@untool/core
@untool/core is the functional foundation every other untool component is built upon. It contains a comprehensive configuration engine and a mixin base class.
$ yarn add @untool/core # OR npm install @untool/core
Apart from a couple of very basic properties (name, version and rootDir), @untool/core does not provide configuration of its own. It does, however, provide an elaborate configuration mechanism.
It allows you to set up mixins and pull in presets. Mixins provide extra functionality. Presets provide configuration defaults and often additionally include custom mixins. Read more about mixins and presets below.
{
  "mixins": ["@untool/yargs"],
  "presets": ["@untool/express"]
}
@untool/core comes with support for environment specific configuration. For example, @untool/express uses this placeholder based mechanism to bind the server port to the value of an environment variable.
{
  "port": "[PORT]"
}
Now if you start your app in an environment in which the corresponding variable is defined, it will be picked up at runtime. To streamline development workflows, @untool/core comes with built-in support for dotenv.
$ PORT=12345 un start
There is another kind of placeholder. It can be used to reference other configuration values. Nested structures will be flattened before being used for placeholder substitution.
{
  "foo": "foo",
  "bar": {
    "baz": "<foo>"
  },
  "qux": "<bar.baz>"
}
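An added example, not code from @untool/core: a resolver for the two placeholder kinds described above. The names flatten and resolveConfig, and the choice to throw on an unset variable or a circular reference, are assumptions of this example.

```javascript
// Added illustration, not @untool/core source; function names are hypothetical.
// Flatten nested objects to dot-separated keys: { bar: { baz: 1 } } -> { 'bar.baz': 1 }
function flatten(obj, prefix = '', out = {}) {
  for (const [key, value] of Object.entries(obj)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      flatten(value, path, out);
    } else {
      out[path] = value;
    }
  }
  return out;
}

// <key.path> references another config value, [NAME] an environment variable.
const PLACEHOLDER = /<([\w.]+)>|\[([A-Z_][A-Z0-9_]*)\]/g;

function resolveConfig(config, env = process.env) {
  const flat = flatten(config);
  // Single pass per string: inserted environment values are never re-scanned.
  // `seen` lists the config keys currently being expanded, to detect cycles.
  const expand = (text, seen) =>
    text.replace(PLACEHOLDER, (match, key, name) => {
      if (name !== undefined) {
        // Assumption: fail closed when the variable is unset.
        if (env[name] === undefined) throw new Error(`${name} is not set`);
        return env[name];
      }
      if (!Object.prototype.hasOwnProperty.call(flat, key)) return match;
      if (seen.includes(key)) {
        throw new Error(`circular reference: ${[...seen, key].join(' -> ')}`);
      }
      const value = flat[key];
      return typeof value === 'string' ? expand(value, [...seen, key]) : String(value);
    });
  // Walk the original structure so the result keeps its nesting.
  const walk = (node, path) => {
    if (typeof node === 'string') return expand(node, path ? [path] : []);
    if (Array.isArray(node)) return node.map((item) => walk(item, ''));
    if (node && typeof node === 'object') {
      const entries = Object.entries(node);
      return Object.fromEntries(entries.map(([k, v]) => [k, walk(v, path ? `${path}.${k}` : k)]));
    }
    return node;
  };
  return walk(config, '');
}

// Constructed sample combining the two config snippets shown above.
const sample = { foo: 'foo', bar: { baz: '<foo>' }, qux: '<bar.baz>', port: '[PORT]' };
console.log(resolveConfig(sample, { PORT: '12345' }));
```

Because each string is substituted in a single pass, an environment value that itself looks like a placeholder is inserted literally rather than expanded.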
@untool/core looks for configuration data in a couple of places. It only uses the first config it finds, so make sure you do not have multiple configs lying around:
- untool property in your project's package.json file
- .untoolrc file in your project's root folder (JSON, YAML, or JS)
- .untoolrc.{json,yaml,yml,js} file in your project's root folder
- untool.config.js file in your project's root folder
We strongly encourage organizing and publishing reusable bits of configuration as custom presets. You can even use any other untool project as a preset: just install it (e.g. yarn add <git remote url>) and add it to the presets section in your project's untool configuration.
untool presets are JavaScript files or standard NPM modules. Presets can define or override arbitrary configuration properties, including mixins and other presets.
Just as with your own project, presets can be written using JavaScript, JSON or YAML syntax. They are plain nested objects (or hashes) and they fully support the features outlined above: placeholders and environment specificity.
module.exports = {
  foo: 'bar',
  baz: {
    quux: [23],
  },
};
{
  "foo": "bar",
  "baz": {
    "quux": [23]
  }
}
foo: bar
baz:
  quux:
    - 23
In preset packages, @untool/core will try to load a config from the same places as in your project and in addition, it will look in two more places:
- preset property in the preset's package.json file
- preset.js file in the preset package's root folder
If you want to not only override and extend config values, but rather provide actual features, you can include custom mixins directly in your preset. Some of untool's default presets do just that.
Mixins are the primary mechanism in untool to extend and alter its features and behaviour. Using mixins, you can, for example, add your own Yargs commands, Express middlewares or React add-ons such as Redux.
You can even build custom mixins that provide hooks for others to tap into, extending and altering their capabilities. There are three distinct types of mixins that are supported in untool: core, browser and server.
untool uses a single config key for all three kinds of mixins: mixins. It expects an array of module path strings. @untool/core looks for mixins in the following places beneath those module paths:
- mixin:{core,server,browser} property in the preset's package.json file
- mixin:runtime property in the preset's package.json file (for server+browser)
- mixin property in the preset's package.json file (for core+server+browser)
- mixin.{core,server,browser}.js file in the preset package's root folder
- mixin.runtime.js file in the preset package's root folder (for server+browser)
- mixin.js file in the preset package's root folder (for core+server+browser)
By using this mechanism, you can use a single NPM module to provide all three types of mixins, one mixin each for build and runtime or even a single mixin used for all contexts.
All functionality in and around untool is expected to be organized in mixins. In untool, mixins are a bit special: they do not share state, i.e. they do not provide methods to a single 'host' object.
Instead, they are based on a library called mixinable. Their methods are, therefore, applied according to specific strategies: override, parallel, sequence, and pipe are some examples.
If you create custom mixins that define additional mixin strategies, you probably want to call the appropriate methods yourself to allow others to, for example, modify your mixin's specific config.
Mixin(config, options)
import { Mixin } from '@untool/core';
class MyMixin extends Mixin {
  myMethod() {}
}
export default MyMixin;
Mixin is a base class to build custom mixins upon. As such, it only provides a class constructor that accepts and handles a couple of arguments. You do not, however, usually instantiate your mixins - @untool/core does that for you if configured to use them.
The Mixin constructor expects two arguments: config, the main configuration object, and options, an object containing more ephemeral settings. These arguments are made available as homonymous instance properties.
import { override } from 'mixinable';
import { Mixin } from '@untool/core';
class MyMixin extends Mixin {
  constructor(config, options) {
    super(config, options);
  }
  myMethod(...args) {
    return this.myHookMethod(...args);
  }
}
MyMixin.strategies = {
  myHookMethod: override,
};
export default MyMixin;
If inheriting from Mixin, all mixinable methods of your mixin are automatically bound to the respective instance, so you do not have to call method.bind() yourself even if you use them in asynchronous contexts.
While it is technically possible to define non-mixin utility methods on your mixin, doing so is strongly discouraged. If you have to, however, it is recommended to prefix such methods' names with an underscore (_) to denote them as private.
Note that you can call all defined mixinable methods directly on your mixin instance.
initialize([configOverrides], [options])
This is a semi-private function that is mainly being used internally, for example by @untool/yargs. It returns the core mixin container - this allows you to call all defined mixin methods.
You will only ever have to call it if you want to use @untool/core programmatically. You can pass it a configOverrides object that will be merged into the main config object, and an options object mixins might use instead of CLI arguments.
FAQs
untool core
We found that @untool/core demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 5 open source maintainers collaborating on the project.