is Microsoft maintained.

  • GitHub repo NUnit

    NUnit 3 Framework

    https://www.nuget.org/packages/Newtonsoft.Json/ https://www.nuget.org/packages/AutoMapper/ https://www.nuget.org/packages/Dapper/ https://www.nuget.org/packages/FluentValidation/ https://www.nuget.org/packages/FluentAssertions/ https://www.nuget.org/packages/NUnit/ https://www.nuget.org/packages/xunit/ https://www.nuget.org/packages/YamlDotNet/ https://www.nuget.org/packages/Moq/ That is simply not true. Mature c# projects purposely maintain no downstream dependencies and is they do, it's to a major reputable lib. See for yourself - these are staple third party packages commonly used. Anything dependency starting with System or NETStandard is Microsoft maintained.

  • GitHub repo xUnit

    xUnit.net is a free, open source, community-focused unit testing tool for the .NET Framework.

    https://www.nuget.org/packages/Newtonsoft.Json/ https://www.nuget.org/packages/AutoMapper/ https://www.nuget.org/packages/Dapper/ https://www.nuget.org/packages/FluentValidation/ https://www.nuget.org/packages/FluentAssertions/ https://www.nuget.org/packages/NUnit/ https://www.nuget.org/packages/xunit/ https://www.nuget.org/packages/YamlDotNet/ https://www.nuget.org/packages/Moq/ That is simply not true. Mature c# projects purposely maintain no downstream dependencies and is they do, it's to a major reputable lib. See for yourself - these are staple third party packages commonly used. Anything dependency starting with System or NETStandard is Microsoft maintained.

  • GitHub repo Serilog

    Simple .NET logging with fully-structured events

  • GitHub repo MediatR

    Simple, unambitious mediator implementation in .NET

  • GitHub repo is-odd

    I created this in 2014, the year I learned how to program. All of the downloads are from an old version of https://github.com/micromatch/micromatch. I've done a few other things since: https://github.com/jonschlinkert.

    Not[1] one[2] package[3] has more than 15 lines of actual code inside.

  • GitHub repo is-even

    I created this in 2014, when I was learning how to program. (by i-voted-for-trump)

    Not[1] one[2] package[3] has more than 15 lines of actual code inside.

  • GitHub repo is-number

    JavaScript/Node.js utility. Returns `true` if the value is a number or string number. Useful for checking regex match results, user input, parsed strings, etc.

    Not[1] one[2] package[3] has more than 15 lines of actual code inside.

  • GitHub repo Babel (Formerly 6to5)

    🐠 Babel is a compiler for writing next generation JavaScript.

    @cdb_11 found it depends on a npm package with one line of code. They finally removed it a couple years ago - https://github.com/babel/babel/issues/9620

  • GitHub repo micromatch

    Highly optimized wildcard and glob matching library. Faster, drop-in replacement to minimatch and multimatch. Used by webpack, babel core, yarn, jest, browser-sync, documentation.js, stylelint, nyc, ava, and many others! Please follow micromatch's author: https://github.com/jonschlinkert

    Since then they've made things that are IMO quite useful, like enquirer, micromatch, and remarkable.

  • GitHub repo npm-force-resolutions

    Force npm to install a specific transitive dependency version

    @GradeyCullins I believe the typical NPM-equivalent to resolve this sort of problem is to use this package: https://github.com/rogeriochaves/npm-force-resolutions

  • GitHub repo crater

    Run experiments across parts of the Rust ecosystem! (by rust-lang)

    It does exist, but it only has 80 downloads over the last 90 days and 1,043 in the three years that it has existed. That's probably all because of crater.

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts