@ghuser/github-contribs
List all GitHub repos a user has contributed to since the beginning of time:
$ github-contribs AurelienLourot
✔ Fetched first day at GitHub: 2015-04-04.
⚠ Be patient. The whole process might take up to an hour... Consider using --since and/or --until
✔ Fetched all commits and PRs. Consider using --issues to fetch issues as well.
35 repo(s) found:
AurelienLourot/lsankidb
reframejs/reframe
dracula/gitk
...
$ sudo npm install -g @ghuser/github-contribs
To run your local changes:
$ yarn install
$ ./cli.js --help
Thanks goes to these wonderful people (emoji key):
Aurelien Lourot 💬 💻 📖
John Vandenberg 🐛 🤔
Jeaye Wilkerson 🐛
Hagar Shilo 🤔
Romuald Brillout 🤔
This project follows the all-contributors specification. Contributions of any kind welcome!
NOTE: if you should be on the list of contributors but we forgot you, don't be shy and let us know!
Normally, in order to retrieve all repositories a user has interacted with, one would query the GitHub Events API. Unfortunately it only returns the last 90 days, so we don't use it.
Instead we noticed that the "Contribution Activity" on the profile pages queries such URLs in the background:
So we're doing the same :)
NOTES:
It seems like created_issues URLs don't deliver "hot issues" (issues which received more comments than others):
$ curl -s "https://github.com/users/AurelienLourot/created_issues?from=2015-09-23&to=2015-09-23"
<div class="profile-rollup-content"> </div>
To get these, we also query the profile itself:
$ curl -s "https://github.com/AurelienLourot?from=2015-09-23" | grep issues/
<a class="text-gray-dark" href="/jfrog/build-info/issues/60">Publish properties aren't used by build-info-extractor-gradle?</a>
In the past we used to get the pull requests from a created_pull_requests URL, but this got removed. We now get the pull requests from the profile itself as well:
$ curl -s "https://github.com/AurelienLourot?from=2017-08-28" | grep pull/
<a href="/tt-gf/ant-ivy/pull/2" class="content-title no-underline">
We hit a rate limit. And since it's not an official API, we can't use a token to raise the limit.
NOTE: the rate limit seems to be 40 requests / minute / endpoint / IP. Thus even if crawling a single user takes about 3 hours on a single machine, crawling many users in parallel on that same machine should still take about 3 hours.
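As an added example (not the project's own code), the anchors quoted above can be turned into a repo list, and a per-day request plan can be sized against the 40 requests/minute/endpoint/IP limit reported here; the sample HTML is constructed from those anchors and the helper names are assumed, not the project's own stringToDate()/dateToString().

```javascript
// Added example, not part of @ghuser/github-contribs. Parses the contribution
// activity HTML GitHub returns for profile URLs such as
// https://github.com/<user>?from=YYYY-MM-DD and collects unique "owner/repo" slugs.
// SAMPLE_HTML is constructed from the anchors quoted in the README.
const SAMPLE_HTML = `
<div class="profile-rollup-content">
  <a class="text-gray-dark" href="/jfrog/build-info/issues/60">Publish properties aren't used by build-info-extractor-gradle?</a>
  <a href="/tt-gf/ant-ivy/pull/2" class="content-title no-underline">Fix</a>
  <a href="/tt-gf/ant-ivy/pull/3">Another PR in the same repo</a>
  <a href="/settings/profile">not a contribution link</a>
  <a href="https://evil.example/jfrog/build-info/issues/1">absolute link, ignored</a>
</div>`;

// Only accept site-relative links of the exact shape /owner/repo/(issues|pull)/N.
// Anchoring on href="/ and restricting the character class keeps unexpected
// markup in the untrusted HTML from producing bogus slugs.
const CONTRIB_LINK = /href="\/([A-Za-z0-9_.-]+)\/([A-Za-z0-9_.-]+)\/(?:issues|pull)\/\d+"/g;

function extractRepos(html) {
  const repos = new Set();
  for (const m of html.matchAll(CONTRIB_LINK)) {
    repos.add(`${m[1]}/${m[2]}`);
  }
  return [...repos].sort();
}

// Day-by-day iteration in the spirit of --since/--until: one profile request
// per day. Helper names below are assumed for this example.
function dateToString(d) { return d.toISOString().slice(0, 10); }
function nextDay(d) { return new Date(d.getTime() + 24 * 60 * 60 * 1000); }

// Builds the list of profile URLs to fetch and the minimum wall-clock time
// (seconds) needed to stay under perMinute requests per endpoint.
function planRequests(user, since, until, perMinute = 40) {
  const urls = [];
  for (let d = new Date(since + 'T00:00:00Z'); dateToString(d) <= until; d = nextDay(d)) {
    urls.push(`https://github.com/${encodeURIComponent(user)}?from=${dateToString(d)}`);
  }
  return { urls, minSeconds: Math.ceil((urls.length / perMinute) * 60) };
}
```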
Yes, it is, since that interface isn't public. We're monitoring it [1] and will react as fast as we can when it breaks.
[1] ghuser.io runs this tool every day.
github-contribs missed some of my commits. Why?
github-contribs can only discover commits considered as GitHub contributions, i.e. commits that would also appear in the activity section of your GitHub profile. For example, it doesn't discover commits in forks.
2.2.2 (2018-10-13): created_pull_requests "endpoint" is gone.
2.2.1 (2018-09-15):
2.2.0 (2018-08-09): --issues flag.
2.1.0 (2018-06-25): prevDay().
2.0.0 (2018-06-25): stringToDate() and dateToString().
1.0.0 (2018-06-11):
0.0.2 (2018-05-29):
0.0.1 (2018-05-29):
We found that @ghuser/github-contribs demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.