Rfcs Alternatives
Similar projects and alternatives to rfcs
corepack
Zero-runtime-dependency package acting as bridge between Node projects and their package managers
Appwrite
Appwrite - The Open Source Firebase alternative introduces iOS support. Appwrite is an open source backend server that helps you build native iOS applications much faster with realtime APIs for authentication, databases, file storage, cloud functions and much more!
ua-parser-js
UAParser.js - Detect Browser, Engine, OS, CPU, and Device type/model from User-Agent data. Supports browser & node.js environment.
SonarQube
Static code analysis for 29 languages. Your projects are multi-language. So is SonarQube analysis. Find Bugs, Vulnerabilities, Security Hotspots, and Code Smells so you can release quality code every time. Get started analyzing your projects today for free.
node-ipc
Inter Process Communication Module for node supporting Unix sockets, TCP, TLS, and UDP. Giving lightning speed on Linux, Mac, and Windows. Neural Networking in Node.JS
goggles.mozilla.org
Update: This project is no longer maintained and has been archived. See https://foundation.mozilla.org/blog/putting-away-our-x-ray-goggles/ for more information.
lerna
:dragon: Lerna is a fast, modern build system for managing and publishing multiple JavaScript/TypeScript packages from the same repository.
rfcs reviews and mentions
- [RRFC] Parallel script execution when value is set to an array of text. · Issue #610 · npm/rfcs
- Lerna has gone. Which Monorepo is right for a Node.js BACKEND now?
- NPM introduces a new Dependency Selector Syntax
How to respond to growing supply chain security risks?
I started following this problem from the discussion at npm about making install scripts opt-in. But install scripts are not the only threat, there are more ways for malicious actors:
On node-ipc and the importance of trusting trust
What I’m proposing is specifically in cases where sub-dependencies may have a known vulnerability but that isn’t in any of the call paths of your direct dependency. It’s an alternative to the “audit assertions”[1] proposal, which I find problematic for reasons I discussed there before I bowed out. My idea is that you can be confident you’re not affected by a vulnerability in a dependency (at any depth), if that vulnerability is no longer in the code in the first place.
It also reduces the surface area to vet in the first place. It’s highly likely many dependencies will be stripped down considerably, if not outright deduplicated or eliminated. The “npm installs thousands of dependencies” thing is a real problem, but it’s also partly because it’s installing stuff you’ll never actually execute in any way.
You can pare down sub-dependencies with confidence, because you already know what code paths are hit by the parent dependency at packaging time. You can’t do that with direct dependencies until you go to package/deploy, because of course you may expand your usage of their APIs during development.
On the Weaponisation of Open Source
https://github.com/npm/rfcs/issues/509
it more or less just makes it difficult for updates to propagate, which is arguably a good thing.
- BIG sabotage: Famous npm package (node-ipc) deletes files to protest Ukraine war
- Why do so few people use deno when it's so safe?
yarn vs pnpm vs npm for modern node?
One of the things the npm cli team is working on right now is "isolated mode". https://github.com/npm/rfcs/blob/main/accepted/0042-isolated-mode.md
Pitfalls When Adding Turborepo To Your Project
Even if you run npm install, only npm 7 and up support workspaces. There is no straightforward way to enforce a developer's npm version, although it is not impossible, so you might want to document the version requirement in your root README. A developer without npm 7+ will end up with unresolved modules in their editor.
2021 pnpm recap
The npm team decided to also adopt the symlinked node-modules directory structure that pnpm uses (related RFC).
- [AskJS] How do you think the NPM security issue should be fixed?
Prevent NPM from installing packages outside of a Docker container
Unfortunately, this method will not prevent you from installing individual packages outside of your container: it will only prevent npm install from installing the packages inside package.json. For example, if you ran npm install lodash in a console on your host machine, it would install lodash without an error. There is an NPM RFC that would change this behavior, but as of time of writing this post (November 2021), it hasn't gone through.
Every NPM package potentially compromised
Fortunately there is an option (--ignore-scripts) that prevents all code from running at install time, and there are solutions if specific scripts do need to be run. Such examples are so rare, though, that there is an active proposal to make this option the default.
$ sudo rm -rf / === NPM install
Re https://github.com/npm/rfcs/pull/488. Thank you for your service! I had this on my TODO for months. Actually I just use yarn now wherever possible and set `enableScripts: false` both globally and per package. Doesn't solve all of the npm ecosystem's sec issues (like allowing downloading binary blobs and other assets from arbitrary URLs, no cleaning of permission bits on archives, not blacklisting certain typo-esque package names, ...) but it's clear low-hanging fruit and the push-back from maintainers is really crazy ...
Stats
npm/rfcs is an open source project licensed under GNU General Public License v3.0 or later which is an OSI approved license.