
github.com/hashicorp/memberlist
memberlist is a Go library that manages cluster membership and member failure detection using a gossip based protocol.
The use cases for such a library are far-reaching: all distributed systems require membership, and memberlist is a re-usable solution to managing cluster membership and node failure detection.
memberlist is eventually consistent but converges quickly on average. The speed at which it converges can be heavily tuned via various knobs on the protocol. Node failures are detected and network partitions are partially tolerated by attempting to communicate to potentially dead nodes through multiple routes.
If you wish to build memberlist you'll need Go version 1.2+ installed.
Please check your installation with:
go version
Memberlist is surprisingly simple to use. An example is shown below:
    package main

    import (
        "fmt"

        "github.com/hashicorp/memberlist"
    )

    func main() {
        /* Create the initial memberlist from a safe configuration.
           Please reference the godoc for other default config types.
           http://godoc.org/github.com/hashicorp/memberlist#Config
        */
        list, err := memberlist.Create(memberlist.DefaultLocalConfig())
        if err != nil {
            panic("Failed to create memberlist: " + err.Error())
        }

        // Join an existing cluster by specifying at least one known member.
        // Join also returns the number of nodes contacted; it is discarded
        // here because Go rejects unused variables.
        _, err = list.Join([]string{"1.2.3.4"})
        if err != nil {
            panic("Failed to join cluster: " + err.Error())
        }

        // Ask for members of the cluster
        for _, member := range list.Members() {
            fmt.Printf("Member: %s %s\n", member.Name, member.Addr)
        }

        // Continue doing whatever you need, memberlist will maintain membership
        // information in the background. Delegates can be used for receiving
        // events when members join or leave.
    }
The most difficult part of memberlist is configuring it since it has many available knobs in order to tune state propagation delay and convergence times. Memberlist provides a default configuration that offers a good starting point, but errs on the side of caution, choosing values that are optimized for higher convergence at the cost of higher bandwidth usage.
For complete documentation, see the associated Godoc.
memberlist is based on "SWIM: Scalable Weakly-consistent Infection-style Process Group Membership Protocol". However, we extend the protocol in a number of ways:
For details on all of these extensions, please read our paper "Lifeguard : SWIM-ing with Situational Awareness", along with the memberlist source. We welcome any questions related to the protocol on our issue tracker.
This library can emit metrics using either github.com/armon/go-metrics or github.com/hashicorp/go-metrics. Choosing between the libraries is controlled via build tags.
Build Tags
armonmetrics - Using this tag will cause metrics to be routed to armon/go-metrics
hashicorpmetrics - Using this tag will cause all metrics to be routed to hashicorp/go-metrics
If no build tag is specified, the default behavior is to use armon/go-metrics.
Deprecating armon/go-metrics
Emitting metrics to armon/go-metrics is officially deprecated. Usage of armon/go-metrics will remain the default until mid-2025 with opt-in support continuing to the end of 2025.
Migration
To migrate an application currently using the older armon/go-metrics to instead use hashicorp/go-metrics, the following should be done.
- Upgrade libraries using armon/go-metrics to consume hashicorp/go-metrics/compat instead. This should involve only changing import statements. All repositories in the hashicorp namespace
- Update the application to use hashicorp/go-metrics for configuring metrics export instead of armon/go-metrics
- Replace all application imports of github.com/armon/go-metrics with github.com/hashicorp/go-metrics
- Build with the hashicorpmetrics tag.
Eventually, once the default behavior changes to use hashicorp/go-metrics by default (mid-2025), you can drop the hashicorpmetrics build tag.
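To find the application imports that the migration step above asks you to replace, the following added example (not code from memberlist or HashiCorp) parses a Go file's import section and lists every import of the deprecated module. The names FindDeprecatedImports and Finding are hypothetical, the sample source is constructed, and mapping subpackages to the same relative path in the new module is an assumption.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strings"
)

// Import paths from the migration steps above.
const oldMetrics, newMetrics = "github.com/armon/go-metrics", "github.com/hashicorp/go-metrics"

// Finding is one import that still points at the deprecated module.
type Finding struct {
	Line     int
	Old, New string
}

// FindDeprecatedImports parses only the import section of src and returns each
// import of armon/go-metrics (or a subpackage) with its suggested replacement.
func FindDeprecatedImports(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, imp := range f.Imports {
		path := strings.Trim(imp.Path.Value, "\"`")
		// Exact module or subpackage only; "go-metrics-fork" must not match.
		if path != oldMetrics && !strings.HasPrefix(path, oldMetrics+"/") {
			continue
		}
		// Assumption: subpackages keep the same relative path in the new module.
		out = append(out, Finding{fset.Position(imp.Pos()).Line, path,
			newMetrics + strings.TrimPrefix(path, oldMetrics)})
	}
	return out, nil
}

// sample is constructed input for this example, not code from memberlist.
const sample = "package app\n\nimport (\n\t\"fmt\"\n\tm \"github.com/armon/go-metrics\"\n" +
	"\t\"github.com/armon/go-metrics/prometheus\"\n\t\"github.com/armon/go-metrics-fork\"\n)\n"

func main() {
	findings, err := FindDeprecatedImports("app.go", sample)
	fmt.Println(findings, err)
}
```

Matching on the exact module path or a `/`-separated subpackage keeps similarly named modules out of the report, so a look-alike import is neither flagged nor rewritten by mistake.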