Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@useoptic/optic
Advanced tools
Optic helps you ship a better API by making it easy for teams to use OpenAPI. Prevent breaking changes, publish accurate documentation and improve the design of your APIs.
Install
npm install -g @useoptic/optic
or
sh -c "$(curl -Ls https://install.useoptic.com/install.sh)"
optic diff
Optic can detect breaking changes between any two versions of an OpenAPI specification. Optic can lookup the versions using Git tags and branch names so you don't need to copy files around.
Compares the HEAD to the main
branch
optic diff openapi.yml --base main --check
Compares two branches by name
optic diff feature/example:openapi.yml develop:main --check
Compare files in against a remote URL
optic diff --check \
https://raw.githubusercontent.com/opticdev/bookstore-example/89c9a67935c850c1051059f4c719ef433dea8cc0/openapi.yml \
https://raw.githubusercontent.com/opticdev/bookstore-example/ac5f3c55a6f7f27c482a557563686d0328dafb55/openapi.yml
optic capture
It can be difficult to keep an OpenAPI in-sync with your implementation. Optic tests if your OpenAPI is accurate by capturing traffic from your tests and comparing it to the spec.
Think of it like Snapshot testing, but for your API's behavior, with OpenAPI as the snapshot.
git clone git@github.com:opticdev/examples.git
cd ./examples/apps/bookstore-api
npm install
Once you've set up the repo, you can run optic capture openapi.yml
to verify traffic against your OpenAPI spec, and optic capture openapi.yml --update=interactive
to update any diffs.
To start capturing your test traffic, run:
optic capture init openapi.yml
Configuration will be generated for you in the optic.yml
file
capture:
openapi.yml:
server:
command: npm start # your server start command
url: http://localhost:8080 # where your server starts
requests:
send:
- path: /
method: GET
- path: /users/create
method: POST
headers:
content-type: application/json;charset=UTF-8
data:
name: Hank
Then you can run:
optic capture openapi.yml
When Optic detects a diff, you can correct it manually, or run optic capture --update=interactive
to have Optic figures out exactly which lines of OpenAPI need to be updated and make the changes for you.
optic capture openapi.yml --update=interactive
optic diff
Optic is the first API linter built with the API lifecycle in-mind. When testing your API design, it always considers two versions of your API, for example: the version on the develop
vs the latest
release tag. This lets Optic check for all kinds of things Spectral (and other liners) misses like breaking changes and proper use of your API versioning scheme.
Because Optic understands API change, it can apply your latest API standards to new API endpoints, and a looser set of standards to legacy endpoints that can’t change. Teams like Snyk use Optic and this approach to govern all their APIs. With Optic, developers only get actionable feedback from the tool and they don’t have to turn rules off to get CI to pass.
Create an optic.yml
file in your repo and configure some of our built-in rules like using this template as a starting point:
ruleset:
# Prevent breaking changes
- breaking-changes:
# Pick an extension for your work-in-progress operations.
# Breaking changes wil lbe allowed here
exclude_operations_with_extension: x-draft
# Run any existing spectral ruleset
- spectral:
# These rules will ony run on things you add to your API
# Ie new properties, operations, responses, etc.
added:
# URLs are supported
- https://www.apistyleguides.dev/api/url-style-guides/3ba0b4a
# Local files work too.
# - ./local-file.js
# These rules will ony run on everything in the spec (normal spectral)
always:
- https://www.apistyleguides.dev/api/url-style-guides/3ba0b4a
# Enforce consistent cases in your API
- naming:
# This will apply the rule to only new names (existing ones will be exempted)
# Change to always if you want to fail on legacy names
# Change to addedOrChanged if you want it to run on added or changed parts of the spec
required_on: added
# Different names for different parts of the spec
# options = "snake_case" "camelCase" "Capital-Param-Case" "param-case" "PascalCase"
requestHeaders: Capital-Param-Case
responseHeaders: param-case
properties: Capital-Param-Case
pathComponents: param-case
queryParameters: snake_case
# Require your OpenAPI has examples, and that those examples match the schema
- examples:
# This will apply the rule to only new names (existing ones will be exempted)
# Change to always if you want to fail on legacy names
# Change to addedOrChanged if you want it to run on added or changed parts of the spec
required_on: added
# Turn on/off the parts of the spec that need examples
require_request_examples: true
require_response_examples: true
require_parameter_examples: true
# (optional) allow certain operations do not need examples
exclude_operations_with_extension: x-legacy-api
# Require documentation in your OpenAPI spec
- documentation:
# This will apply the rule to only new names (existing ones will be exempted)
# Change to always if you want to fail on legacy names
# Change to addedOrChanged if you want it to run on added or changed parts of the spec
required_on: added
require_property_descriptions: true
require_operation_summary: true
require_operation_description: true
require_operation_id: true
To start using Optic in CI, follow this guide. We provide template workflows for GitHub and GitLab to help you run Optic as a CI check:
# .github/workflows/optic.yml
name: optic
on:
pull_request:
push:
branches:
- "main"
jobs:
run:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install Optic
run: npm install --location global @useoptic/optic
- name: Run Optic
env:
OPTIC_TOKEN: ${{ secrets.OPTIC_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: optic run
Don't forget to add the OPTIC_TOKEN
and OPTIC_GITLAB_TOKEN
variables to your workflow.
# .gitlab-ci.yml
optic-default-branch-push:
image: node:latest
rules:
- if: $CI_PIPELINE_SOURCE == "push" && OPTIC_TOKEN && $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
script:
- npm install -g @useoptic/optic
- optic run
optic-merge-request:
image: node:latest
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event" && $OPTIC_TOKEN
script:
- npm install -g @useoptic/optic
- export OPTIC_RESULT=0; optic run || export OPTIC_RESULT=$?
- if [ $OPTIC_RESULT -ne 0 ]; then exit 1; fi;
Optic is MIT Licensed
Optic collects telemetry which is used to help understand how to improve the product. For example, this usage data helps to debug issues and to prioritize features and improvements based on usage. The usage of our telemetry data falls under our privacy policy. While this information does help us build a great product, we understand that not everyone wants to share their usage data. If you would like to disable telemetry you can add an environment variable that will opt out of sending usage data:
OPTIC_TELEMETRY_LEVEL=off
- disables telemetry (both usage, and error reporting)
OPTIC_TELEMETRY_LEVEL=error
- disables telemetry (only usage data is sent)
FAQs
Unknown package
The npm package @useoptic/optic receives a total of 12,398 weekly downloads. As such, @useoptic/optic popularity was classified as popular.
We found that @useoptic/optic demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.