
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@sunmi/qiankun
Advanced tools
In Chinese traditional culture
qianmeans heaven andkunstands for earth, soqiankunis the universe.
An implementation of Micro Frontends, based on single-spa, but made it production-ready.
As we know what micro-frontends aims for:
Techniques, strategies and recipes for building a modern web app with multiple teams using different JavaScript frameworks. — Micro Frontends
Modularity is very important for large application. By breaking down a large system into individual sub-applications, we can achieve good divide-and-conquer between products and when necessary combination, especially for enterprise applications that usually involve multi-team collaboration. But if you're trying to implement such a micro frontends architecture system by yourself, you're likely to run into some tricky problems:
After solving these common problems of micro frontends, we extracted the kernel of our solution after a lot of internal online application testing and polishing, and then named it qiankun.
Probably the most complete micro-frontends solution you ever met🧐.
$ yarn add qiankun # or npm i qiankun -S
This repo contains an examples folder with a sample Shell app and multiple mounted Micro FE apps. To run this app, first clone qiankun:
$ git clone https://github.com/umijs/qiankun.git
$ cd qiankun
Now run the yarn scripts to install and run the examples project:
$ yarn install
$ yarn examples:install
$ yarn examples:start
Visit http://localhost:7099.

https://qiankun.umijs.org/faq/
https://qiankun.umijs.org/#community
FAQs
An completed implementation of Micro Frontends
The npm package @sunmi/qiankun receives a total of 6 weekly downloads. As such, @sunmi/qiankun popularity was classified as not popular.
We found that @sunmi/qiankun demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.