Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@storyous/common-utils
Advanced tools
Prometheus middleware getHttpRequestMetricsMiddleware
is now deprecated, you should remove it, same metrics can be aggregated from getRequestDurationMetricsMiddleware
alone
Added loggly adapter. To use loggly you have to set silent:false
and loggly token via LOGGLY_TOKEN
env or directly in the config.
logger.module returns pure Winston child instance, rename logger calls: log.e -> log.error log.w -> log.warn log.i -> log.info
getMongoCacheFetcher is now async mongoCachedFetcher - supports remote ETag - expose ifNoneMatch - returns result object instead of direct file content
concurrentTask accepts options object as the second parameter allowing configure: noLaterThan, startAttemptsDelay
apiTestUtil becomes testUtils. New usage:
config/testing.config.json
const testUtils = require('@storyous/common-utils/src/testUtils');
module.exports = {
mongodbUrl: testUtils.uniqueDatabase(process.env.MONGODB_URI) // this will generate timestamp-postfixed database name
|| 'mongodb://127.0.0.1:27018/myProjectTesting',
// ...the rest of the config
};
test/api.js
const testUtils = require('@storyous/common-utils/src/testUtils');
const mocha = require('mocha');
const app = require('../app'); // this has to be a function providing Koa function
testUtils.init({ app, mocha });
module.exports = testUtils;
mongoClient
module (expects mongodbUrl
property in config). Preconfigured native mongodb driver's client.collection('myOrders')
.db
module - use collection
& mongoClient
instead.
collection
changed to getCollection
in version 14Error handler is direct function. Usage:
const { errorHandler } = require('@storyous/common-utils');
// ...
app.use(errorHandler);
collection('collectionName')
changed to
getCollection('collectionName')
To have human-readable logs and errors, add
logging: {
console: {
prettyOutput: true,
},
},
to development.config.js
Do NOT use anywhere else
Default mongoLocker()
function introduced. Use a prefix for the key when you want to use it in multiple places in the app. Example:
// tokenStorage.js
await mongoLocker('token-renewal-process', async () => {
// some async stuff
// ...
return 'myToken';
});
// payments.js - completely idempendent part of application
const transactionResult = await mongoLocker(`payment-transaction-${merchantId}`, async () => {
// some async stuff
// ...
return true;
});
Loggly network errors does not cause exit of all app anymore
mongoLocker
support 'expireIn' (millis) option which can be used to customize default 2 minutes acquisition.
The mongoLocker now also handles expired document waiting to be deleted by a MongoDB background job.
Secrets
now encrypt strings differently. Use encryptLegacy()
function to achieve old behaviour. decrypt()
function is compatible with legacy secrets automatically.
encrypt()
method now generates secrets compatible with implementation on Admin (PHP), and the updated decrypt()
function.
storyousAuthorizedFetch
- fetch for calling storyous services. It can obtain, cache and automatically refresh access token against the login service
// tokenStorage.js
const serviceResponse = await storyousAuthorizedFetch('https://api.storyous.com/delivery/somePath', {
// mandatory parameters
loginUrl: 'https://login.storyous.com',
clientId: 'abc',
clientSecret: 'def',
// general fetch options
method: 'POST',
// ...
});
Add option to squash multiple logs into one based on URL
app.use(log.basicLogMiddleware({ squashByUrls: ['/public/sodexo/restaurants'] }));
const collection = mongodb.collection('myCachedFiles');
const fetcher = await getMongoCachedJSOFetcher(collection, /* optional */ {
url: 'https://my.files.com/file1',
cacheLifetime: 60 * 1000, // 60 seconds
fetchOptions: { headers: { Authorization: 'myToken' } }, // options for remote fetch
transform: async (content, key) => content, // allows decorate the fetched content just before its storage
ensureIndexes: true, // it allow's more optimal cache manipulation
logError: (err) => console.error(err)
});
/* optional parameters */
const parameters = {
url: 'https://my.files.com/file2', // url of json content
key: 'file2', // key, under which will be the content cached, url is used by default
metaOnly: false, // boolean, if truthy the content is not returned, useful for finding cache freshness
ifNoneMatch: 'someOldEtag', // saying, we want to get content only if the current etag is not equal to the value
};
const {
content, // file content, null in case of etagMatch=true
isCacheFresh, // boolean saying the content is not after its lifetime
etag, // entity tag (version). If not null, it can be used in future fetcher calls as ifNoneMatch parameter
etagMatch // boolean, truthy if isNoneMatch parameter provided and corresponds with latest cached etag value
} = await fetcher(parameters /* optional */ );
MongoCachedFetcher automatically stores ETag
of remote resource if it is present in response from remote source.
The stored etag is then used for consequent cache-refresh http call to optimise traffic - no data are transferred
when the data didn't change. This functionality assumes the remote source of JSON data supports If-None-Match
request header
and ETag
response header.
On top of that, the fetcher accepts optional ifNoneMatch
parameter. If it is used, and its value matches currently stored (refreshed) etag value,
result object will not contain content
and the etagMatch
will be true
.
FAQs
Common utils for storyous microservices
The npm package @storyous/common-utils receives a total of 6 weekly downloads. As such, @storyous/common-utils popularity was classified as not popular.
We found that @storyous/common-utils demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 7 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.