Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Make like task runner
npm install bake-cli -g
Given the following Makefile
foo2:
echo foo2
foo: prefoo
echo foo
prefoo:
echo prefoo
foobar: prefoobar
echo foobar
prefoobar:
echo blahblah
all: foo foo2 foobar
Run bake
$ bake
bake info Invoking foo target
bake info Invoking prefoo target
prefoo
foo
bake info Invoking foo2 target
foo2
bake info Invoking foobar target
bake info Invoking prefoobar target
blahblah
foobar
bake info ✔ Build sucess in 41ms
$ bake <target> [options]
Options:
-h, --help Show this help
-v, --version Show package version
-d, --debug Enable extended output
Targets:
all Run target all
build Run target build
foo Run target foo
prefoo Run target prefoo
foobar Run target foobar
prefoobar Run target prefoobar
$ bake init <template> [options]
default Scaffold an ES6 setup (babel, eslint, ...)
cli Scaffold an ES6 CLI setup (minimist, ...)
Bake is a little experiment to implement a simple task runner similar to
Make in JavaScript, while bringing in the conveniency of npm scripts with
$PATH
and environment variables.
It takes a similar approach to Make with a very close syntax.
Recipes (or rules, the commands defined for a target / task), are executed with
bash -c
(similar to npm scripts).
For now, basic variable and target declarations are supported, along with basic prerequities support (eg. task depending on other tasks).
./node_modules/.bin
is made available, like npm does for npm scripts.bash -c
instead of executing each rule, line by line like Make does.todo
bake_*
similar to npm_*
available in npm scirptsBasic scaffolding command
Its purpose is to init a project Makefile with sensible defaults for various development needs.
The default list of templates should be configurable. Adding new ones or overriding existing ones should be a simple process.
Looking in
Where the templates directories have the following structure:
templates/
├── es6
│ ├── .babelrc
│ ├── .eslintrc
│ ├── Makefile
│ ├── package.json
│ └── .travis.yml
└── frontend
├── Makefile
├── package.json
└── webpack.config.js
The subdirectory name is the template name (invoked with bake init ).
If no name is defined, it defaults to "default"
Makefile
- Is the template Makefile to usepackage.json
- JSON file to merge with project's package.json (usually to include devDependencies)*.json
- Every JSON files generated is merged with existing files
(.eslintrc
and .babelrc
are handled as JSON files)The package.json file can have a "bake" field (removed when merged with package.json), with the following properties:
--help
)These hooks can be used to further customize the template generation (like
running npm install
in "scripts.install")
See the default template package.json file:
"bake": {
"description": "Scaffold a basic ES6 setup",
"scripts": {
"start": "echo Starting generation of default template",
"prestart": "echo prestart",
"poststart": "echo poststart",
"install": "npm install --loglevel http --cache-min Infinity",
"preinstall": "echo Installing dependencies ...",
"postinstall": "npm ls --depth 1"
}
}
Note --cache-min Infinity
is used to bypass the HTTP network checks to
the registry for already installed packages.
Here is a quick description of Makefiles syntax, with bake differences highlighted.
help:
echo """
Some help message here:
Run with bake help
"""
all: help
This, with Make, would throw an error
$ make help
echo """
/bin/sh: 1: Syntax error: Unterminated quoted string
Makefile:8: recipe for target 'help' failed
make: *** [help] Error 2
While, bake is ok with it
$ bake help
bake info Invoking help target
Some help message here
Run with bake help
bake info ✔ Build sucess in 43ms
somevar = anything after "=" is considered the value till the end of the line
OUT_FLAGS = output.js
build-js:
cat a.min.js b.min.js > $OUT_FLAGS
echo JS file built
The syntax and behavior is a bit different. Instead of using $(var)
syntax,
$var
is used instead (that might changed to allow bash variables within
recipes, which uses this syntax).
Use prerequities to specify tasks that depends on other tasks.
Makefile
prebuild:
echo done
build: prebuild
deploy: build
Output
$ bake deploy
bake info Invoking deploy target
bake info Invoking build target
bake info Invoking prebuild target
done
bake info ✔ Build sucess in 50ms
Recipes run in an environment very similar to the environment npm scripts are
run in, namely the PATH
environment variable.
If you depend on modules that define executable scripts, like test suites,
then those executables will be added to the PATH
for executing the scripts.
So, if your package.json has this:
{
"name" : "foo" ,
"dependencies" : { "bar" : "0.1.x" }
}
then you could run bake to execute a target that uses the bar
script, which
is exported into the node_modules/.bin
directory on npm install
.
npm test
Outputs help.
cli()
.use('bake -h')
.expect('bake <target...> [options]')
.expect('Options:')
.expect(0)
.end(done);
bake foo.
cli()
.use('bake foo')
.expect('prefoo\nblahblah\nfoo')
.expect(0)
.end(done);
bake all.
cli()
.use('bake')
.expect('prefoo\nblahblah\nfoo\nfoo2\nblahblah\nfoobar')
.expect(0)
.end(done);
bake maoow - Outputs help on UNKNOWN_TARGET.
cli()
.use('bake maoow')
.expect('bake <target...> [options]')
.expect('Options:')
.expect(0)
.end(done);
bake init.
cli({ cwd: join(__dirname, 'examples') })
.use('bake init --skip')
.expect('Running default template')
.expect(/Makefile\s+already exists, skipping/)
.expect(/Build success in \d+ms/)
.expect(0)
.end(done);
FAQs
Make like Task runner
We found that bake-cli demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.