@rushstack/heft
Advanced tools
Build all your JavaScript projects the same way: A way that works.
Heft is a config-driven toolchain that invokes other popular tools such as TypeScript, ESLint, Jest, Webpack, and API Extractor. You can use it to build web applications, Node.js services, command-line tools, libraries, and more. Heft builds all your JavaScript projects the same way: A way that works.
Heft is typically launched by package.json commands such as "npm run build" or "npm run test". It's designed for use in a monorepo with potentially hundreds of projects, where the Rush orchestrator invokes these commands separately in each project folder. In this situation, everything must execute as fast as possible.
Special purpose scripts become a headache to maintain, so it's better to replace them with a reusable engine that's driven by config files. In a large repo, you'll want to minimize duplication of these config files across projects. Ultimately, you'll want to define a small set of stereotypical project types ("rigs") to officially support, then discourage projects from overriding the rig configuration. Being consistent ensures that any person can easily contribute to any project. Heft is a ready-made implementation of all these concepts.
You don't need a monorepo to use Heft, however. It also works well for small standalone projects. Compared to other similar systems, Heft has some unique design goals:
Scalable: Heft interfaces with the Rush Stack family of tools, which are tailored for large monorepos with many people and projects. Heft doesn't require Rush, though.
Optimized: Heft tracks fine-grained performance metrics at each step. The TypeScript plugin implements sophisticated optimizations such as filesystem caching, incremental compilation, simultaneous multi-target emit, and a unified compiler pass for Jest/Webpack/ESLint. JSON config files and plugin manifests enable fast querying of metadata without evaluating potentially inefficient script code.
Complete: Rush Stack aspires to establish a fully worked out solution for building typical TypeScript projects. Unopinionated task abstractions often work against this goal: It is expensive to optimize and support (and document!) every possible cocktail of tech choices. The best optimizations and integrations make deep assumptions about how tasks will interact. Although the Heft engine itself is very flexible, our philosophy is to agree on a standard approach that covers a broad range of scenarios, then invest in making the best possible experience for that approach.
Extensible: Most projects require at least a few specialized tasks such as preprocessors, postprocessors, or loaders. Heft is organized around plugins using the tapable hook system (familiar from Webpack). Strongly typed APIs make it easy to write your own plugins. Compared to loose architectures such as Grunt or Gulp, Heft's plugin system is organized around explicit, easy-to-read config files. Customizations will generally extend a standard rig rather than starting from scratch.
Familiar: Like Rush, Heft is a regular Node.js application -- developers don't need to install native prerequisites such as Python, MSYS2, or the .NET Framework. Heft's source code is easy to understand and debug because it's 100% TypeScript, the same programming language as your web projects. Developing for native targets is still possible, of course.
Professional: The Rush Stack projects are developed by and for engineers who ship large scale commercial apps. Each feature is designed, discussed in the open, and thoughtfully code reviewed. Breaking changes require us to migrate thousands of our own projects, so upgrades are relatively painless compared to typical Node.js tooling.
Heft has not yet reached its 1.0 milestone; however, the following tasks are already available:
webpack-dev-server with watch mode
copy-static-assets helper supporting arbitrary globs, with "watch" mode
For more detailed documentation, please see the Heft topic on the Rush Stack website.
Heft is part of the Rush Stack family of projects.
FAQs
We found that @rushstack/heft demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.