
@labz/semver
Tests of publishing npm packages in the @labz org
npmjs.com is used to store and version assets, but it has no CDN of its own. Two services fill that role: jsdelivr.net and unpkg.com.
The public npm package is called @labz/semver and uses Semantic Versioning 2.0.0.
The minimum needed to publish an npm package is the following:
mkdir semver
cd semver
npm init --scope=@labz --force
echo 'alert("@labz/semver@0.0.0")' > index.js
npm publish --access public
output:
npm notice
npm notice 📦 @labz/semver@0.0.0
npm notice === Tarball Contents ===
npm notice 28B index.js
npm notice 340B package.json
npm notice 964B README.md
npm notice === Tarball Details ===
npm notice name: @labz/semver
npm notice version: 0.0.0
npm notice package size: 842 B
npm notice unpacked size: 1.3 kB
npm notice shasum: 36e0ffc1b9018b9d5b9f7fd70b31946194138248
npm notice integrity: sha512-6fpiPOJHA7MQq[...]NFqIPEB0OZlwQ==
npm notice total files: 3
npm notice
+ @labz/semver@0.0.0
Use a dist-tag so as not to disturb the versions in production (dev, test, beta, alpha, next; the default tag is latest):
npm publish --tag dev
curl -Li https://unpkg.com/@labz/semver@dev
To only see which files will be included in the package:
npm publish --dry-run
jsdelivr caches the response, and that cache has to be purged explicitly to clear it:
curl -I https://cdn.jsdelivr.net/npm/@labz/semver
HTTP/2 200
access-control-allow-origin: *
access-control-expose-headers: *
timing-allow-origin: *
cache-control: public, max-age=604800, s-maxage=43200
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-type: application/javascript; charset=utf-8
etag: W/"f3-/lk7X7oGrYFrvMYtCzq4XR/K2vY"
accept-ranges: bytes
date: Tue, 14 Jul 2020 05:15:14 GMT
age: 564
x-served-by: cache-fra19160-FRA, cache-gru17139-GRU
x-cache: HIT, HIT
vary: Accept-Encoding
content-length: 243
unpkg redirects to the resolved version, with the redirect cached in the browser for 1 minute and in the CDN for 10 minutes.
curl -LI https://unpkg.com/@labz/semver
HTTP/2 302
date: Tue, 14 Jul 2020 05:16:38 GMT
content-type: text/plain; charset=utf-8
content-length: 41
access-control-allow-origin: *
cache-control: public, s-maxage=600, max-age=60
location: /@labz/semver@0.0.0
vary: Accept
x-cloud-trace-context: dc84e19e140a5953ce518ce94806e67c
cf-cache-status: HIT
age: 34
cf-request-id: 03ed59f7690000f66f232b6200000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
server: cloudflare
cf-ray: 5b28c5d24969f66f-GRU
HTTP/2 302
date: Tue, 14 Jul 2020 05:16:38 GMT
content-type: text/plain; charset=utf-8
content-length: 50
access-control-allow-origin: *
cache-control: public, max-age=31536000
location: /@labz/semver@0.0.0/index.js
vary: Accept
x-cloud-trace-context: 7875e958b1a50645050087c061365fe0
cf-cache-status: HIT
age: 703
cf-request-id: 03ed59f7870000f66f232b8200000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
server: cloudflare
cf-ray: 5b28c5d27986f66f-GRU
HTTP/2 200
date: Tue, 14 Jul 2020 05:16:38 GMT
content-type: application/javascript; charset=utf-8
vary: Accept-Encoding
access-control-allow-origin: *
cache-control: public, max-age=31536000
last-modified: Sat, 26 Oct 1985 08:15:00 GMT
etag: W/"1c-6QAw92pHlwg0xuXK4Rodk9Nmqxc"
x-cloud-trace-context: b811446b34cffe5c6cc130c74299819e
cf-cache-status: HIT
age: 888
cf-request-id: 03ed59f7a60000f66f232c0200000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
server: cloudflare
cf-ray: 5b28c5d2a9b8f66f-GRU
We found that @labz/semver has an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.