Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@travetto/manifest
Install: @travetto/manifest
npm install @travetto/manifest
# or
yarn add @travetto/manifest
This module aims to be the boundary between the file system and the code. It provides project manifesting, class and function metadata, runtime index lookup, and path normalization, each described below.
The project manifest fulfills two main goals: Compile-time Support, and Runtime Knowledge of the project.
During the compilation process, the compiler needs to know every file that is eligible for compilation, when the file was last created/modified, and any specific patterns for interacting with a given file (e.g. transformers vs. testing code vs. support files that happen to share a common extension with code).
Additionally, once the code has been compiled (or even bundled after that), the executing process needs to know what files are available for loading, and any patterns necessary for knowing which files to load versus which ones to ignore. This allows for dynamic loading of modules/files without knowledge/access to the file system, and in a more performant manner.
During the compilation process, it is helpful to know how the output content differs from the manifest, which is produced from the source input. The ManifestDeltaUtil provides this functionality for a given manifest, producing a stream of changes grouped by module. This is the primary input into the Compiler's incremental behavior, telling it when a file has changed and needs to be recompiled.
For the framework to work properly, metadata needs to be collected about files, classes and functions to uniquely identify them, with support for detecting changes during live reloads. To achieve this, every class is decorated with an additional field of Ⲑid. Ⲑid represents a computed id that is tied to the file/class combination. Ⲑid is used heavily throughout the framework for determining which classes are owned by the framework, and for looking up the needed data from the RootIndex using the getFunctionMetadata method.
Code: Test Class
export class TestClass {
async doStuff(): Promise<void> { }
}
Code: Test Class Compiled
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.TestClass = void 0;
const tslib_1 = require("tslib");
const Ⲑ_root_index_1 = tslib_1.__importStar(require("@travetto/manifest/src/root-index.js"));
var ᚕf = "@travetto/manifest/doc/test-class.js";
class TestClass {
static Ⲑinit = Ⲑ_root_index_1.RootIndex.registerFunction(TestClass, ᚕf, 197152026, { doStuff: { hash: 51337554 } }, false, false);
async doStuff() { }
}
exports.TestClass = TestClass;
Terminal: Index Lookup at Runtime
$ trv main ./doc/lookup.ts
{
id: '@travetto/manifest:doc/test-class○TestClass',
source: './doc/test-class.ts',
hash: 197152026,
methods: { doStuff: { hash: 51337554 } },
abstract: false,
synthetic: false
}
Once the manifest is created, the application runtime reads it, which allows it to influence runtime behavior: most commonly, deciding which files and classes to load (and which to ignore) from the manifest entries rather than by scanning the file system.
By default, all paths within the framework are assumed to be in POSIX style, and all input paths are converted to POSIX style. This works appropriately within both Unix and Windows environments. This module offers up path as an equivalent to Node's path module. This allows for consistent behavior across all file interactions, and also makes it easy to flag any place where Node's path module is imported directly instead.
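The following is an added example, not code from @travetto/manifest, showing the two things a path layer like the one described above has to get right: converting Windows and POSIX input to one POSIX form, and then refusing a manifest-relative entry that would escape the workspace once normalized. The function names, the workspace root and the sample paths are assumptions for illustration.

```typescript
// Added example, not code from @travetto/manifest: normalize incoming paths to the POSIX
// style the text describes, then check that a manifest-relative path stays inside the
// workspace before it is loaded. Function names and the workspace layout are assumptions.
import * as path from 'node:path';

/** Convert a Windows or POSIX path into POSIX form, resolving '.', '..' and repeated separators. */
function toPosix(input: string): string {
  const converted = input.replace(/\\/g, '/');          // backslashes -> forward slashes
  const normalized = path.posix.normalize(converted);   // collapses '//' and resolves '.' / '..'
  // normalize() keeps a trailing separator; drop it except for the bare root '/'
  return normalized.length > 1 ? normalized.replace(/\/$/, '') : normalized;
}

/**
 * Resolve a module-relative manifest entry (e.g. "src/delta.ts") under the workspace root.
 * Returns null when the entry is absolute or would escape the workspace after normalization,
 * which is the check a loader should make before trusting a path read from a manifest file.
 */
function resolveInWorkspace(workspace: string, relative: string): string | null {
  const root = toPosix(workspace);
  const rel = toPosix(relative);
  // Absolute POSIX paths and Windows drive paths are never valid manifest entries
  if (path.posix.isAbsolute(rel) || /^[A-Za-z]:\//.test(rel)) {
    return null;
  }
  const full = path.posix.join(root, rel);
  const prefix = root.charAt(root.length - 1) === '/' ? root : root + '/';
  // Containment: the result must be the root itself or sit strictly below it
  return full === root || full.indexOf(prefix) === 0 ? full : null;
}
```

The containment check is done on the normalized result rather than on the raw string, so `src/../../other/x.ts` is rejected even though it does not start with `..`, and a sibling directory such as `/work2` cannot pass as a prefix match of `/work` because the comparison includes the trailing separator.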
Code: Manifest for @travetto/manifest
{
"generated": 1868155200000,
"workspacePath": "<generated>",
"monoRepo": true,
"packageManager": "npm",
"moduleType": "commonjs",
"outputFolder": ".trv/output",
"toolFolder": ".trv/tool",
"compilerFolder": ".trv/compiler",
"compilerUrl": "http://127.0.0.1:26803",
"frameworkVersion": "x.x.x",
"mainModule": "@travetto/manifest",
"mainFolder": "module/manifest",
"version": "x.x.x",
"description": "Support for project indexing, manifesting, along with file watching",
"modules": {
"@travetto/manifest": {
"main": true,
"name": "@travetto/manifest",
"version": "x.x.x",
"local": true,
"internal": false,
"sourceFolder": "module/manifest",
"outputFolder": "node_modules/@travetto/manifest",
"roles": [ "std" ],
"parents": [],
"prod": true,
"files": {
"$root": [
[ "DOC.html", "unknown", 1868155200000 ],
[ "LICENSE", "unknown", 1868155200000 ],
[ "README.md", "md", 1868155200000 ]
],
"doc": [
[ "DOC.tsx", "ts", 1868155200000, "doc" ],
[ "doc/lookup.ts", "ts", 1868155200000, "doc" ],
[ "doc/test-class.ts", "ts", 1868155200000, "doc" ]
],
"$index": [
[ "__index__.ts", "ts", 1868155200000 ]
],
"$package": [
[ "package.json", "package-json", 1868155200000 ]
],
"test": [
[ "test/path.ts", "ts", 1868155200000, "test" ],
[ "test/root-index.ts", "ts", 1868155200000, "test" ]
],
"test/fixtures": [
[ "test/fixtures/simple.ts", "fixture", 1868155200000, "test" ]
],
"$transformer": [
[ "support/transformer.function-metadata.ts", "ts", 1868155200000, "compile" ]
],
"src": [
[ "src/delta.ts", "ts", 1868155200000 ],
[ "src/dependencies.ts", "ts", 1868155200000 ],
[ "src/file.ts", "ts", 1868155200000 ],
[ "src/manifest-index.ts", "ts", 1868155200000 ],
[ "src/module.ts", "ts", 1868155200000 ],
[ "src/package.ts", "ts", 1868155200000 ],
[ "src/path.ts", "ts", 1868155200000 ],
[ "src/root-index.ts", "ts", 1868155200000 ],
[ "src/types.ts", "ts", 1868155200000 ],
[ "src/typings.d.ts", "typings", 1868155200000 ],
[ "src/util.ts", "ts", 1868155200000 ]
],
"bin": [
[ "bin/context.d.ts", "typings", 1868155200000 ],
[ "bin/context.js", "js", 1868155200000 ]
]
}
}
}
}
The general context describes the project-space and any important information for how to build/execute the code.
The context contains:
moduleType - commonjs (CommonJS) or module (ECMAScript Module)
outputFolder - .trv_output (can be overridden in your Package JSON in 'travetto.outputFolder')
compilerFolder - .trv_compiler
toolFolder - the folder for tool output
The generated manifest above records these three folders as .trv/output, .trv/compiler and .trv/tool.
The modules represent all of the Travetto-aware dependencies (including dev dependencies) used for compiling, testing and executing. A prod-only version is produced when packaging the final output. Each module entry carries the fields shown in the sample manifest above (name, version, main, local, internal, sourceFolder, outputFolder, roles, parents, prod) plus its categorized files.
The module files are a simple categorization of files into a predetermined set of folders:
$root - All uncategorized files at the module root
$index - __index__.ts and index.ts files at the root of the project
$package - The Package JSON for the project
src - Code that should be automatically loaded at runtime. All .ts files under the src/ folder
test - Code that contains test files. All .ts files under the test/ folder
test/fixtures - Test resource files, pertaining to the main module only. Located under test/fixtures/
resources - Packaged resources, meant to pertain to the main module only. Files under resources/
support - All .ts files under the support/ folder
support/resources - Packaged resource files, meant to be included by other modules, under support/resources/
support/fixtures - Test resources meant to be shared across modules. Under support/fixtures/
doc - Documentation files. DOC.tsx and all .ts/.tsx files under the doc/ folder
$transformer - All .ts files under the pattern support/transform*. These are used during compilation and never at runtime
bin - Entry point .js files. All .js files under the bin/ folder
Each file entry is either a 3 or 4 element array:
Code: Sample file
[
"test/path.ts", // The module relative source path
"ts", // The file type: ts, js, package-json, typings, md, json, fixture, unknown
1676751649201.1897, // Stat timestamp
"test" // Optional profile
]
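As an added example, not code from @travetto/manifest, the block below validates the 3/4-element file entries just described and then diffs two manifests into per-module lists of added, removed and changed files, which is the kind of result the ManifestDeltaUtil section above attributes to the compiler's incremental input. The type names, the trimmed Manifest shape (only `modules[*].files`) and the two sample manifests are constructed for illustration.

```typescript
// Added example, not code from @travetto/manifest: parse the 3/4-element file entries of the
// manifest format shown above and diff two manifests into per-module change lists. Type and
// function names, and the trimmed Manifest shape, are assumptions for this example.

type FileEntry = [string, string, number, string?];           // [path, type, timestamp, profile?]
type ModuleFiles = { [category: string]: FileEntry[] };       // "$root", "src", "test", ...
type Manifest = { modules: { [name: string]: { files: ModuleFiles } } };

type ChangeKind = 'added' | 'removed' | 'changed';
type Change = { module: string; file: string; kind: ChangeKind };

/** Validate one raw entry: [path, type, timestamp] with an optional trailing profile. */
function parseEntry(raw: unknown): FileEntry {
  if (!Array.isArray(raw) || raw.length < 3 || raw.length > 4) {
    throw new Error('manifest entry must have 3 or 4 elements: ' + JSON.stringify(raw));
  }
  const file = raw[0], type = raw[1], stamp = raw[2], profile = raw[3];
  if (typeof file !== 'string' || typeof type !== 'string' || typeof stamp !== 'number') {
    throw new Error('manifest entry has wrong element types: ' + JSON.stringify(raw));
  }
  if (profile !== undefined && typeof profile !== 'string') {
    throw new Error('manifest entry profile must be a string: ' + JSON.stringify(raw));
  }
  return profile === undefined ? [file, type, stamp] : [file, type, stamp, profile];
}

/** Flatten a module's category map into path -> entry, rejecting duplicate paths. */
function indexModule(files: ModuleFiles): { [file: string]: FileEntry } {
  const out: { [file: string]: FileEntry } = {};
  for (const category of Object.keys(files)) {
    for (const raw of files[category]) {
      const entry = parseEntry(raw);
      if (out[entry[0]] !== undefined) throw new Error('duplicate manifest path ' + entry[0]);
      out[entry[0]] = entry;
    }
  }
  return out;
}

/** Compare two manifests; a changed stat timestamp marks a file for recompilation. */
function manifestDelta(prev: Manifest, next: Manifest): { [module: string]: Change[] } {
  const result: { [module: string]: Change[] } = {};
  const names: { [name: string]: true } = {};
  for (const m of Object.keys(prev.modules)) names[m] = true;
  for (const m of Object.keys(next.modules)) names[m] = true;

  for (const mod of Object.keys(names)) {
    const before = indexModule(prev.modules[mod] ? prev.modules[mod].files : {});
    const after = indexModule(next.modules[mod] ? next.modules[mod].files : {});
    const changes: Change[] = [];
    for (const file of Object.keys(after)) {
      const old = before[file];
      if (old === undefined) changes.push({ module: mod, file, kind: 'added' });
      else if (old[2] !== after[file][2]) changes.push({ module: mod, file, kind: 'changed' });
    }
    for (const file of Object.keys(before)) {
      if (after[file] === undefined) changes.push({ module: mod, file, kind: 'removed' });
    }
    if (changes.length > 0) {
      result[mod] = changes.sort((a, b) => (a.file < b.file ? -1 : a.file > b.file ? 1 : 0));
    }
  }
  return result;
}

// Constructed sample manifests (not real tool output), trimmed to the fields the delta reads.
const PREV: Manifest = { modules: { '@travetto/manifest': { files: {
  src: [['src/delta.ts', 'ts', 1868155200000], ['src/path.ts', 'ts', 1868155200000]],
  test: [['test/path.ts', 'ts', 1868155200000, 'test']],
} } } };
const NEXT: Manifest = { modules: { '@travetto/manifest': { files: {
  src: [['src/delta.ts', 'ts', 1868155260000], ['src/path.ts', 'ts', 1868155200000],
        ['src/util.ts', 'ts', 1868155260000]],
} } } };

// For the samples above: src/delta.ts changed, src/util.ts added, test/path.ts removed.
const SAMPLE_DELTA = manifestDelta(PREV, NEXT);
```

Entries are validated before they are indexed, so a manifest that has been hand-edited or truncated fails fast on the malformed entry rather than silently producing an incomplete change list; duplicate paths across categories are rejected for the same reason.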
FAQs
Support for project indexing, manifesting, along with file watching
The npm package @travetto/manifest receives a total of 61 weekly downloads. As such, @travetto/manifest popularity was classified as not popular.
We found that @travetto/manifest demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.