Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@cypress/commit-message-install
Advanced tools
NPM install a package by name taken from the last commit message
NPM install a package by name taken from the last commit message
Requires Node version 6 or above.
npm install --save-dev @cypress/commit-message-install
yarn add -D @cypress/commit-message-install
or globally
npm i -g @cypress/commit-message-install
yarn global @cypress/commit-message-install
We are trying to use the same minimum version of Node as Cypress
Imagine you have a CI build that installs NPM dependencies, but you also want to
override one or more dependencies and test by creating a commit. Instead of changing
package.json
you can make a commit message with embedded JSON block describing
custom installation. Then use this CLI tool to install based on the commit message.
Example CI file command
- npm i -g @cypress/commit-message-install
- commit-message-install
If commit message is this
this will install package debug and chalk and while
installing them will set environment variable FOO to "bar".
The install will happen on all platforms
```json
{
"platform": "*",
"architecture": "x64",
"packages": "debug,chalk"
}
```
Happy installation
note platform
can be *
or specific one like darwin
(from Node os.platform()
) or a list of several platforms like darwin,linux
. architecture
is usually 64 bit x64
as returned by os.arch()
.
You can install using commit message from a specific commit (not the current one)
$ $(npm bin)/commit-message-install --sha f81a00
You can specify a command to run if commit message has no JSON block. For example you can install default dependency
$ $(npm bin)/commit-message-install --else "npm install foo-bar"
If the commit message allows a specific platform, you can run any command, while setting environment variables from the commit message. For example if th commit message embeds the following JSON block
{
"platform": "win32",
"env": {
"FOO": "bar"
}
}
and the CI has command run-if echo Foo is \\$FOO
, then on Windows CI it will print
Foo is bar
and on other platforms it will skip this step.
In general, if you use commit-message-install
on the CI, then you should use run-if
command as well!
For example, here are CircleCI steps that install default dependencies, but then run
conditional steps
steps:
- checkout
- run: npm install
- run: $(npm bin)/commit-message-install
- run: $(npm bin)/run-if $(npm bin)/cypress version
- run: DEBUG=cypress:cli $(npm bin)/run-if $(npm bin)/cypress verify
Very useful to notify other projects asynchronously via GitHub commit states.
$(npm bin)/set-status --label "context label" --state success --description "short message"
State can be "error", "pending", "failure" or "success". --label
is optional, if not set, then the platform and the package name will be used.
You can use script has-message
to check if the last or a specific commit has JSON commit information block
$(npm bin)/has-message
$(npm bin)/has-message --sha f81a00
If there is a message in the commit's body the script will exit with code 0. Otherwise it will exit with code 1.
See commit-message-install-example repo for an example. Here is CircleCI halting if there is no commit message JSON
# install tool locally
- run: npm install @cypress/commit-message-install
- run: |
if ! $(npm bin)/has-message; then
echo Stopping early, no commit message
circleci-agent step halt
else
echo All good, found commit message JSON
fi
# install tool globally using Yarn
- run: yarn global @cypress/commit-message-install
- run: |
if ! has-message; then
echo Stopping early, no commit message
circleci-agent step halt
else
echo All good, found commit message JSON
fi
Extracts JSON block from the current Git message text
const {getJsonFromGit} = require('@cypress/commit-message-install')
getJsonFromGit()
.then(json => {
// {platform: 'win32', packages: 'foo', branch: 'test-branch'}
})
If there is no valid JSON object in the message, resolves with undefined
.
You can form good Json object to be included in markdown json
block in the body of
the commit message using provided function
const {getInstallJson} = require('@cypress/commit-message-install')
// package(s), env, platform, branch name (optional)
const json = getInstallJson('foo',
{foo: 42}, 'linux', 'test-branch', 'b7ccfd8')
// returns an object
// {
// platform: "linux",
// env: {foo: 42},
// packages: "foo",
// branch: "test-branch",
// commit: "b7ccfd8"
// }
You can pass individual package name like debug
or several as a single string
debug chalk
or a list ['debug', 'chalk']
You can pass for platform either individual os.platform()
or a "*"" for all, and even
several platforms like win32,linux
or linux|darwin
.
After getting JSON from a commit message you can install dependencies
const {getInstallJson, npmInstall} = require('@cypress/commit-message-install')
getInstallJson()
.then(npmInstall)
DEBUG=commit-message-install
environment variable set--file <filename>
optionAuthor: Gleb Bahmutov <gleb.bahmutov@gmail.com> © 2017
License: MIT - do anything with the code, but don't blame me if it does not work.
Support: if you find any problems with this module, email / tweet / open issue on Github
Copyright (c) 2017 Cypress.io
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
FAQs
NPM install a package by name taken from the last commit message
We found that @cypress/commit-message-install demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.