@opticss/code-style
Advanced tools
css-blocks and OptiCSS
This project adheres to the following conventions for code and its style. These conventions govern the code that runs during build-time. There are separate conventions for code intended to run in the browser.
Starting with Node 8, css-blocks, OptiCSS and related projects will support all Active LTS releases of Node. Once a node version moves into "Maintenance LTS" we reserve the right to drop support for it with the next minor release. Our projects are configured to set the node engine version in their package.json, so such releases will not regress for projects using older versions of node — but bug fixes and new features may not be released.
The exception is that critical security patches will be released for versions of our software to support projects using Node versions that remain in Maintenance LTS mode.
The specific lint rules that are run are not covered here. The source of truth is found in the configuration files below. Not all code style can be linted; here's what else you need to know:
yarn test for every node package.
for ... of loops for iteration.
forEach should only be used to apply an existing function to values in an array. Never use a local function with forEach.
for ... of loops.
any. There are very few times it's necessary. We use the type whatever from @opticss/util to express very generic values without introducing the infectious semantics of any.
Exceptions:
Test code is linted like source code. Exceptions and additions to those rules are listed here:
ts-mocha, chai for assertions.
This project recommends the use of Visual Studio Code and includes configuration for integrating with it. The configuration enhances the IDE experience with the project's tooling choices and makes things like interactive debugging work easily while running the tests.
configs/tslint.interactive.json - These lints affect the way code is written and usually can't be fixed automatically. They are well-suited to be run interactively while you develop. If you use VSCode, our provided configuration files will automatically be set up to run only these lints while you're writing code.
configs/tslint.cli.json - Lints that are best to run from the CLI after tests pass or before commit. Usually these can be fixed automatically by running lerna run lintfix. Automated fixers aren't perfect, so we recommend running the code after staging a commit so you can see what it did by running a git diff or with git add -p. When you run yarn test on a package or lerna run test on the repo, these lints will be used. This lint configuration file inherits from tslint.interactive.json.
configs/tslint.release.json - These lints perform sanity checks against code that is about to be released or checked in. These lints would be annoying under normal development workflows and so they're not included. This lint configuration file inherits from tslint.interactive.json.
and rule customization for test code. This configuration does not extend any other configuration files. It is meant to be combined with the others for tests.
FAQs
Configuration and tools to manage the code style of css-blocks.
We found that @opticss/code-style demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.