Research
2025 Report: Destructive Malware in Open Source Packages
Destructive malware is rising across open source registries, using delays and kill switches to wipe code, break builds, and disrupt CI/CD.
By Kush Pandya - Dec 24, 2025
@microsoft/rush-lib
Advanced tools
@microsoft/rush-lib
This is a companion package for the Rush tool. See the @microsoft/rush package for details.
The rush-lib package implements the rush.json config file loader and some other helpful utilities. Tools that want to reuse this functionality can install rush-lib alone to avoid inadvertently adding another "rush" executable to the command-line path (which might interfere with the globally installed Rush).
The @microsoft/rush version number is always exactly equal to the @microsoft/rush-lib version number that it depends on.
API documentation for this package: https://rushjs.io/pages/advanced/api/
Links
- CHANGELOG.md - Find out what's new in the latest version
- API Reference
Rush is part of the Rush Stack family of projects.
Other packages similar to @microsoft/rush-lib
lerna
Lerna is a popular tool for managing JavaScript projects with multiple packages. It optimizes the workflow around managing multi-package repositories with git and npm. Compared to @microsoft/rush-lib, Lerna is more focused on JavaScript and TypeScript projects and offers a simpler setup, but it may not scale as well for very large monorepos.
nx
Nx is a set of extensible dev tools for monorepos, which helps you develop like Google, Facebook, and Microsoft. It offers powerful integrations with modern frameworks and libraries. Compared to @microsoft/rush-lib, Nx provides more advanced features for code generation, testing, and CI/CD pipelines, making it a more comprehensive solution for modern web development.
FAQs
A library for writing scripts that interact with the Rush tool
We found that @microsoft/rush-lib demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Package last updated on 13 May 2025
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Engineering with AI Podcast: The Promise of AI-First Development
Socket CTO Ahmad Nassri shares practical AI coding techniques, tools, and team workflows, plus what still feels noisy and why shipping remains human-led.
By Sarah Gooding - Dec 24, 2025
Research
/Security News
Spearphishing Campaign Abuses npm Registry to Target U.S. and Allied Manufacturing and Healthcare Organizations
A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, targeting 25 organizations across manufacturing, industrial automation, plastics, and healthcare for credential theft.
By Nicholas Anderson, Kirill Boychenko - Dec 23, 2025