Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@pnpm/hosted-git-info
Advanced tools
Provides metadata and conversions from repository urls for GitHub, Bitbucket and GitLab
This will let you identify and transform various git hosts URLs between protocols. It also can tell you what the URL is for the raw path for particular file for direct access without git.
var hostedGitInfo = require("hosted-git-info")
var info = hostedGitInfo.fromUrl("git@github.com:npm/hosted-git-info.git", opts)
/* info looks like:
{
type: "github",
domain: "github.com",
user: "npm",
project: "hosted-git-info"
}
*/
If the URL can't be matched with a git host, null
will be returned. We
can match git, ssh and https urls. Additionally, we can match ssh connect
strings (git@github.com:npm/hosted-git-info
) and shortcuts (eg,
github:npm/hosted-git-info
). GitHub specifically, is detected in the case
of a third, unprefixed, form: npm/hosted-git-info
.
If it does match, the returned object has properties of:
The major version will be bumped any time…
Implications:
.https()
to be a part of the contract. The contract is that it will
return a string that can be used to fetch the repo via HTTPS. But what
that string looks like, specifically, can change.git+
won't be prefixed on URLs.All of the methods take the same options as the fromUrl
factory. Options
provided to a method override those provided to the constructor.
Given the path of a file relative to the repository, returns a URL for
directly fetching it from the githost. If no committish was set then
master
will be used as the default.
For example hostedGitInfo.fromUrl("git@github.com:npm/hosted-git-info.git#v1.0.0").file("package.json")
would return https://raw.githubusercontent.com/npm/hosted-git-info/v1.0.0/package.json
eg, github:npm/hosted-git-info
eg, https://github.com/npm/hosted-git-info/tree/v1.2.0
,
https://github.com/npm/hosted-git-info/tree/v1.2.0/package.json
,
https://github.com/npm/hosted-git-info/tree/v1.2.0/REAMDE.md#supported-hosts
eg, https://github.com/npm/hosted-git-info/issues
eg, https://github.com/npm/hosted-git-info/tree/v1.2.0#readme
eg, git+https://github.com/npm/hosted-git-info.git
eg, git+ssh://git@github.com/npm/hosted-git-info.git
eg, git@github.com:npm/hosted-git-info.git
eg, npm/hosted-git-info
eg, https://github.com/npm/hosted-git-info/archive/v1.2.0.tar.gz
Returns the default output type. The default output type is based on the string you passed in to be parsed
Uses the getDefaultRepresentation to call one of the other methods to get a URL for
this resource. As such hostedGitInfo.fromUrl(url).toString()
will give
you a normalized version of the URL that still uses the same protocol.
Shortcuts will still be returned as shortcuts, but the special case github
form of org/project
will be normalized to github:org/project
.
SSH connect strings will be normalized into git+ssh
URLs.
Currently this supports GitHub, Bitbucket and GitLab. Pull requests for additional hosts welcome.
FAQs
Provides metadata and conversions from repository urls for GitHub, Bitbucket and GitLab
The npm package @pnpm/hosted-git-info receives a total of 13,703 weekly downloads. As such, @pnpm/hosted-git-info popularity was classified as popular.
We found that @pnpm/hosted-git-info demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.