Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Security News
Sarah Gooding
May 25, 2024
ESLint, a widely used tool for identifying and reporting on patterns found in ECMAScript/JavaScript code, has approved an RFC (request for comments) for adding support for TypeScript config files. The pluggable utility is widely considered to be the industry standard for JavaScript and TypeScript linting and is extensively integrated into various popular build tools and frameworks such as Webpack, Gulp, Grunt, React, Angular, and Vue. ESLint helps maintain code quality and consistency and allows developers to define their own linting rules and configurations.
This new RFC, contributed by developer Arya Emami in his first PR to ESLint, is aimed at improving the developer experience for TypeScript users:
The primary motivation for adding support for TypeScript configuration files to ESLint is to enhance the developer experience and accommodate the evolving JavaScript ecosystem. As TypeScript's popularity continues to grow, more projects are adopting TypeScript not only for their source code but also for their configuration files. This shift is driven by TypeScript's ability to provide compile-time type checks and IntelliSense.
By supportingeslint.config.ts
,eslint.config.mts
, andeslint.config.cts
, ESLint will offer first-class support to TypeScript users, allowing them to leverage these benefits directly within their ESLint configuration.
After considering ts-node, tsx, and TypeScript's transpileModule() to parse TypeScript configuration files, contributors to the proposal have identified jiti as the tool most suited to the task and the requirement to not interfere with Node.js's native module resolution system by hooking into or altering the standard import/require mechanisms.
The proposal to add support for TypeScript config files is among one of the more substantial changes to ESLint, which requires that it goes through a design process and receives a consensus from the ESLint Technical Steering Committee (TSC). Anything that introduces a major new feature to core or significantly refactors an existing feature is subject to the RFC process so that changes go through a consistent and controlled path to enter the project’s codebase.
In the case of this particular RFC, ESLint creator Nicholas Zakas wasn’t immediately on board, but through the power of open source collaboration, the community was able to present a compelling case.
“One thing I enjoy about the RFC process is giving people an opportunity to present their case and change my mind,” Zakas said. “This is a good example of that. I started out at 'hell no' and ended up at 'this looks like it will work.'"
This RFC has been approved, which means contributors can now begin working on an implementation, knowing the basic approach has been agreed upon. They are aiming to minimize disruption to existing users and will ensure that existing JavaScript configuration files continue to work as expected. The proposed changes will only affect TypeScript users who are using TypeScript configuration files.
Zakas said he is happy with the direction of this design, provided that jiti is offered as an optional dependency that people are required to manually install to use.
“I think there is still some exploration on implementation to do, but that's fine to do outside of the RFC as the overall approach won't change,” he said.
“We should include testing of the different behaviors of different package managers as part of the implementation before release. My feeling is that adding an optional dependency that isn't installed by default doesn't constitute a breaking change, but it really comes down to the user experience.”
Nearly five years ago, a similar RFC was proposed but core contributors could not come to an agreement. At that time Zakas did not support the idea.
“I think it's an interesting proposal but not one I can support,” Zakas commented in response to a 2019 PR for adding support for TS config files. “The primary reason is that I don't think it's a good idea to build TypeScript directly into the ESLint core. I've never wanted ESLint to be a kingmaker in the JavaScript ecosystem, where things that get into ESLint get considered ‘official’ or ‘supported.’”
This approved RFC is a major acknowledgement of the explosive growth and immense popularity of TypeScript. ESLint has more than 36.8 million weekly downloads on npm and is used at major companies like Microsoft, Airbnb, Netflix, and Facebook. The @typescript-eslint/parser package, which is specifically for TypeScript, receives 25.8 million weekly downloads on npm. This implies that approximately 70% of ESLint users are using it for TypeScript projects.
More than 19.8 million projects have ESLint as a dependency, which gives a clear indication of its place as a cornerstone for maintaining code quality and enforcing coding standards. The project’s approval for seamlessly supporting TypeScript configuration files will hopefully lead to reduced initial setup time and a better developer experience for a significant number of TypeScript developers using ESLint.
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Try it now
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.