Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@codecov/webpack-plugin
Advanced tools
A Webpack plugin that provides bundle analysis support for Codecov.
[!NOTE] The plugin does not support code coverage, see our docs to set up coverage today!
Using npm:
npm install @codecov/webpack-plugin --save-dev
Using yarn:
yarn add @codecov/webpack-plugin --dev
Using pnpm:
pnpm add @codecov/webpack-plugin --save-dev
This configuration will automatically upload the bundle analysis to Codecov for public repositories. When an internal PR is created it will use the Codecov token set in your secrets, and if running from a forked PR, it will use the tokenless setting automatically. For setups not using GitHub Actions see the following example. For private repositories see the following example.
// webpack.config.js
const path = require("path");
const { codecovWebpackPlugin } = require("@codecov/webpack-plugin");
module.exports = {
entry: "./src/index.js",
mode: "production",
output: {
filename: "main.js",
path: path.resolve(__dirname, "dist"),
},
plugins: [
// Put the Codecov vite plugin after all other plugins
codecovWebpackPlugin({
enableBundleAnalysis: true,
bundleName: "example-webpack-bundle",
uploadToken: process.env.CODECOV_TOKEN,
gitService: "github",
}),
],
};
This setup is for public repositories that are not using GitHub Actions, this configuration will automatically upload the bundle analysis to Codecov. You will need to configure the it similar to the GitHub Actions example, however you will need to provide a branch override, and ensure that it will pass the correct branch name, and with forks including the fork-owner i.e. fork-owner:branch
.
// webpack.config.js
const path = require("path");
const { codecovWebpackPlugin } = require("@codecov/webpack-plugin");
module.exports = {
entry: "./src/index.js",
mode: "production",
output: {
filename: "main.js",
path: path.resolve(__dirname, "dist"),
},
plugins: [
// Put the Codecov vite plugin after all other plugins
codecovWebpackPlugin({
enableBundleAnalysis: true,
bundleName: "example-webpack-bundle",
uploadToken: process.env.CODECOV_TOKEN,
gitService: "github",
uploadOverrides: {
branch: "<branch value>",
},
}),
],
};
This is the required way to use the plugin for private repositories. This configuration will automatically upload the bundle analysis to Codecov.
// webpack.config.js
const path = require("path");
const { codecovWebpackPlugin } = require("@codecov/webpack-plugin");
module.exports = {
entry: "./src/index.js",
mode: "production",
output: {
filename: "main.js",
path: path.resolve(__dirname, "dist"),
},
plugins: [
// Put the Codecov vite plugin after all other plugins
codecovWebpackPlugin({
enableBundleAnalysis: true,
bundleName: "example-webpack-bundle",
uploadToken: process.env.CODECOV_TOKEN,
}),
],
};
For users with OpenID Connect (OIDC) enabled, setting the uploadToken
is not necessary. You can use OIDC with the oidc
configuration as following.
// webpack.config.js
const path = require("path");
const { codecovWebpackPlugin } = require("@codecov/webpack-plugin");
module.exports = {
entry: "./src/index.js",
mode: "production",
output: {
filename: "main.js",
path: path.resolve(__dirname, "dist"),
},
plugins: [
// Put the Codecov vite plugin after all other plugins
codecovWebpackPlugin({
enableBundleAnalysis: true,
bundleName: "example-webpack-bundle",
oidc: {
useGitHubOIDC: true,
},
}),
],
};
FAQs
Official Codecov Webpack plugin
The npm package @codecov/webpack-plugin receives a total of 35,640 weekly downloads. As such, @codecov/webpack-plugin popularity was classified as popular.
We found that @codecov/webpack-plugin demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.