Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@eroc/core
Advanced tools
core is a concept introduced by Nicholas C. Zakas in this video
It helps you create scalable applications written in Javascript, giving you some structure and patterns to keep everything separated.
Conceptually, everything in your application is a module, and your modules should work independently from each other, so if one module breaks, the others should not.
The central piece is the core.
A module should never talks directly to another module, for that you use a combination of listeners and notifications.
So let's think about the twitter page, and how we could re-build it using the core concept
Everything inside a red square is a module, they work in a way that they don't depend on any other modules, and they should be programmed that way as well.
npm i @eroc/core
Raw import
import { Core, ALL, ERROR } from "./node_modules/@eroc/core/dist/core.js";
With rollup, webpack or parcel
import { Core, ALL, ERROR } from "@eroc/core";
NodeJs or Browserify
const { Core, ALL, ERROR } = require("@eroc/core");
Let's start with the tweet module.
A module exports start and optionally a stop function.
export { start, stop };
const start = function (emitter) {
return {};
};
const stop = function (instance) {
// instance is what start returned
// this allows to close open files, sockets, etc
};
To start this module in your core file:
import { Core } from "@eroc/core";
import * as exampleModule from "./exampleModule.js";
const core = new Core();
core.start(exampleModule);
Modules can only communicate via messages with other modules with the emitter received when start is called. It garantees that if a module tries to call something that doesn't exists or is broken, it won't break the module itself.
emitter.on(EVENT_NAME, function (data) {
});
emitter.emit(EVENT_NAME, { a: 7 });
To avoid spelling mistakes, import event names from a common file called eventNames.js.
You might want to stop a module in some point, this can be easily done using the method core.stop()
.
const exampleId = core.start(exampleModule);
core.stop(exampleId);
When you stop a module, the function stop
will be called, if it exists.
Now, thinking about Twitter, everytime you tweet something, it should appear on your tweet list right? but since our modules don't talk directly to each other, let's use the emitter.
First of all, our tweet
module should notify other modules that something has happened.
export { start };
const start = function(emitter) {
// For the sake of simplicity, use an interval
setInterval(function() {
emitter.emit(NEW_TWEET, {
author: 'Mauricio Soares',
text: 'core is pretty #cool'
});
}, 5 * 1000)
};
Every 5 seconds, this module notifies everything that is listening to NEW_TWEET
that something has happened. If nothing is listening to it, then nothing happens.
Our tweet-list
is going to listen for this notifications.
export { start };
const start = function (emitter) {
emitter.on(NEW_TWEET, (data) => {
// do something with the data
});
};
Cool right? If one of those modules stop working, than it won't break the other one!
module
The module as a name-space (import * as exampleModule from "./exampleModule.js")options
optional object
returns a promise that resolves with moduleInstanceId that can later be used to stop the module
const exampleInstanceId = await Core.start(exampleModule);
await core.stop(exampleInstanceId);
Constant to listen to all events
// listen for all events
core.on(ALL, ({ name, data, time }) => {
const timeString = new Date(time).toISOString();
console.debug(`${timeString} event ${String(name)} with data`, data);
});
Constant to listen to most errors
// listen for errors
core.on(ERROR, ({ time, phase, error }) => {
const timeString = new Date(time).toISOString();
console.error(`Error during phase ${phase} at ${timeString}`);
console.error(error);
});
git checkout -b my_branch
git push origin my_branch
You need NodeJS installed on your machine
npm i
npm run bundle
npm t
Core.stopAll
Core.startAll
x
to use
in Sandbox
(The MIT License)
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the 'Software'), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
FAQs
Lightweight framework for scalable applications
The npm package @eroc/core receives a total of 0 weekly downloads. As such, @eroc/core popularity was classified as not popular.
We found that @eroc/core demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.