Research
Security News
Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
@pika/pack
Advanced tools
@pika/pack • npm package building, reimagined.
Getting started is easy:
// 1. Install it!
$ npm install -g @pika/pack
// 2. Add this to your package.json manifest:
"@pika/pack": {
"pipeline": []
}
// 3. Run it!
$ pack build
So now what? If you run pack build
with an empty pipeline, you'll get an empty package build. @pika/pack lets you connect pre-configured plugins to build and optimize your package for you. Plugins wrap already-popular tools like Babel and Rollup with npm-optimized config options, removing the need to fiddle with much (if any) configuration yourself. You even get a generated package.json manifest configured for you automatically.
// Before: Your top-level package.json manifest:
{
"name": "simple-package",
"version": "1.0.0",
"@pika/pack": {
"pipeline": [
["@pika/plugin-standard-pkg", {"exclude": ["__tests__/*"]}],
["@pika/plugin-build-node"],
["@pika/plugin-build-web"],
["@pika/plugin-build-types"]
]
}
}
Builders are simple, single-purpose build plugins defined in your package.json
. For example, @pika/plugin-build-node
& @pika/plugin-build-web
build your package for those different environments. Other, more interesting builders can bundle your web build for unpkg, generate TypeScript definitions from your JavaScript, addon a standard CLI wrapper for Node.js builds, and even compile non-JS languages to WASM (with JS bindings added).
// After: your built "pkg/" package.json manifest:
{
"name": "simple-package",
"version": "1.0.0",
// Multiple distributions, built & configured automatically:
"esnext": "dist-src/index.js",
"main": "dist-node/index.js",
"module": "dist-web/index.js",
"types": "dist-types/index.d.ts",
// With sensible package defaults:
"sideEffects": false,
"files": ["dist-*/", "assets/", "bin/"]
}
This is all possible because @pika/pack builds your entire package: code, assets, and even package.json manifest. By building the entire package, you end up with a fully-built pkg/
directory, ready to publish. Entry points like "main", "module", "umd:main", "types", "unpkg", "files", and even advanced options like "sideEffects" are all handled by your build pipeline.
NOTE: Include a source builder early in your pipeline. Source builders take your modern source code (ESNext, TS, etc.) and compile it to standard, ES2018 JavaScript. Other builders will then use this standardized build to base their own work off of.
@pika/plugin-standard-pkg
: Compiles JavaScript/TypeScript to ES2018. Supports personalized, top-level .babelrc
plugins/config.@pika/plugin-ts-standard-pkg
: Compiles TypeScript to ES2018 (Uses tsc
internally instead of Babel, and builds type definitions automatically).@pika/plugin-source-bucklescript
: Builds ES2018 JavaScript from ReasonML or OCaml via BuckleScript.@pika/plugin-build-deno
: Builds a distribution that runs on Deno (TS projects only).@pika/plugin-build-node
: Builds a distribution that runs on Node LTS (v6+).@pika/plugin-build-types
: Builds TypeScript definitions from your TS, or automatically generate them from your JS. Not required if you use @pika/plugin-ts-standard-pkg
.@pika/plugin-build-web
: Builds an ESM distribution optimized for browsers & bundlers.@pika/plugin-wasm-assemblyscript
: Builds WASM from TypeScript using AssemblyScript.@pika/plugin-wasm-emscripten
: Builds WASM from C/C++ using Emscripten (Coming Soon).@pika/plugin-wasm-bindings
: Builds a simple JS wrapper for any WASM build.@pika/plugin-bundle-node
: Creates a Node.js build with all code (including dependencies) bundled into a single file. Useful for CLIs.@pika/plugin-bundle-web
: Creates a ESM build with all code (including dependencies) bundled. Useful for unpkg & serving code directly to browsers.@pika/plugin-simple-bin
: Generates & configures a CLI wrapper to run your library from the command line.See a full list of official builders here →
@ryaninvents/plugin-bundle-zip-node
: Plugin for @pika/pack to zip built files for Node.js.@ryaninvents/plugin-bundle-dependencies
: Plugin for @pika/pack to zip your package's dependencies.@ryaninvents/plugin-bundle-nextjs
: Plugin for @pika/pack to package a Next.js app for AWS Lambda.pika-plugin-minify
: A @pika/pack build plugin. Minifies your index.js files in /pkg/* using terser.publish
We've brought our favorite parts of np (a self-described "better npm publish") into @pika/pack. With the publish
command there's no need to worry about how to publish your package once you've built it.
Run pack publish
in your project and @pika/pack will walk you through version bumping, tagging your release, generating a fresh build, and finally publishing your package.
FAQs
package building, reimagined.
We found that @pika/pack demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.