Research
Security News
Kill Switch Hidden in npm Packages Typosquatting Chalk and Chokidar
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
@rushstack/heft
Advanced tools
Heft is an extensible build system designed for use with the Rush Stack family of tools. You don't need a monorepo to use Heft, however. It also works well for small standalone projects. Compared to other similar systems, Heft has some unique design goals:
Scalable: Heft interfaces with the Rush build orchestrator, which is optimized for large monorepos with many people and projects. Heft doesn't require Rush, though.
Familiar: Heft is an everyday Node.js application -- developers don't need to install native prerequisites such as Python, MSYS2, or the .NET Framework. Heft's source code is easy to understand and debug because it's 100% TypeScript, the same programming language as your web projects. Developing for native targets is also possible, of course.
Polished and complete: Philosophically, Rush Stack aspires to provide a comprehensive solution for typical TypeScript projects. Pluggable task abstractions often work against this goal: It's expensive to optimize and support (and document!) every possible cocktail of tech choices. The best optimizations and integrations need to leverage assumptions about implementation details. Heft is pluggable. But our aim is to agree on a recommended toolkit that works well for a broad range of scenarios, then work together on the deep investments that will make it a great experience.
Extensible: Most projects require at least a few specialized tasks such as preprocessors, postprocessors, or loaders. Heft allows you to write your own plugins using the tapable hook system (familiar from Webpack). Compared to loose architectures such as Grunt or Gulp, Heft ships a standard set of build stages for custom tasks to hook into. Working from a standardized starting point makes it easier to get technical support for custom rigs.
Optimized: Heft tracks fine-grained performance metrics at each step. Although Heft is still in its early stages, the TypeScript plugin already implements sophisticated optimizations such as filesystem caching, incremental compilation, symlinking of cache files to reduce copy times, hosting the compiler in a separate worker process, and a unified compiler pass for Jest and Webpack.
Professional: The Rush Stack projects are developed by and for engineers who ship major commercial services. Each feature is designed, discussed in the open, and thoughtfully code reviewed. Despite being a free community collaboration, this software is developed with the mindset that we'll be depending on it for many years to come.
Heft has not yet reached its 1.0 milestone; however, the following tasks are already available:
webpack-dev-server with watch mode
copy-static-assets helper supporting arbitrary globs, with "watch" mode
For more detailed documentation, please see the Heft topic on the Rush Stack website.
Heft is part of the Rush Stack family of projects.
FAQs
Build all your JavaScript projects the same way: A way that works.
The npm package @rushstack/heft receives a total of 11,190 weekly downloads. As such, @rushstack/heft popularity was classified as popular.
We found that @rushstack/heft demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.