🚨 Shai-Hulud Strikes Again:More than 500 packages and 700+ versions compromised.Technical Analysis β†’
Socket
Book a DemoInstallSign in
Socket
Book a DemoInstallSign in

@esy-nightly/esy

Package Overview
Dependencies
Maintainers
3
Versions
615
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@esy-nightly/esy

Package builder for esy.

npmnpm
Version
0.7.2-27-ga18fbd93
Version published
Weekly downloads
42
7.69%
Maintainers
3
Weekly downloads
Β 
Created
Source

esy

package.json workflow for native development with Reason/OCaml

Build Status

This README serves as a development documentation for esy. For user documentation refer to esy.sh documentation site.

Repository structure

The following snippet lists esy repository structured (omitting irrelevant or obvious items) with further explanations:

β”œβ”€β”€ CHANGELOG.md
β”œβ”€β”€ LICENSE
β”œβ”€β”€ README.md
β”‚
β”œβ”€β”€ Makefile
β”‚   Common tasks and workflows for esy development.
β”‚
β”œβ”€β”€ bin/esy
β”‚   symlink (wrapper on Windows) for esy command, used for running tests
β”‚
β”œβ”€β”€ bin/esyInstallRelease.js
β”‚   postinstall step for npm releases produced with `esy npm-release`
β”‚   command. This is a built JS file which is developed in a separate flow
β”‚   inside `esy-install-npm-release/` subdirectory (see below).
β”‚
β”œβ”€β”€ docs
β”‚   esy end user documentation in markdown format.
β”‚
β”œβ”€β”€ dune
β”œβ”€β”€ dune-project
β”‚
β”œβ”€β”€ esy
β”‚   This dune library implements sandbox builder - a routine which builds
β”‚   the entire dependency graph and provides other introspection APIs.
β”‚
β”œβ”€β”€ esy/bin
β”‚   This dune executable implements "esy" command.
β”‚
β”œβ”€β”€ esy-solve
β”‚   This dune library implements solver.
β”‚
β”œβ”€β”€ esy-fetch
β”‚   This dune library implements installer - fetching and installing of package sources
β”‚
β”œβ”€β”€ esy-build-package
β”‚   This dune library implements package builder. esy library uses this to
β”‚   build each package.
β”‚
β”œβ”€β”€ esy-build-package/bin
β”‚   This dune executable implements "esy-build-package" command.
β”‚
β”œβ”€β”€ esy-install-npm-release
β”‚   Sources for `bin/esyInstallRelease.js`.
β”‚
β”œβ”€β”€ esy-command-expression
β”‚   Parser for #{...} syntax used in esy manifests.
β”‚
β”œβ”€β”€ esy-shell-expansion
β”‚   A simple shell expansion.
β”‚
β”œβ”€β”€ esy-lib
β”‚   A collection of utility modules shared between other libraries.
β”‚
β”œβ”€β”€ site
β”‚   Sources for https://esy.sh
β”‚
β”œβ”€β”€ esy.lock
β”‚   Lock files. Esy uses itself for development
β”‚
β”œβ”€β”€ package.json
β”‚   Manifest for yarn to manage NPM dependencies of this project
β”‚
β”œβ”€β”€ scripts
β”‚
β”œβ”€β”€ test
β”‚   Unit tests.
β”‚
β”œβ”€β”€ test-e2e-slow
β”‚   End-to-end test suite which takes a significant amount of time since they're 
β”‚   not mocked or rarely so.
β”‚   We execute it on CI by placing `@slowtest` token in commit messages.
β”‚
└── test-e2e
    End-to-end test suite that dont need the network. Heavily mocked

Workflow

To make changes to esy and test them locally:

% git clone  --recurse-submodules git://github.com/esy/esy.git
% cd esy # Change to the cloned directory
% esy # install and build dependencies

And then run newly built esy executable from anywhere by adding PATH_TO_REPO/_build/install/default/bin to the $PATH during the shell's session. On Windows, append PATH_TO_REPO/bin too.

Updating bin/esyInstallRelease.js

bin/esyInstallRelease.js is developed separately within the esy-install-npm-release/ directory.

Run:

% make bin/esyInstallRelease.js

to update the bin/esyInstallRelease.js file with the latest changed, don't forget to commit it.

Running Tests

esy has primarily 3 kinds of tests.

  • Unit tests - useful when developing parsers etc
  • Slow end-to-end tests
  • Fast end-to-end tests

Unit Tests

These are present inline in the *.re files. To run them,

esy b dune runtest

Fast end-to-end tests

These are present in test-e2e folder and are written in JS. They're run by jest

yarn jest

Slow end-to-end tests

They're present in test-e2e-slow and are written in JS. They're supposed to mimick the user's workflow as closely as possible.

By placing @slowtest token in commit messages, we mark the commit ready for the slow tests framework (tests that hit the network). They are run with node test-e2e-slow/run-slow-tests.js

Windows

In cases e2e tests fail with Host key verification failed., you might have to create ssh keys in the cygwin shall and add them to your github profile.

  • Enter cygwin installed by esy (not the global one)
.\node_modules\esy-bash\re\_build\default\bin\EsyBash.exe bash
  • Generate ssh keys
ssh-keygen

  • Add the public key to you Github profile

  • Add the following to the bash rc of the cygwin instance

eval $(ssh-agent -s)
ssh-add ~/.ssh/id_rsa

Branches

There are two branches:

  • master β€” the active development, we cut new versions out of there regularly.
  • 0.0.x β€” maintainance branch for 0.0.x releases.
  • 0.2.x β€” maintainance branch for 0.2.x releases.
  • 0.3.x β€” maintainance branch for 0.3.x releases.

Workflow for esy.sh

To make changes to esy.sh:

  • Bootstrap site's dev environment:
% make site-bootstrap
  • Run site locally:
% make site-start
  • When you are happy with the changes:
% make site-publish

Issues

Issues are tracked at esy/esy.

Publishing Releases

esy is released on npm.

Because esy is written in OCaml/Reason and compiled into a native executable we need to acquire a set of prebuilt binaries for each supported platform (Windows, macOS and Linux). We employ CI servers (thanks Azure) to build platform specific releases.

The release workflow is the following:

  • Ensure you are on master branch and assuming you want to release the version currently defined in package.json (see step 6.), run

    % make release-tag
% git push && git push --tags

  • Wait till CI finishes its task and release @esy-nightly/esy package.

    You can test it manually.

  • Run

    % make release-prepare

    which downloads the nightly corresponding to the current commit working directory is at and "promotes" it to a release. It will create _release/package directory.

  • Ensure release inside _release/package directory is ok.

    You can cd _release/package && npm pack && npm install -g ./esy-*.tgz to test how release installs and feels.

  • Run

    % make release-publish

    to upload the release on npm.

    Use

    % make NPM_RELEASE_TAG=next release-publish

    to publish the release under next tag (so users won't get it automatically but only explicitly requested).

  • Bump version in package.json to the next patch version.

    We expect the next version to be mostly a patch version. In case you want to release new minor or major version you need to bump it before the release.

FAQs

Package last updated on 30 Nov 2023

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Shai Hulud Strikes Again (v2)

Research

/

Security News

Shai Hulud Strikes Again (v2)

Another wave of Shai-Hulud campaign has hit npm with more than 500 packages and 700+ versions affected.

By Socket Research TeamΒ  - Β Nov 24, 2025
Introducing Webhook Events for Alert Changes

Product

Introducing Webhook Events for Alert Changes

Add real-time Socket webhook events to your workflows to automatically receive software supply chain alert changes in real time.

By Phil Gates-IdemΒ  - Β Nov 21, 2025