Kill Switch Hidden in npm Packages Typosquatting Chalk and Chokidar
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
@aurodesignsystem/auro-library
This repository holds shared scripts, utilities, and workflows utilized across repositories along the Auro Design System.
This workflow automatically deletes and clears any Surge demos that have been active for more than two months. Surge in theory allows an unlimited number of active pages, but clearing unused and stale demos keeps the Surge account organized.
Note: This workflow executes on a monthly cron job on the first of each month.
To clear all Surge projects, the workflow relies on a GitHub Action to handle the deletion logic.
This is a two-part utility for generating a custom string for dependency component tag naming. This is important to prevent version conflicts when multiple versions of a given Auro component may be loaded on a single page: a custom element name can only be registered once per page, so two copies of the same component that both register `auro-dropdown` would collide.
Note: The example configuration used in all code samples below assumes auro-dropdown is the dependency component. Substitute any Auro component in the example code as needed.
Create the file `./scripts/version.js` with the following content:

```js
const versionWriter = require("./versionWriter"); // update this path when used from node_modules
versionWriter.writeDepVersionFile('@aurodesignsystem/auro-dropdown'); // duplicate this line for each Auro dependency
```
Add the following script to the `package.json` file:

```json
"build:version": "node scripts/version.js"
```

The `build:version` script should be added as the first step of the `build` script in `package.json`:

```json
"build": "npm-run-all build:version ... etc.",
```
Once configuration is complete, execute `npm run build`. This must be done once before `npm run dev` when developing locally. When Auro dependencies are initially installed or updated to new versions, `npm run build:version` or a complete `npm run build` must be executed.
Upon execution of `build:version`, for each Auro dependency defined in the `./scripts/version.js` file, a new JS file is created that contains the installed version of that dependency.
For example, following these steps:

1. `npm i @aurodesignsystem/auro-dropdown@1.0.0`
2. Add to the `./scripts/version.js` script file: `versionWriter.writeDepVersionFile('@aurodesignsystem/auro-dropdown');`
3. `npm run build`

will result in `./src/dropdownVersion.js` with the content:

```js
export default '1.0.0'
```
In the main component JS file located in the `./src` directory, add the following:

```js
import { AuroDependencyVersioning } from "../scripts/dependencyTagVersioning.mjs";
import { AuroDropdown } from '@aurodesignsystem/auro-dropdown/src/auro-dropdown.js';
import dropdownVersion from './dropdownVersion';
```
In the component's constructor, add the following:

```js
const versioning = new AuroDependencyVersioning();
this.dropdownTag = versioning.generateTag('auro-dropdown', dropdownVersion, AuroDropdown);
```
In the component properties, add the following:

```js
/**
 * @private
 */
dropdownTag: { type: Object }
```
The new dynamically named version of `auro-dropdown` may now be used in your component template as follows:

```js
render() {
  return html`
    <div>
      <${this.dropdownTag}></${this.dropdownTag}>
    </div>
  `;
}
```
When the component is rendered at runtime, the DOM will show up as follows:

```html
<div>
  <auro-dropdown_1_0_0></auro-dropdown_1_0_0>
</div>
```

Note: the numbers attached to the tag name will match the version of the dependency that was installed.
The dynamic component is accessible using the following string in a JS query selector: `this.dropdownTag._$litStatic$`

```js
firstUpdated() {
  // Query the shadow DOM using the version-suffixed tag name generated above.
  this.dropdown = this.shadowRoot.querySelector(this.dropdownTag._$litStatic$);
}
```
syncAllTemplates.mjs script

To run the `syncAllTemplates.mjs` script, add a new node script to the linked component and point it at the `syncAllTemplates.mjs` file. You can run only the workflow configurations by pointing to the `syncAllTemplates.mjs` file and adding a `--github` parameter after the path. The same can be done for the linter configurations by adding a `--linters` parameter.

```jsonc
// Default
"syncTemplates": "./node_modules/@aurodesignsystem/auro-library/scripts/config/syncAllTemplates.mjs"
// Only sync GitHub workflow templates
"syncTemplates": "./node_modules/@aurodesignsystem/auro-library/scripts/config/syncAllTemplates.mjs --github"
// Only sync linter configuration templates
"syncTemplates": "./node_modules/@aurodesignsystem/auro-library/scripts/config/syncAllTemplates.mjs --linters"
```
FAQs
This repository holds shared scripts, utilities, and workflows utilized across repositories along the Auro Design System.
The npm package @aurodesignsystem/auro-library receives a total of 15,928 weekly downloads. As such, @aurodesignsystem/auro-library popularity was classified as popular.
We found that @aurodesignsystem/auro-library demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.