Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@envsa/shared-config
Advanced tools
A collection of shared configurations for various linters and formatting tools. All managed as a single dependency, and invoked via a single command.
A collection of shared configurations for various linters and formatting tools. All managed as a single dependency, and invoked via a single command.
This project attempts to consolidate most of the configuration and tooling shared by my open-source and internal TypeScript / Node based projects into a single dependency.
It takes care of dependencies and configurations for the following tools:
.npmrc
, .gitignore
, etc.)This readme is for the @envsa/shared-config
package, which depends on a number of tool-specific packages included in the kitschpatrol/shared-config
monorepo on GitHub, each of which is documented in its respective readme, linked below:
@envsa/cspell-config
@envsa/eslint-config
@envsa/mdat-config
@envsa/prettier-config
@envsa/repo-config
@envsa/stylelint-config
Any of these may be installed and run on their own via CLI if desired. However, in general, the idea is to use @envsa/shared-config
to easily run them all simultaneously over a repo with a single command with options to either check or (where possible) fix problems, with output aggregated into a single report.
Node 18+ and pnpm are required. It probably works with NPM and yarn, but I haven't tested it.
Bootstrap a new project and open in VS Code:
git init && pnpm init && pnpm pkg set type="module" && pnpm dlx @envsa/repo-config --init && pnpm add -D @envsa/shared-config && pnpm shared-config --init && pnpm i && code .
This might overwrite certain config files, so commit first:
pnpm dlx @envsa/repo-config --init && pnpm i && pnpm add -D @envsa/shared-config && pnpm shared-config --init
Install the requisite .npmrc
:
pnpm dlx @envsa/repo-config --init
Install the package:
pnpm add -D @envsa/shared-config
Add default config files for all the tools to your project root:
pnpm shared-config --init
Add helper scripts to your package.json
:
These work a bit like npm-run-all to invoke all of the bundled tools.
"scripts": {
"format": "shared-config --fix",
"lint": "shared-config --lint",
}
Various VS Code plugins should "just work".
To lint your entire project, after configuring the package.json
as shown above:
pnpm run lint
To run all of the tools in a potentially destructive "fix" capacity:
pnpm run format
shared-config
A collection of shared configurations for various linters and formatting tools. All managed as a single dependency, and invoked via a single command.
Usage:
shared-config [<file|glob> ...]
Option | Argument | Description |
---|---|---|
--init -i | Initialize by copying starter config files to your project root. | |
--check -c | Check for and report issues. Same as shared-config . | |
--fix -f | Fix all auto-fixable issues, and report the un-fixable. | |
--print-config -p | <path> | Print the effective configuration at a certain path. |
--help -h | Print this help info. | |
--version -v | Print the package version. |
Recall that the @envsa/shared-config
package aggregates integration and invocation of the other tool-specific packages in this monorepo. Running a cli command on shared-config
effectively runs the same command against all the tool-specific packages.
Each package has a simple /src/cli.ts
file which defines the behavior of its eponymous binary. The build step turns these into node "binary" scripts, providing default implementations where feasible.
The monorepo must be kept intact, as the sub-packages depend on scripts in the parent during build.
Pnpm considers module hoisting harmful, and I tend to agree, but certain exceptions are carved out as necessary:
CSpell, mdat, ESLint, and Prettier all need to be hoisted via public-hoist-pattern
to be accessible in pnpm exec
scripts and to VS Code plugins.
Even basic file-only packages like repo-config
seem to need to be hoisted via for their bin scripts to be accessible via pnpm exec
prettier
and eslint
packages are hoisted by default in pnpm
The repo uses placeholders for the bin script for each tool to avoid circular dependency issues during pnpm install
.
To tell git to ignore changes to the placeholders, run pnpm run bin-ignore
.
For local development via pnpm
, use file:
dependency protocol instead of link:
Something to investigate: An approach to ignoring style rules in VS Code, and possibly migrate all style to
Eric Mika is the author of the original @kitschpatrol/shared-config project on which this is based.
MIT © Liam Rella
FAQs
A collection of shared configurations for various linters and formatting tools. All managed as a single dependency, and invoked via a single command.
We found that @envsa/shared-config demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.