
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@pafa/release
Advanced tools
Paf Release is a tool used for publishing all packages, generating change logs, and checking commit messages, relying on pnpm.
pnpm add @pafa/release -D
# Release all packages and generate changelogs
npx vr release
# Specify remote name
npx vr release -r TODO paf-release
# or
npx vr release --remote TODO paf-release
# Just generate changelogs
npx vr changelog
# Specify changelog filename
npx vr changelog -f changelog.md
# or
npx vr changelog --file changelog.md
# Lint commit message
npx vr lint-commit -p .git/COMMIT_EDITMSG
# Publish to npm, which can be called in the ci environment
npx vr publish
| Params | Instructions |
|---|---|
| -r --remote <remote> | Specify remote name |
| -s --skip-npm-publish | Skip npm publish |
| -c --check-remote-version | Check if the remote version of the npm package is the same as the one you want to publish locally, if so, stop execution. |
| -sc --skip-changelog | Skip generate changelog |
| -sgt --skip-git-tag | Skip git tag |
| -nt --npm-tag <npmTag> | npm tag |
| Params | Instructions |
|---|---|
| -f --file <filename> | Specify changelog filename |
| --releaseCount <releaseCount> | Release count |
| Params | Instructions |
|---|---|
| -p --commitMessagePath <path> | The path of the temporary file to which the git message is submitted. The git hook commit-msg will pass this parameter |
| -r --commitMessageRe <reg> | Validate the regular of whether the commit message passes |
| -e --errorMessage <message> | Validation failed to display error messages |
| -w --warningMessage <message> | Validation failed to display warning messages |
| Params | Instructions |
|---|---|
| -c --check-remote-version | Detects whether the remote version of the npm package is the same as the package version to be published locally, and if it is, skip the release |
| -nt --npm-tag <npmTag> | npm tag |
import { release, changelog } from '@pafa/release'
// Do what you want to do...
release()
You can pass in a task that will be called before the publish after the package version is changed.
import { release, changelog } from '@pafa/release'
async function task() {
await doSomething1()
await doSomething2()
}
release({ task })
interface PublishCommandOptions {
preRelease?: boolean
checkRemoteVersion?: boolean
npmTag?: string
}
function publish({ preRelease, checkRemoteVersion, npmTag }: PublishCommandOptions): Promise<void>
function updateVersion(version: string): void
interface ReleaseCommandOptions {
remote?: string
skipNpmPublish?: boolean
skipChangelog?: boolean
skipGitTag?: boolean
npmTag?: string
task?(newVersion: string, oldVersion: string): Promise<void>
}
function release(options: ReleaseCommandOptions): Promise<void>
interface ChangelogCommandOptions {
file?: string
releaseCount?: number
}
function changelog({ releaseCount, file }?: ChangelogCommandOptions): Promise<void>
const COMMIT_MESSAGE_RE: RegExp
function isVersionCommitMessage(message: string): string | false | null
function getCommitMessage(commitMessagePath: string): string
interface CommitLintCommandOptions {
commitMessagePath: string
commitMessageRe?: string | RegExp
errorMessage?: string
warningMessage?: string
}
function commitLint(options: CommitLintCommandOptions): void
[MIT](TODO release/blob/main/LICENCE)
FAQs
release all packages and generate changelogs
The npm package @pafa/release receives a total of 8 weekly downloads. As such, @pafa/release popularity was classified as not popular.
We found that @pafa/release demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.