![Malicious npm Package Typosquats react-login-page to Deploy Keylogger](https://cdn.sanity.io/images/cgdhsj6q/production/007b21d9cf9e03ae0bb3f577d1bd59b9d715645a-1024x1024.webp?w=400&fit=max&auto=format)
Research
Security News
Malicious npm Package Typosquats react-login-page to Deploy Keylogger
Socket researchers unpack a typosquatting package with malicious code that logs keystrokes and exfiltrates sensitive data to a remote server.
@antfu/ni
Advanced tools
Package description
@antfu/ni is a command-line tool that provides a unified interface for package managers like npm, yarn, and pnpm. It simplifies the process of managing dependencies by automatically detecting the package manager used in a project and running the appropriate commands.
Install Dependencies
The `ni` command installs dependencies in the current project. It automatically detects the package manager used (npm, yarn, or pnpm) and runs the corresponding install command.
ni
Add a Dependency
The `ni <package>` command adds a new dependency to the project. It detects the package manager and runs the appropriate command to add the specified package.
ni axios
Remove a Dependency
The `nr <package>` command removes a dependency from the project. It detects the package manager and runs the appropriate command to remove the specified package.
nr axios
Upgrade Dependencies
The `nu` command upgrades all dependencies in the project. It detects the package manager and runs the appropriate command to upgrade the dependencies.
nu
Run Scripts
The `ni run <script>` command runs a script defined in the project's package.json file. It detects the package manager and runs the appropriate command to execute the script.
ni run build
npm is the default package manager for Node.js. It provides a wide range of commands for managing dependencies, running scripts, and more. Unlike @antfu/ni, npm does not automatically detect other package managers.
Yarn is a fast, reliable, and secure dependency management tool. It offers similar functionalities to npm but with a focus on speed and reliability. Yarn does not provide a unified interface for other package managers like @antfu/ni.
pnpm is a fast, disk space-efficient package manager. It uses a unique symlink-based approach to manage dependencies. Like npm and yarn, pnpm does not offer a unified interface for other package managers.
Readme
npm i
in a yarn project, again? F**k!
ni - use the right package manager
npm i -g @antfu/ni ni
ni
- installni
# npm install
# yarn install
# pnpm install
ni axios
# npm i axios
# yarn add axios
# pnpm i axios
ni @types/node -D
# npm i @types/node -D
# yarn add @types/node -D
# pnpm i @types/node -D
ni --frozen
# npm ci
# yarn install --frozen-lockfile
# pnpm install --frozen-lockfile
ni -g iroiro
# npm i -g iroiro
# yarn global add iroiro
# pnpm i -g iroiro
# this uses default agent, regardless CWD
nr
- runnr dev --port=3000
# npm run dev -- --port=3000
# yarn run dev --port=3000
# pnpm run dev -- --port=3000
nr
# interactively select the script to run
nci
- clean installnci
# npm ci
# yarn install --frozen-lockfile
# pnpm install --frozen-lockfile
if the corresponding node manager is not present, this command will install it globally along the way.
; ~/.nirc
; default agent will be used for global installs
; and the fallback when no lock found.
defaultAgent=npm
ni assumes that you work with lockfiles (and you should)
Before it runs, it will detect your yarn.lock
/ pnpm-lock.yaml
/ package-lock.json
to know current package manager, and runs the corresponding commands.
FAQs
Unknown package
We found that @antfu/ni demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers unpack a typosquatting package with malicious code that logs keystrokes and exfiltrates sensitive data to a remote server.
Security News
The JavaScript community has launched the e18e initiative to improve ecosystem performance by cleaning up dependency trees, speeding up critical parts of the ecosystem, and documenting lighter alternatives to established tools.
Product
Socket now supports four distinct alert actions instead of the previous two, and alert triaging allows users to override the actions taken for all individual alerts.