@aurodesignsystem/auro-library
This repository holds shared scripts, utilities, and workflows utilized across repositories along the Auro Design System.
This is an automated workflow that utilizes GitHub Actions to generate surge demos. Upon making any change to a PR a comment will be added or updated on the PR with a link to the demo similar to the following:
Surge demo deployment succeeded! 🚀🚀🚀
[Auro Web Component Generator](https://surge.sh/)
This workflow uses the file ./scripts/config/useBundles.js to update the demo HTML files to use the bundled versions of components so that they can be supported statically in Surge.
To add this functionality to an Auro component, add the following snippet to the publishDemo.yml file in the ./.github/workflows directory.
    name: Deploy Demo
    on:
      pull_request:
        branches: [ main ]
    jobs:
      call-publish-demo-workflow:
        uses: AlaskaAirlines/auro-library/.github/workflows/publishDemo.yml@main
        secrets:
          SURGE_TOKEN: ${{secrets.AURO_SURGE_TOKEN}}
Note: This will only work properly in components located in the "AlaskaAirlines" organization due to a dependency on the org-wide Actions secret AURO_SURGE_TOKEN.
Afterwards you will want to make sure to update the script tags you want replaced with bundles in your ./demo/*.html files with the data-demo-scripts="true" attribute.
-- <script type="module" src="../index.js"></script>
++ <script type="module" src="../index.js" data-demo-script="true"></script>
Note: If you fail to do this, the components will fail to register in your demo.
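The caller snippet above references the reusable workflow by branch name (@main) while passing it SURGE_TOKEN, so the code that receives the secret is whatever that branch holds at run time. As an added example (not part of auro-library), this Node script lists the `uses:` references in a workflow file that are not pinned to a full commit SHA; the function name, the sample workflow text and the all-`a` SHA are constructed for illustration.

```javascript
// Added example (not part of auro-library): list `uses:` references in a
// GitHub Actions workflow that are not pinned to a full 40-hex commit SHA.
const FULL_SHA = /^[0-9a-f]{40}$/;

function auditUses(workflowText) {
  const findings = [];
  workflowText.split(/\r?\n/).forEach((line, i) => {
    // Matches both job-level `uses:` and step-level `- uses:` entries.
    const m = line.match(/^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)/);
    if (!m) return;
    const target = m[1];
    // Local (./...) and docker:// references carry no git ref to pin.
    if (target.startsWith('./') || target.startsWith('docker://')) return;
    const at = target.lastIndexOf('@');
    const ref = at === -1 ? '' : target.slice(at + 1);
    if (!FULL_SHA.test(ref)) {
      findings.push({ line: i + 1, target, ref: ref || '(none)' });
    }
  });
  return findings;
}

// Constructed sample: the caller snippet from this page plus a SHA-pinned
// step and a local action. The 40-character SHA is a placeholder.
const SAMPLE_WORKFLOW = [
  'name: Deploy Demo',
  'on:',
  '  pull_request:',
  '    branches: [ main ]',
  'jobs:',
  '  call-publish-demo-workflow:',
  '    uses: AlaskaAirlines/auro-library/.github/workflows/publishDemo.yml@main',
  '    secrets:',
  '      SURGE_TOKEN: ${{secrets.AURO_SURGE_TOKEN}}',
  '  pinned-example:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@' + 'a'.repeat(40),
  '      - uses: ./.github/actions/local',
].join('\n');

for (const f of auditUses(SAMPLE_WORKFLOW)) {
  console.log(`line ${f.line}: ${f.target} is pinned to mutable ref "${f.ref}"`);
}
```

Replacing `@main` with the full commit SHA of a reviewed revision clears the finding; the workflow file then has to be updated deliberately to pick up upstream changes.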
This workflow automatically deletes any Surge demos that have been active for 2+ months. Surge in theory allows us to have an unlimited number of active pages, but by clearing unused and stale demos we can keep our Surge account more organized in the future.
Note: This workflow executes on a monthly cronjob on the first of each month.
In order to clear all our surge projects we rely on this GitHub Action to handle the deletion logic.
This is a two part utility for the purpose of generating a custom string for dependency component tag naming. This is important to prevent version conflicts when multiple versions of a given Auro component may be loaded on a single page.
Note: The example configuration used below in all code samples assumes auro-dropdown is the dependency component. Substitute any Auro component in the example code as needed.
Add a ./scripts/version.js file with the following content:
    const versionWriter = require("./versionWriter"); // need to update this with the right path when used from node_modules
    versionWriter.writeDepVersionFile('@aurodesignsystem/auro-dropdown'); // duplicate this line for each Auro dependency.
Add the following script to the package.json file:
    "build:version": "node scripts/version.js"
The build:version script in package.json should be added as the first step of the build script:
    "build": "npm-run-all build:version ... etc.",
Once configuration is complete, execute npm run build. This must be done once before npm run dev when developing locally. When Auro dependencies are initially installed or updated to new versions, npm run build:version or a complete npm run build must be executed.
Upon execution of build:version, for each Auro dependency defined in the ./scripts/version.js file, a new JS file will be created that contains the installed version of the dependency.
For example, following these steps:
    npm i @aurodesignsystem/auro-dropdown@1.0.0
    ./scripts/version.js script file: versionWriter.writeDepVersionFile('@aurodesignsystem/auro-dropdown');
    npm run build
Will result in the file ./src/dropdownVersion.js with the following content:
    export default '1.0.0'
In the main component JS file located in the ./src directory add the following:
import { AuroDependencyVersioning } from "../scripts/dependencyTagVersioning.mjs";
import { AuroDropdown } from '@aurodesignsystem/auro-dropdown/src/auro-dropdown.js';
import dropdownVersion from './dropdownVersion';
In the components constructor add the following:
const versioning = new AuroDependencyVersioning();
this.dropdownTag = versioning.generateTag('auro-dropdown', dropdownVersion, AuroDropdown);
In the component properties add the following:
    /**
     * @private
     */
    dropdownTag: { type: Object }
The new dynamically named version of auro-dropdown may now be used in your component template as follows:
    render() {
      return html`
        <div>
          <${this.dropdownTag}></${this.dropdownTag}>
        </div>
      `;
    }
When the component is rendered at runtime, the DOM will show up as follows:
    <div>
      <auro-dropdown_1_0_0></auro-dropdown_1_0_0>
    </div>
Note: the numbers attached in the tag name will match the version of the dependency that was installed.
The dynamic component is accessible using the following string in a JS query selector: this.dropdownTag._$litStatic$
    firstUpdated() {
      this.dropdown = this.shadowRoot.querySelector(this.dropdownTag._$litStatic$);
    }
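Why a version-suffixed tag avoids the conflict described above, as an added sketch that is not auro-library's implementation: a custom element registry rejects a second definition under an existing name and a second name for an existing constructor, so each installed version is registered as its own subclass under its own tag. `FakeRegistry`, `versionedTag` and `registerVersioned` are hypothetical names, and the Lit static value that `generateTag` returns on this page is left out.

```javascript
// Added sketch: stand-in for the browser registry that enforces the two
// uniqueness rules of customElements.define() (name and constructor).
class FakeRegistry {
  constructor() {
    this.byName = new Map();
    this.ctors = new Set();
  }
  get(name) {
    return this.byName.get(name);
  }
  define(name, ctor) {
    if (this.byName.has(name)) throw new Error(`name already used: ${name}`);
    if (this.ctors.has(ctor)) throw new Error(`constructor already used: ${name}`);
    this.byName.set(name, ctor);
    this.ctors.add(ctor);
  }
}

// Hypothetical helper producing the tag format shown above
// (auro-dropdown_1_0_0). Dots become underscores because a dot inside a
// querySelector string would be read as class-selector syntax.
function versionedTag(baseName, version) {
  return `${baseName}_${version.toLowerCase().replace(/[^a-z0-9]/g, '_')}`;
}

function registerVersioned(registry, baseName, version, componentClass) {
  const tag = versionedTag(baseName, version);
  if (!registry.get(tag)) {
    // Subclass, so the original class stays free to be registered elsewhere
    // (for example under its plain tag name by the consuming page).
    registry.define(tag, class extends componentClass {});
  }
  return tag;
}

// Constructed scenario: the page registers its own dropdown, while two
// components each bundle a different dropdown version.
function demo() {
  const registry = new FakeRegistry();
  class DropdownV1 {}
  class DropdownV2 {}
  registry.define('auro-dropdown', DropdownV1);
  return [
    registerVersioned(registry, 'auro-dropdown', '1.0.0', DropdownV1),
    registerVersioned(registry, 'auro-dropdown', '2.1.0', DropdownV2),
    registerVersioned(registry, 'auro-dropdown', '1.0.0', DropdownV1),
  ];
}

console.log(demo());
```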
syncAllTemplates.mjs Script
To run the syncAllTemplates.mjs script, you will need to add a new node script into the linked component and point that to the syncAllTemplates.mjs file. You can individually run the workflow configurations by pointing to the syncAllTemplates.mjs file and adding a --github parameter after the path. The same can be done for the linter configurations by adding a --linters parameter.
// Default
"syncTemplates": "./node_modules/@aurodesignsystem/auro-library/scripts/config/syncAllTemplates.mjs"
// Only sync github workflow templates
"syncTemplates": "./node_modules/@aurodesignsystem/auro-library/scripts/config/syncAllTemplates.mjs --github"
// Only sync linter configuration templates
"syncTemplates": "./node_modules/@aurodesignsystem/auro-library/scripts/config/syncAllTemplates.mjs --linters"
generateWcaComponent.mjs Script
To run the generateWcaComponent.mjs script, you need to provide the file paths for the components you want to process with WCA. This script should be executed only once after adding a new component to the project. Upon running the script, .js files will be generated in the scripts/wca folder.
// Common case: 1 component in 1 project
"build:api:prepare": "node ./node_modules/@aurodesignsystem/auro-library/scripts/generateWcaComponent.mjs 'src/auro-flight.js'"
// Multiple components in 1 project
"build:api:prepare": "node ./node_modules/@aurodesignsystem/auro-library/scripts/generateWcaComponent.mjs 'src/auro-flight*.js'"
FAQs
The npm package @aurodesignsystem/auro-library receives a total of 15,928 weekly downloads. As such, @aurodesignsystem/auro-library popularity was classified as popular.
We found that @aurodesignsystem/auro-library demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.