all-stars
All-star lineup of Node-based FOSS contributors
all-stars is meant to be a lightweight data module containing pre-fetched author info for the maintainers of the top depended Node packages on npm.
Inspired by credits, all-stars was created to recognize some of the most prolific authors of Node-based FOSS, to honor them for the awesome work they've done that benefits us all.
One of the problems of giving credit where it is due is that any individual author may be known by several names. Sometimes authors change usernames or email addresses. Sometimes they use their real name, sometimes not. all-stars is designed to address this problem, combining pre-fetched, cross-referenced data with a simple API to resolve many possible identifiers to a known author.
all-stars can resolve any of the following to a known author with a single method:
If an author is resolved, an object representing that author is returned, containing the following information:
Hopefully this can help normalize arbitrary string-based ids into a more usable structure (and reduce duplicates in credits).
Note that the data in this module was fetched from public resources that are freely available, but it could possibly be used for ill intent. Please be respectful and DBAD! Thanks.
```sh
npm install --save all-stars
```

```js
var allStars = require('all-stars')

var rvagg = allStars('Rod Vagg')
console.log(rvagg.toString())
//=> Rod Vagg <r@va.gg> (npm: rvagg, GitHub: rvagg, Twitter: rvagg)

var othiym23 = allStars('ogd@aoaioxxysz.net')
console.log(othiym23.summary())
//=> Forrest L Norvell <forrest@npmjs.com>

var substack = allStars('substack')
console.log(substack.emails)
//=> [ 'mail@substack.net', 'substack@gmail.com' ]

var jongleberry = allStars('jongleberry')
console.log(jongleberry.npmUsers)
//=> [ 'jongleberry', 'jonathanong' ]

var tj = allStars('tjholowaychuk')
console.log(tj.githubUsers)
//=> [ 'tj' ]

var bcoe = allStars('Benjamin E. Coe')
console.log(bcoe.names)
//=> [ 'Benjamin Coe', 'Ben Coe', 'Benjamin E. Coe' ]

var sindre = allStars('sindresorhus@gmail.com')
console.log(sindre.twitters)
//=> [ 'sindresorhus' ]
```
Passing an array iterates over its elements and returns the first match.

```js
var indutny = allStars([ 'Fedor', 'fedor.indutny@gmail.com' ])
console.log('%s', indutny)
//=> Fedor Indutny <fedor@indutny.com> (npm: indutny, GitHub: indutny, Twitter: indutny)
```
Passing an object iterates over its property values and returns the first match.

```js
var domenic = allStars({ name: 'Domenic', email: 'd@domenic.me' })
console.log(domenic.summary())
//=> Domenic Denicola <domenic@domenicdenicola.com>
```
allStars(query)

Synchronously resolve query to an individual author, if known.

- Returns: allStars.AllStar object or null
- query: string|array|object, identifier(s) to resolve

allStars.AllStar

Object returned from the allStars() method. Contains the following:

- email: string (may be null), first email address from emails array
- emails: array of strings (may be null), all known email addresses
- githubUser: string (may be null), first GitHub username from array
- githubUsers: array of strings (may be null), all known GitHub usernames
- id: string, identifying key of this author, typically the preferred npm username
- name: string (may be null), first name from names array
- names: array of strings (may be null), all known names
- npmUser: string (may be null), first npm username from array
- npmUsers: array of strings (may be null), all known npm usernames
- subset(): function, returns an object as a subset of this object. Useful for assigning or merging with another object. The subset object contains:
  - name: string or null, same as name
  - email: string or null, same as email
  - npm: string or null, same as npmUser
  - github: string or null, same as githubUser
  - twitter: string or null, same as twitter
- summary([all]): function, returns first value from each array, concatenated as string
  - all: boolean, true if you want all fields, false if you just want name and email
- toString(): function, alias for summary(true)
- twitter: string (may be null), first Twitter handle from array
- twitters: array of strings (may be null), all known Twitter handles

The git repository contains CLI tools for fetching and generating the static data that is packaged within this module. The approach was intended to be as objective as possible, though some guidance for accurate cross-referencing or gap-filling proved necessary. Here's the basic process:
1. Fetch top depended packages, scraped from npm's website. Executed via cli/genPackages.js. Number of packages to fetch is configurable but defaults to 150. Package list is written to generated/packages_YYYYMMDD_HHmmss.json, which can be copied to packages.json.
2. Fetch author info for a given set of packages. Executed via cli/genAuthors.js. Package list to fetch authors for is configurable but defaults to the most recent generated packages json file. Attempts to collect names, emails, and usernames from the following locations:
   - Package maintainer info, pulled from registry.npmjs.org
   - Curated set of aliases from this module's source code (aliases.json)
   - npm user profile, scraped from npm's site
   - GitHub user profile, using GitHub's API

   Author info is written to generated/authors_YYYYMMDD_HHmmss.json, which can be copied to authors.json.
Note that this process sends many concurrent requests that can accidentally DoS the resources it scrapes (particularly npm). You may need to run it a few times until no 503s are received. To avoid throttling by GitHub's API, you will need to provide a Personal Access Token, which can either be specified via the CLI or exported as the GITHUB_TOKEN environment variable.

After author data has been generated and copied over to authors.json, a prepublish script should be run to create an index_authors.json file, which is used by the main API. This is accomplished via npm run prepublish.
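The two operational problems the note above describes, 503s from an overloaded registry and throttling by GitHub's API, are usually handled in the fetcher itself rather than by re-running the whole job. What follows is an added example, not code from the all-stars repository: a bounded retry with exponential backoff that also honours a server-supplied Retry-After, a GitHub Authorization header built from a token that is never hard-coded, and a batch runner that records per-identifier failures so only those need a second pass. The request and sleep functions are injected so the logic runs offline against scripted responses; scriptedServer and the 'all-stars-example' User-Agent string are constructed for the demo.

```javascript
// Added example, not part of the all-stars repository. Request and sleep are
// injected so the retry policy can be exercised offline.

// Retry on 503 (overloaded) and 429 (rate limited) only; other statuses are
// returned immediately. Attempts are bounded so a dead endpoint cannot keep
// the job spinning, and the backoff doubles so retries do not add to the load.
function fetchWithRetry(doRequest, { maxAttempts = 5, baseDelayMs = 500, sleep = () => {} } = {}) {
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const res = doRequest(attempt);
    const retryable = res.status === 503 || res.status === 429;
    if (!retryable) {
      return { ok: res.status === 200, status: res.status, attempts: attempt, body: res.body };
    }
    if (attempt === maxAttempts) {
      return { ok: false, status: res.status, attempts: attempt };
    }
    // Prefer the server's Retry-After (seconds) when it sends one.
    const delayMs = res.retryAfter != null
      ? Number(res.retryAfter) * 1000
      : baseDelayMs * 2 ** (attempt - 1);
    sleep(delayMs);
  }
}

// Constructed stand-in for a registry that answers 503 to the first
// `failures` requests and 200 afterwards.
function scriptedServer(failures, body) {
  let calls = 0;
  return () => (++calls <= failures ? { status: 503 } : { status: 200, body });
}

// The token comes from the environment (or an explicit argument, e.g. from a
// CLI flag), never from source. "token <value>" is GitHub's scheme for
// personal access tokens; the User-Agent value here is a constructed example.
function buildGitHubHeaders(token = process.env.GITHUB_TOKEN) {
  if (!token) throw new Error('GITHUB_TOKEN is required to avoid GitHub API throttling');
  return { Authorization: `token ${token}`, 'User-Agent': 'all-stars-example' };
}

// Run a batch sequentially under one retry policy. Failures are kept in the
// result map so a caller can re-run only the identifiers that never succeeded.
function fetchAll(ids, makeRequest, opts) {
  const results = {};
  for (const id of ids) {
    results[id] = fetchWithRetry(() => makeRequest(id), opts);
  }
  return results;
}

function failedIds(results) {
  return Object.keys(results).filter((id) => !results[id].ok);
}

// Stand-alone demo against the scripted server.
const demo = fetchWithRetry(scriptedServer(2, 'ok'), { sleep: (ms) => console.log(`backoff ${ms}ms`) });
console.log(demo);
```

Keeping the failed identifiers instead of aborting the whole run is what turns "run it a few times until no 503s" into a targeted retry: the second pass only touches the handful of lookups that were throttled, which is both faster and kinder to the services being scraped.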
ISC © Andrew Goode and Contributors
The npm package all-stars receives a total of 14 weekly downloads. As such, all-stars popularity was classified as not popular.
We found that all-stars demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.