Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
@open-formulieren/design-tokens
Advanced tools
Open Forms projects follow the NL Design System. We organize the design tokens in JSON files and use them in downstream projects like the SDK and the Open Forms backend project.
Specify the design tokens in JSON files, which are picked up and merged using the style-dictionary library. The resulting packages include various build targets, such as ES6 modules, CSS variables files, SASS vars... to be consumed in downstream projects.
The draft Design Token Format drives the structure of these design tokens.
Using tokens
If you are only consuming the design tokens, the easiest integration path is adding the NPM package as dependency to your project:
npm install --save-dev @open-formulieren/design-tokens
Then, import the desired build target artifact and run your usual build chain.
Developing and using tokens
If you actively need to add or change design tokens, we recommend installing the package locally and
using npm workspaces or npm link
for the least-friction experience. For Open Forms specifically,
we include the package as a git-submodule and leverage npm workspaces with instructions in the
downstream projects.
This allows you to create atomic PRs with design token changes, while being able to develop against the newest changes.
Run:
npm start
to start the watcher which will re-build on changes.
Because of the way style-dictionary works, you have to pay close attention to the structure of the tokens. E.g. if you have two tokens definition files like:
{
"of": {
"color": {
"fg": {"value": "#000000"}
}
}
}
{
"of": {
"color": {
"fg": {
"muted": {"value": "#000000"}
}
}
}
}
Then only --of-color-fg
will be emitted since the merged object sees a value
key at the
of.color.fg
path.
You can usually avoid this by sticking to a structure adhering to:
<prefix>.<component>.<modifier>.<UIState>.<CSSProperty>
Where UIState
can be blank or a value like hover
, active
...
Alternatively, if the structure is not that important, you can put the tokens on the same level, e.g.:
{
"of": {
"color": {
"fg-muted": {"value": "#000000"}
}
}
}
The latter form is harder to keep track off across files though.
We don't let npm
apply the git tags when releasing a new version, instead follow this process:
npm version minor
git commit -am ":bookmark: Bump to version <newVersion>"
git tag "<newVersion>"
git push origin main --tags
If you have PGP keys set up, you can use them for the git tag operation.
The CI pipeline will then publish the new version to npmjs.
FAQs
Design tokens for Open Forms
We found that @open-formulieren/design-tokens demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.