Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@uppy/companion
Advanced tools
OAuth helper and remote fetcher for Uppy's (https://uppy.io) extensible file upload widget with support for drag&drop, resumable uploads, previews, restrictions, file processing/encoding, remote providers like Dropbox and Google Drive, S3 and more :dog:
Companion is a server integration for Uppy file uploader.
It handles the server-to-server communication between your server and file storage providers such as Google Drive, Dropbox, Instagram, etc. Companion is not a target to upload files to. For this, use a https://tus.io server (if you want resumable) or your existing Apache/Nginx server (if you don’t). See here for full documentation
npm install @uppy/companion
If you don’t have a Node.js project with a package.json
you might want to install/run Companion globally like so: [sudo] npm install -g @uppy/companion@1.x
(best check the actual latest version, and use that, so (re)installs are reproducible, and upgrades intentional).
companion may either be used as pluggable express app, which you plug to your existing server, or it may also be run as a standalone server:
import express from 'express'
import bodyParser from 'body-parser'
import session from 'express-session'
import companion from '@uppy/companion'
const app = express()
app.use(bodyParser.json())
app.use(session({ secret: 'some secrety secret' }))
// ...
// be sure to place this anywhere after app.use(bodyParser.json()) and app.use(session({...})
const options = {
providerOptions: {
drive: {
key: 'GOOGLE_KEY',
secret: 'GOOGLE_SECRET',
},
},
server: {
host: 'localhost:3020',
protocol: 'http',
},
filePath: '/path/to/folder/',
}
const { app: companionApp } = companion.app(options)
app.use(companionApp)
To enable companion socket for realtime feed to the client while upload is going on, you call the socket
method like so.
// ...
const server = app.listen(PORT)
companion.socket(server)
Please make sure that the required env variables are set before runnning/using companion as a standalone server. See.
$ companion
If you cloned the repo from GitHub and want to run it as a standalone server, you may also run the following command from within its directory
npm start
Companion can also be deployed to Heroku
mkdir uppy-companion && cd uppy-companion
git init
echo 'export COMPANION_PORT=$PORT' > .profile
echo 'node_modules' > .gitignore
echo '{
"name": "uppy-companion",
"version": "1.0.0",
"scripts": {
"start": "companion"
},
"dependencies": {
"@uppy/companion": "latest"
}
}' > package.json
npm i
git add . && git commit -am 'first commit'
heroku create
git push heroku master
Make sure you set the required environment variables.
FAQs
OAuth helper and remote fetcher for Uppy's (https://uppy.io) extensible file upload widget with support for drag&drop, resumable uploads, previews, restrictions, file processing/encoding, remote providers like Dropbox and Google Drive, S3 and more :dog:
The npm package @uppy/companion receives a total of 15,887 weekly downloads. As such, @uppy/companion popularity was classified as popular.
We found that @uppy/companion demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.