
@adeira/flow-config-parser
Permissive Flow config parser.
yarn add @adeira/flow-config-parser
parse
The parse function doesn't do any magic. It simply takes the .flowconfig contents as its first argument and returns an object with the config values:
import { parse } from '@adeira/flow-config-parser';
parse(`
[version]
>=0.138.0 <0.140.0
`);
Returns:
{
"declarations": [],
"ignore": [],
"include": [],
"libs": [],
"lints": null,
"options": null,
"rollouts": null,
"strict": [],
"untyped": [],
"version": ">=0.138.0 <0.140.0"
}
merge
The merge function merges two configs together and returns the final config:
import { merge } from '@adeira/flow-config-parser';
const configA = `
[options]
emoji=true
module.file_ext=.foo
module.file_ext=.bar
`;
const configB = `
[options]
emoji=false
module.file_ext=.baz
munge_underscores=false
`;
merge(configA, configB);
Returns:
# ...
[options]
emoji=false
module.file_ext=.foo
module.file_ext=.bar
module.file_ext=.baz
munge_underscores=false
# ...
print
The print function takes the parsed config and prints it in .flowconfig format:
import { parse, print } from '@adeira/flow-config-parser';
const parsedConfig = parse(' … '); // original config
print(parsedConfig);
This parser supports [rollouts] parsing only partially. Specifically, it omits rollout annotations when parsing. So, for example, this config:
[rollouts]
formed_exports=80% on, 20% off
[options]
(formed_exports=on) experimental.well_formed_exports=true
returns the following object after being parsed (notice the missing (formed_exports=on)):
{
"declarations": [],
"ignore": [],
"include": [],
"libs": [],
"lints": null,
"options": {
"experimental.well_formed_exports": true
},
"rollouts": {
"formed_exports": "80% on, 20% off"
},
"strict": [],
"untyped": [],
"version": null
}
This is because we deliberately did not implement the options merging. Rollouts seem to be quite internal and rarely used. However, we might change this if there is real interest.
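An added example (not code from @adeira/flow-config-parser): a minimal JavaScript parser for the subset of .flowconfig shown on this page. It strips rollout annotations as described above but records them in a hypothetical droppedAnnotations field, so tooling that audits a config can tell a rollout-gated option from an unconditional one. The line grammar and the array representation of repeated keys are assumptions.

```javascript
// Added example, not the package's code. Section names follow the parse output
// shown above; the line grammar below is an assumption for illustration.
const LIST_SECTIONS = ['declarations', 'ignore', 'include', 'libs', 'strict', 'untyped'];
const KV_SECTIONS = ['lints', 'options', 'rollouts'];

const coerce = (v) => (v === 'true' ? true : v === 'false' ? false : v);

function parseFlowConfig(text) {
  const config = { version: null, droppedAnnotations: [] };
  for (const name of LIST_SECTIONS) config[name] = [];
  for (const name of KV_SECTIONS) config[name] = null;
  let section = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const header = /^\[(\w+)\]$/.exec(line);
    if (header) { section = header[1]; continue; }
    if (section === 'version') { config.version = line; continue; }
    if (LIST_SECTIONS.includes(section)) { config[section].push(line); continue; }
    if (!KV_SECTIONS.includes(section)) continue; // unknown section: skip
    let entry = line;
    // "(rollout=group) key=value": strip the annotation, but keep a record of it.
    const annotated = /^\((\w+)=(\w+)\)\s*(.+)$/.exec(line);
    if (section === 'options' && annotated) {
      entry = annotated[3];
      config.droppedAnnotations.push({ rollout: annotated[1], group: annotated[2], entry });
    }
    const eq = entry.indexOf('=');
    if (eq === -1) continue;
    const key = entry.slice(0, eq).trim();
    const value = coerce(entry.slice(eq + 1).trim());
    config[section] = config[section] || {};
    const existing = config[section][key];
    // Repeated keys (e.g. module.file_ext) accumulate into an array.
    config[section][key] = existing === undefined ? value : [].concat(existing, value);
  }
  return config;
}

// Constructed sample: the [rollouts] config from the passage above.
const sample = [
  '[rollouts]', 'formed_exports=80% on, 20% off',
  '[options]', '(formed_exports=on) experimental.well_formed_exports=true',
].join('\n');
console.log(parseFlowConfig(sample).droppedAnnotations);
```
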
FAQs
The npm package @adeira/flow-config-parser receives a total of 0 weekly downloads. As such, @adeira/flow-config-parser popularity was classified as not popular.
We found that @adeira/flow-config-parser demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 4 open source maintainers collaborating on the project.