Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@rushstack/rush-sdk
Advanced tools
This is a companion package for the Rush tool. See the @microsoft/rush package for details.
⚠ THIS PACKAGE IS EXPERIMENTAL ⚠
The @rushstack/rush-sdk package acts as a lightweight proxy for accessing the APIs of the @microsoft/rush-lib engine. It is intended to support three different use cases:
Rush plugins should import from @rushstack/rush-sdk instead of @microsoft/rush-lib. This gives plugins full access to Rush APIs while avoiding a redundant installation of those packages. At runtime, the APIs will be bound to the correct rushVersion
from rush.json, and guaranteed to be the same @microsoft/rush-lib module instance as the plugin host.
When authoring unit tests for a Rush plugin, developers should add @microsoft/rush-lib to their package.json devDependencies
. In this context, @rushstack/rush-sdk will resolve to that instance for testing purposes.
(Not implemented yet) For scripts and tools that are designed to be used in a Rush monorepo, in the future @rushstack/rush-sdk will automatically invoke install-run-rush.js and load the local installation. This ensures that tools load a compatible version of the Rush engine for the given branch. Once this is implemented, @rushstack/rush-sdk can replace @microsoft/rush-lib entirely as the official API interface, with the latter serving as the underlying implementation.
The @rushstack/rush-sdk API declarations are identical to the corresponding version of @microsoft/rush-lib.
Rush is part of the Rush Stack family of projects.
FAQs
An API for interacting with the Rush engine
The npm package @rushstack/rush-sdk receives a total of 314,261 weekly downloads. As such, @rushstack/rush-sdk popularity was classified as popular.
We found that @rushstack/rush-sdk demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.