are-you-es5
A package to help you find out which of your `node_modules` aren't ES5 so you can add them to your transpilation steps.
A package to help you find out which of your `node_modules` aren't written in ES5 so you can add them to your Webpack/Rollup/Parcel transpilation steps. This is currently limited to checking the entrypoint scripts only, which might actually be enough of a check to determine if a package should be transpiled or not.
You can install the package globally with
npm install -g are-you-es5
or if you'd rather just run it immediately you can use npx:
npx are-you-es5 check /path/to/some/repo
If you've installed it globally and find it tiresome to type `are-you-es5` a lot, you can alias it to `es5`:
alias es5="are-you-es5"
Usage: are-you-es5 check [options] <path>
Checks if all node_modules (including monorepos) at <path> are ES5
Options:
  -a, --all             Check all node_modules instead of just direct dependencies
  -v, --verbose         Log all messages (including modules that are ES5)
  --no-regex-filtering  Stops all filtering on babel-loader exclude regex (does not hide anything)
  -r, --regex           Get babel-loader exclude regex to ignore all node_modules except non-ES5 ones, by default does not show any babel or webpack modules, use with --no-regex-filtering if you want to see everything
  --silent              Do not log messages in the console (except regex if --regex is used)
  -h, --help            output usage information
If you would like to use this package as a NodeJS library instead of a CLI dependency, you may use this snippet:
import {
  checkModules,
  buildIncludeRegexp,
  buildExcludeRegexp
} from 'are-you-es5'

const result = checkModules({
  path: '', // Automatically find up package.json from cwd
  checkAllNodeModules: true,
  ignoreBabelAndWebpackPackages: true
})

/** Returns the regexp including all es6 modules */
const es6IncludeRegExp = buildIncludeRegexp(result.es6Modules)

/** Returns the regexp excluding all es6 modules */
const es6ExcludeRegexp = buildExcludeRegexp(result.es6Modules)
are-you-es5 check /path/to/some/repo -r
❌ @babel/plugin-1 is not ES5
❌ @babel/plugin-2 is not ES5
Babel-loader exclude regex:
/node_modules/(?![plugin-1|plugin-2])/
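How an exclude pattern of this negative-lookahead shape can be built and applied to module paths, as an added example that is not part of the original README or the package's own code. The helpers `escapeForRegExp`, `buildExcludeFor` and `shouldTranspile`, and the sample paths, are hypothetical and constructed for illustration.

```javascript
// Added example; every name here is hypothetical, not are-you-es5's own API.

// Escape regex metacharacters so a package name is matched literally.
function escapeForRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Build a babel-loader style `exclude` pattern: match (and so skip) everything
// under node_modules except the listed packages. The separator class accepts
// both POSIX and Windows separators; the separator required after the package
// name keeps "plugin-1" from also allowing "plugin-10".
function buildExcludeFor(nonEs5Packages) {
  if (nonEs5Packages.length === 0) {
    return /node_modules[\\/]/; // nothing needs transpiling
  }
  const names = nonEs5Packages
    .map((name) => name.split('/').map(escapeForRegExp).join('[\\\\/]'))
    .join('|');
  return new RegExp('node_modules[\\\\/](?!(?:' + names + ')[\\\\/])');
}

// A file is transpiled when the exclude pattern does not match its path.
function shouldTranspile(filePath, exclude) {
  return !exclude.test(filePath);
}

// Constructed sample input: package names and file paths for illustration.
const exclude = buildExcludeFor(['@babel/plugin-1', '@babel/plugin-2']);
const samplePaths = [
  '/repo/src/index.js',
  '/repo/node_modules/@babel/plugin-1/lib/index.js',
  'C:\\repo\\node_modules\\@babel\\plugin-2\\lib\\index.js',
  '/repo/node_modules/@babel/plugin-10/lib/index.js',
  '/repo/node_modules/@babel/plugin-1/node_modules/lodash/lodash.js',
];
for (const p of samplePaths) {
  console.log(shouldTranspile(p, exclude) ? 'transpile' : 'skip     ', p);
}
```

The last sample path is skipped: a dependency nested inside a listed package sits under a second `node_modules` segment, which the pattern matches on its own.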
If you were on version 1.1, the `-a` or `-all` option used to be for logging all messages. This has now changed to `-v` or `--verbose`, and `-a` and `-all` are now used as a flag to check all node modules.
1.3 now by default skips checking anything that has the word `babel` or `webpack`, or any string that ends with `loader`.
To restore previous behavior use the `--no-regex-filtering` option.
This upgrade only affects you if you were using the package as a library (instead of just a CLI tool). `checkModules` now returns an object that has 3 arrays: `es5Modules`, `es6Modules`, and `ignored`. To preserve previous behavior use `es6Modules`; see the Usage as a Library section.
Thanks goes to these wonderful people (emoji key):
Clément DUNGLER 💻 | Paolo Priotto 💻 | Yuki Hattori 💻 | Renan Bandeira 💻 | Yao Zhao 💻 |
This project follows the all-contributors specification. Contributions of any kind welcome!
FAQs
The npm package are-you-es5 receives a total of 18,835 weekly downloads. As such, are-you-es5 popularity was classified as popular.
We found that are-you-es5 demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.