Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@microsoft/api-extractor
Advanced tools
Analyze the exported API for a TypeScript library and generate reviews, documentation, and .d.ts rollups
@microsoft/api-extractor is a tool for managing and analyzing the public API surface of a TypeScript library. It helps in generating API reports, creating API documentation, and ensuring API compatibility.
Generate API Report
This feature allows you to generate an API report for your TypeScript library. The report includes details about the public API surface, which can be used for documentation and compatibility checks.
const { Extractor, ExtractorConfig } = require('@microsoft/api-extractor');
const path = require('path');
const configPath = path.join(__dirname, 'api-extractor.json');
const extractorConfig = ExtractorConfig.loadFileAndPrepare(configPath);
const extractorResult = Extractor.invoke(extractorConfig, {
localBuild: true,
showVerboseMessages: true
});
if (extractorResult.succeeded) {
console.log('API Extractor completed successfully');
} else {
console.error(`API Extractor completed with ${extractorResult.errorCount} errors`);
}
Generate API Documentation
This feature allows you to generate API documentation from the TypeScript library. The documentation is based on the public API surface and can be used for reference and development purposes.
const { Extractor, ExtractorConfig } = require('@microsoft/api-extractor');
const path = require('path');
const configPath = path.join(__dirname, 'api-extractor.json');
const extractorConfig = ExtractorConfig.loadFileAndPrepare(configPath);
const extractorResult = Extractor.invoke(extractorConfig, {
localBuild: true,
showVerboseMessages: true
});
if (extractorResult.succeeded) {
console.log('API documentation generated successfully');
} else {
console.error(`API documentation generation failed with ${extractorResult.errorCount} errors`);
}
Ensure API Compatibility
This feature allows you to ensure API compatibility by comparing the current API surface with a previously generated API report. It helps in maintaining backward compatibility and avoiding breaking changes.
const { Extractor, ExtractorConfig } = require('@microsoft/api-extractor');
const path = require('path');
const configPath = path.join(__dirname, 'api-extractor.json');
const extractorConfig = ExtractorConfig.loadFileAndPrepare(configPath);
const extractorResult = Extractor.invoke(extractorConfig, {
localBuild: true,
showVerboseMessages: true
});
if (extractorResult.succeeded) {
console.log('API compatibility check passed');
} else {
console.error(`API compatibility check failed with ${extractorResult.errorCount} errors`);
}
TypeDoc is a documentation generator for TypeScript projects. It generates API documentation directly from the source code, similar to how @microsoft/api-extractor generates API reports and documentation. However, TypeDoc focuses more on generating comprehensive documentation rather than managing API surfaces.
API Documenter is another tool from Microsoft that works in conjunction with API Extractor. It generates Markdown documentation from the API reports produced by API Extractor. While API Extractor focuses on analyzing and managing the API surface, API Documenter focuses on creating readable documentation.
TSDoc is a standard for documenting TypeScript code. It provides a consistent way to write comments and generate documentation. While TSDoc itself is not a tool, it is often used in conjunction with tools like TypeDoc and API Extractor to ensure consistent and comprehensive documentation.
API Extractor helps you build better TypeScript library packages. Suppose for example that your company has published an NPM package called "awesome-widgets" that exports many classes and interfaces. As developers start to depend on your library, you may encounter issues such as...
Accidental breaks: People keep reporting that their code won't compile after a supposedly "minor" update. To address this, you boldly propose that every awesome-widgets pull request must be approved by an experienced developer from your team. But that proves unrealistic -- nobody has time to look at every single PR! What you really need is a way to detect PRs that change API contracts, and flag them for review. That would focus attention in the right place... but how to do that?
Missing exports: Suppose the awesome-widgets package exports an API function AwesomeButton.draw()
that requires a parameter of type DrawStyle
, but you forgot to export this enum. Things seem fine at first, but when a developer tries to call that function, they discover that there's no way to specify the DrawStyle
. How to avoid these oversights?
Accidental exports: You meant for your DrawHelper
class to be kept internal, but one day you realize it's being exported. When you try to remove it, consumers complain that they're using it. How do we avoid this in the future?
Alpha/Beta graduation: You want to release previews of new APIs that are not ready for prime time yet. But if you did a major SemVer bump every time these definitions evolve, the villagers would be after you with torches and pitchforks! A better approach is to designate certain classes/members as alpha quality, then promote them to beta and finally to public as they mature. But how to indicate this to your consumers? (And how to detect scoping mistakes? A public function should never return a beta result.)
*.d.ts rollup: You webpacked your library into a nice *.js bundle file -- so why ship your typings as a messy tree of lib/*.d.ts files full of private definitions? Can't we consolidate them into a tidy *.d.ts rollup file? And if you publish internal/beta/public releases, each release type should get its own *.d.ts file with appropriate trimming. Developers building a production project don't want to see a bunch of internal and beta members in their VS Code IntelliSense!
Online documentation: You have faithfully annotated each TypeScript member with nice TSDoc descriptions. Now that your library has shipped, it's time to set up a nicely formatted API reference. What tool to use?
API Extractor provides an integrated, professional-quality solution for all these problems. It is invoked at build time by your toolchain and leverages the TypeScript compiler engine to:
Best of all, API Extractor is free and open source. Join the community and create a pull request!
For more details and support resources, please visit: https://api-extractor.com/
API Extractor is part of the Rush Stack family of projects.
FAQs
Analyze the exported API for a TypeScript library and generate reviews, documentation, and .d.ts rollups
The npm package @microsoft/api-extractor receives a total of 1,059,643 weekly downloads. As such, @microsoft/api-extractor popularity was classified as popular.
We found that @microsoft/api-extractor demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.