Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
github.com/sap/cloud-mta-build-tool
Before using this package, make sure that you are familiar with the multi-target application concept and terminology. For background and detailed information, see the Multi-Target Application Model guide.
The Cloud MTA Build Tool is a standalone command-line tool that builds a deployment-ready
multitarget application (MTA) archive .mtar
file from the artifacts of an MTA project according to the project’s MTA
development descriptor (mta.yaml
file) or from module build artifacts according to the MTA deployment descriptor (mtad.yaml
file). Also, it provides commands for running intermediate build process steps; for example, the mta.yaml
file validations, building a single module according to the configurations in the development descriptor, generating the deployment descriptor, and so on.
For more information, see the Cloud MTA Build Tool user guide
This demo shows the basic usage of the tool. For more advanced scenarios, follow the documentation.
For convenience the mbt
executable is available via npmjs.com so consumers using a nodejs runtime can simply run:
npm install -g mbt@version
It is also possible to download and "install" the mbt
executable via github releases.
The Cloud MTA Build Tool published docker images on docker hub with a pre-configured set of runtime tools (nodejs/java/maven/...).
More and more npm packages use ECMAScript modules instead of commonJS, for ECMAScript modules are the official standard format to package JavaScript code for reuse. From v1.2.25, we use axios instead of binwrap(which has moderate severity vulnerabilities) to download binary files, but axios only supports ECMAScript modules and can't work on Node.js v10 and lower minor version of Node.js v11, v12, v13. The axios can work on latest version of Node.js v11.15, v12.22, v13.14. So since v1.2.25, mbt will not support Node.js v10 and lower versions, including lower minor version of Node.js v11, v12, v13.
Copyright (c) 2020 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file. Please note that Docker images can contain other software which may be licensed under different licenses. This License file is also included in the Docker image. For any usage of built Docker images please make sure to check the licenses of the artifacts contained in the images.
Contributions are greatly appreciated. If you want to contribute, follow the guidelines.
Please follow our issue template on how to report an issue.
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.