Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@omlet/cli
Advanced tools
Omlet (https://omlet.dev) is a component analytics tool that uses a CLI to scan your codebase to detect components and their usage. Get real usage insights from customizable charts to measure adoption across all projects and identify opportunities to impr
Omlet (https://omlet.dev) is a component analytics tool that uses a CLI to scan your codebase to detect components and their usage. Get real usage insights from customizable charts to measure adoption across all projects and identify opportunities to improve your components.
To learn more about Omlet and how to use it check out our documentation.
$ npm i --save-dev @omlet/cli
npx omlet login
To start the component analysis, navigate to the root of the repo you wish to scan and run the Omlet CLI:
npx omlet init
Follow the link in the CLI to take you to the Omlet Web App at feta.omlet.dev and view your analytics dashboard. Check out our docs on how to get started with insights from Omlet: https://docs.omlet.dev/getting-started/getting-insights-with-omlet
If you have multiple respositories, you can scan them into the same Omlet workspace and it will automatically correlate components defined in one repo that are used in another. No duplicate components or double counting of usage!
To scan a new repo, add @omlet/cli
as a dependency like before and run:
npx omlet analyze
You might need to define a configuration file in your repository if:
If you require extra configuration, create a new files named .omletrc.js
at the root of your repository and follow the instructions in the Omlet docs.
Omlet supplies sensible default configurations to ignore certain files such as Storybook stories documentation or test files.
**/node_modules/**
**/*.d.ts
**/stories/**/*
**/.storybook/**/*
**/*.stories.{jsx,tsx,js,ts}
**/*.{spec,test}.{jsx,tsx,js,ts}
**/{__test__,tests}/**/*.{jsx,tsx,js,ts}
To exclude more glob patterns, add the "ignore"
array to your .omletrc.js
config:
{
"ignore": [
"**/test_folder/**",
"**/another_test_folder/**"
]
}
You can also pass a glob pattern to the --ignore
option in the analyze CLI command to filter out directories, files, or components you do not want to track. The --ignore
option can be passed in multiple times for multiple patterns, e.g.
--ignore 'glob/one/' --ignore 'glob/two/'
Omlet is a product developed and provided by Zeplin, Inc. which has SOC 2 Type II attestation. For Omlet, we implement the same security controls as the rest of the Zeplin ecosystem. For more details, please head to the Security page in the Omlet docs.
Omlet detects and tracks only the components that are defined and exported from JS/TS modules. Local components, which are components used within the same module that are not exported, are not surfaced in Omlet.
In the example below, only ExportedButton will be tracked and reported in Omlet because it is defined and exported. Button is a local component used only within the button.tsx module, so it is excluded from the scanned results.
function Button() {
...
}
export function ExportedButton() {
...
return <Button/>;
}
Omlet detects and counts the unique usage of each component. If a component is used multiple times within the same component, Omlet considers it as a single usage.
In the given example, there are multiple instances of ListItem
within ListView
but Omlet will count this as a single usage of ListItem
.
Using the same example below, Omlet will also recognize that ListView is using Button indirectly through a local component ListButton. However, ListButton will not appear in the results.
import Button from "./Button";
import ListItem from "./ListItem";
function ListButton() {
...
return <Button/>;
}
export function ListView() {
...
return (
<div>
<div><ListItem/></div>
...
<div><ListItem/></div>
<div><ListButton/></div>
</div>
);
}
Omlet never collects, stores or upload your code. The scanning process is always done locally using the Omlet CLI available for download via NPM. Only metadata is collected. As a user, you have full control over what code Omlet will scan by choosing which repository it should scan. You also have the option to limit scanning to certain files or directories.
Regarding metadata, Omlet collects:
For troubleshooting purposes, other metadata we collect are:
Omlet CLI has an option to generate the output locally which you can use to inspect the data. You can do this by running:
omlet analyze --dry-run
This will generate a local file omlet.out.json with the scanned output that is normally uploaded to Omlet's Web app. When using --dry-run, the results are never uploaded.
FAQs
Omlet (https://omlet.dev) is a component analytics tool that uses a CLI to scan your codebase to detect components and their usage. Get real usage insights from customizable charts to measure adoption across all projects and identify opportunities to impr
The npm package @omlet/cli receives a total of 5,108 weekly downloads. As such, @omlet/cli popularity was classified as popular.
We found that @omlet/cli demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.