Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Bluebird is a fully-featured Promise library for JavaScript. It allows for advanced features such as promise chaining, concurrency control, and error handling. It is known for its performance and useful utilities for working with asynchronous operations in JavaScript.
Promisification
Converts Node.js callback-style functions to return a Bluebird promise. In this example, the 'fs' module's 'readFile' function is promisified to use promises instead of callbacks.
const Promise = require('bluebird');
const fs = Promise.promisifyAll(require('fs'));
fs.readFileAsync('example.txt', 'utf8').then(contents => {
console.log(contents);
}).catch(error => {
console.error('Error reading file', error);
});
Promise Chaining
Allows for chaining multiple asynchronous operations where each step waits for the previous one to complete. Errors can be caught and handled gracefully.
const Promise = require('bluebird');
Promise.resolve(1)
.then(x => x + 1)
.then(x => { throw new Error('Something went wrong'); })
.catch(Error, e => console.error(e.message));
Concurrency Control
Provides utilities to control the concurrency of multiple promises. The 'map' function here runs a maximum of two promises in parallel.
const Promise = require('bluebird');
const tasks = [/* array of functions that return promises */];
Promise.map(tasks, task => task(), { concurrency: 2 })
.then(results => {
console.log('All tasks completed', results);
});
Error Handling
Offers a clean syntax for error handling in promise chains. The 'try' method is used to start a promise chain with error handling.
const Promise = require('bluebird');
Promise.try(() => {
throw new Error('Something failed');
}).catch(Error, e => {
console.error('Caught an error:', e.message);
});
Q is an earlier promise library that provides similar features to Bluebird, such as promise creation, chaining, and advanced error handling. However, Bluebird is generally considered to be faster and more feature-rich.
When.js is another promise library with API methods for creating and working with promises. It is smaller and has a simpler API compared to Bluebird, but lacks some of the utilities and performance optimizations.
ES6-Promise is a polyfill for the ES6 Promise specification. It provides basic promise functionality but does not include the additional utilities and features that Bluebird offers.
This package is a simple implementation of Promises/A+. It is lightweight and doesn't have the extra features that Bluebird provides, focusing instead on a minimal API.
#Introduction
Bluebird is a fully featured promise library with focus on innovative features and performance.
#Topics
#Features:
.bind
Passes AP2, AP3, Cancellation, Progress, Q and When.js tests. See testing.
#Quick start
##Node.js
npm install bluebird
Then:
var Promise = require("bluebird");
##Browsers
Download the bluebird.js file. And then use a script tag:
<script type="text/javascript" src="/scripts/bluebird.js"></script>
The global variable Promise
becomes available after the above script tag.
####Browser support
Browsers that implement ECMA-262, edition 3 and later are supported.
Note that in ECMA-262, edition 3 (IE7, IE8 etc) it is not possible to use methods that have keyword names like .catch
and .finally
. The API documentation always lists a compatible alternative name that you can use if you need to support these browsers. For example .catch
is replaced with .caught
and .finally
with .lastly
.
Also, long stack trace support is only available in Chrome and Firefox.
Previously bluebird required es5-shim.js and es5-sham.js to support Edition 3 - these are no longer required as of 0.10.4.
After quick start, see API Reference and examples
#What are promises and why should I use them?
You should use promises to turn this:
readFile("file.json", function(err, val) {
if( err ) {
console.error("unable to read file");
}
else {
try {
val = JSON.parse(val);
console.log(val.success);
}
catch( e ) {
console.error("invalid json in file");
}
}
});
Into this:
readFile("file.json").then(JSON.parse).then(function(val) {
console.log(val.success);
})
.catch(SyntaxError, function(e) {
console.error("invalid json in file");
})
.catch(function(e){
console.error("unable to read file")
});
Actually you might notice the latter has a lot in common with code that would do the same using synchronous I/O:
try {
var val = JSON.parse(readFile("file.json"));
console.log(val.success);
}
//Syntax actually not supported in JS but drives the point
catch(SyntaxError e) {
console.error("invalid json in file");
}
catch(Error e) {
console.error("unable to read file")
}
And that is the point - being able to have something that is a lot like return
and throw
in synchronous code.
You can also use promises to improve code that was written with callback helpers:
//Copyright Plato http://stackoverflow.com/a/19385911/995876
//CC BY-SA 2.5
mapSeries(URLs, function (URL, done) {
var options = {};
needle.get(URL, options, function (error, response, body) {
if (error) {
return done(error)
}
try {
var ret = JSON.parse(body);
return done(null, ret);
}
catch (e) {
done(e);
}
});
}, function (err, results) {
if (err) {
console.log(err)
} else {
console.log('All Needle requests successful');
// results is a 1 to 1 mapping in order of URLs > needle.body
processAndSaveAllInDB(results, function (err) {
if (err) {
return done(err)
}
console.log('All Needle requests saved');
done(null);
});
}
});
Is more pleasing to the eye when done with promises:
Promise.promisifyAll(needle);
var options = {};
var current = Promise.fulfilled();
Promise.map(URLs, function(URL) {
current = current.then(function () {
return needle.getAsync(URL, options);
});
return current;
}).map(function(responseAndBody){
return JSON.parse(responseAndBody[1]);
}).then(function (results) {
return processAndSaveAllInDB(results);
}).then(function(){
console.log('All Needle requests saved');
}).catch(function (e) {
console.log(e);
});
Also promises don't just give you correspondences for synchronous features but can also be used as limited event emitters or callback aggregators.
More reading:
#Error handling
This is a problem every promise library needs to handle in some way. Unhandled rejections/exceptions don't really have a good agreed-on asynchronous correspondence. The problem is that it is impossible to predict the future and know if a rejected promise will eventually be handled.
There are two common pragmatic attempts at solving the problem that promise libraries do.
The more popular one is to have the user explicitly communicate that they are done and any unhandled rejections should be thrown, like so:
download().then(...).then(...).done();
For handling this problem, in my opinion, this is completely unacceptable and pointless. The user must remember to explicitly call .done
and that cannot be justified when the problem is forgetting to create an error handler in the first place.
The second approach, which is what bluebird by default takes, is to call a registered handler if a rejection is unhandled by the start of a second turn. The default handler is to write the stack trace to stderr or console.error
in browsers. This is close to what happens with synchronous code - your code doens't work as expected and you open console and see a stack trace. Nice.
Of course this is not perfect, if your code for some reason needs to swoop in and attach error handler to some promise after the promise has been hanging around a while then you will see annoying messages. In that case you can use the .done()
method to signal that any hanging exceptions should be thrown.
If you want to override the default handler for these possibly unhandled rejections, you can pass yours like so:
Promise.onPossiblyUnhandledRejection(function(error){
throw error;
});
If you want to also enable long stack traces, call:
Promise.longStackTraces();
right after the library is loaded.
In node.js use the environment flag BLUEBIRD_DEBUG
:
BLUEBIRD_DEBUG=1 node server.js
to enable long stack traces in all instances of bluebird.
Long stack traces cannot be disabled after being enabled, and cannot be enabled after promises have alread been created. Long stack traces imply a substantial performance penalty, even after using every trick to optimize them.
Long stack traces are enabled by default in the debug build.
####Expected and unexpected errors
A practical problem with Promises/A+ is that it models Javascript try-catch
too closely for its own good. Therefore by default promises inherit try-catch
warts such as the inability to specify the error types that the catch block is eligible for. It is an anti-pattern in every other language to use catch-all handlers because they swallow exceptions that you might not know about.
Now, Javascript does have a perfectly fine and working way of creating error type hierarchies. It is still quite awkward to use them with the built-in try-catch
however:
try {
//code
}
catch(e) {
if( e instanceof WhatIWantError) {
//handle
}
else {
throw e;
}
}
Without such checking, unexpected errors would be silently swallowed. However, with promises, bluebird brings the future (hopefully) here now and extends the .catch
to accept potential error type eligibility.
For instance here it is expected that some evil or incompetent entity will try to crash our server from SyntaxError
by providing syntactically invalid JSON:
getJSONFromSomewhere().then(function(jsonString) {
return JSON.parse(jsonString);
}).then(function(object) {
console.log("it was valid json: ", object);
}).catch(SyntaxError, function(e){
console.log("don't be evil");
});
Here any kind of unexpected error will automatically reported on stderr along with a stack trace because we only register a handler for the expected SyntaxError
.
Ok, so, that's pretty neat. But actually not many libraries define error types and it is in fact a complete ghetto out there with ad hoc strings being attached as some arbitrary property name like .name
, .type
, .code
, not having any property at all or even throwing strings as errors and so on. So how can we still listen for expected errors?
Bluebird defines a special error type RejectionError
(you can get a reference from Promise.RejectionError
). This type of error is given as rejection reason by promisified methods when
their underlying library gives an untyped, but expected error. Primitives such as strings, and error objects that are directly created like new Error("database didn't respond")
are considered untyped.
Example of such library is the node core library fs
. So if we promisify it, we can catch just the errors we want pretty easily and have programmer errors be redirected to unhandled rejection handler so that we notice them:
//Read more about promisification in the API Reference:
//https://github.com/petkaantonov/bluebird/blob/master/API.md
var fs = Promise.promisifyAll(require("fs"));
fs.readFileAsync("myfile.json").then(JSON.parse).then(function (json) {
console.log("Successful json")
}).catch(SyntaxError, function (e) {
console.error("file contains invalid json");
}).catch(Promise.RejectionError, function (e) {
console.error("unable to read file, because: ", e.message);
});
The last catch
handler is only invoked when the fs
module explicitly used the err
argument convention of async callbacks to inform of an expected error. The RejectionError
instance will contain the original error in its .cause
property but it does have a direct copy of the .message
and .stack
too. In this code any unexpected error - be it in our code or the fs
module - would not be caught by these handlers and therefore not swallowed.
Since a catch
handler typed to Promise.RejectionError
is expected to be used very often, it has a neat shorthand:
.error(function (e) {
console.error("unable to read file, because: ", e.message);
});
See API documentation for .error()
Finally, Bluebird also supports predicate-based filters. If you pass a predicate function instead of an error type, the predicate will receive the error as an argument. The return result will be used determine whether the error handler should be called.
Predicates should allow for very fine grained control over caught errors: pattern matching, error typesets with set operations and many other techniques can be implemented on top of them.
Example of using a predicate-based filter:
var Promise = require("bluebird");
var request = Promise.promisify(require("request"));
function clientError(e) {
return e.code >= 400 && e.code < 500;
}
request("http://www.google.com").then(function(contents){
console.log(contents);
}).catch(clientError, function(e){
//A client error like 400 Bad Request happened
});
####How do long stack traces differ from e.g. Q?
Bluebird attempts to have more elaborate traces. Consider:
Error.stackTraceLimit = 25;
Q.longStackSupport = true;
Q().then(function outer() {
return Q().then(function inner() {
return Q().then(function evenMoreInner() {
a.b.c.d();
}).catch(function catcher(e){
console.error(e.stack);
});
})
});
You will see
ReferenceError: a is not defined
at evenMoreInner (<anonymous>:7:13)
From previous event:
at inner (<anonymous>:6:20)
Compare to:
Error.stackTraceLimit = 25;
Promise.longStackTraces();
Promise.fulfilled().then(function outer() {
return Promise.fulfilled().then(function inner() {
return Promise.fulfilled().then(function evenMoreInner() {
a.b.c.d()
}).catch(function catcher(e){
console.error(e.stack);
});
});
});
ReferenceError: a is not defined
at evenMoreInner (<anonymous>:7:13)
From previous event:
at inner (<anonymous>:6:36)
From previous event:
at outer (<anonymous>:5:32)
From previous event:
at <anonymous>:4:21
at Object.InjectedScript._evaluateOn (<anonymous>:572:39)
at Object.InjectedScript._evaluateAndWrap (<anonymous>:531:52)
at Object.InjectedScript.evaluate (<anonymous>:450:21)
A better and more practical example of the differences can be seen in gorgikosev's debuggability competition.
####Can I use long stack traces in production?
Probably yes. Bluebird uses multiple innovative techniques to optimize long stack traces. Even with long stack traces, it is still way faster than similarly featured implementations that don't have long stack traces enabled and about same speed as minimal implementations. A slowdown of 4-5x is expected, not 50x.
What techniques are used?
#####V8 API second argument
This technique utilizes the slightly under-documented second argument of V8 Error.captureStackTrace
. It turns out that the second argument can actually be used to make V8 skip all library internal stack frames for free. It only requires propagation of callers manually in library internals but this is not visible to you as user at all.
Without this technique, every promise (well not every, see second technique) created would have to waste time creating and collecting library internal frames which will just be thrown away anyway. It also allows one to use smaller stack trace limits because skipped frames are not counted towards the limit whereas with collecting everything upfront and filtering afterwards would likely have to use higher limits to get more user stack frames in.
#####Sharing stack traces
Consider:
function getSomethingAsync(fileName) {
return readFileAsync(fileName).then(function(){
//...
}).then(function() {
//...
}).then(function() {
//...
});
}
Everytime you call this function it creates 4 promises and in a straight-forward long stack traces implementation it would collect 4 almost identical stack traces. Bluebird has a light weight internal data-structure (kcnown as context stack in the source code) to help tracking when traces can be re-used and this example would only collect one trace.
#####Lazy formatting
After a stack trace has been collected on an object, one must be careful not to reference the .stack
property until necessary. Referencing the property causes
an expensive format call and the stack property is turned into a string which uses much more memory.
What about Q #111?
Long stack traces is not inherently the problem. For example with latest Q with stack traces disabled:
var Q = require("q");
function test(i){
if (i <= 0){
return Q.when('done')
} else {
return Q.when(i-1).then(test)
}
}
test(1000000000).then(function(output){console.log(output) });
After 2 minutes of running this, it will give:
FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed - process out of memory
So the problem with this is how much absolute memory is used per promise - not whether long traces are enabled or not.
For some purpose, let's say 100000 parallel pending promises in memory at the same time is the maximum. You would then roughly use 100MB for them instead of 10MB with stack traces disabled.For comparison, just creating 100000 functions alone will use 14MB if they're closures. All numbers can be halved for 32-bit node.
#Development
For development tasks such as running benchmarks or testing, you need to clone the repository and install dev-dependencies.
git clone git@github.com:petkaantonov/bluebird.git
cd bluebird
npm install
##Testing
To run all tests, run grunt test
. Note that 10 processes are created to run the tests in parallel. The stdout of tests is ignored by default and everything will stop at the first failure.
Individual files can be run with grunt test --run=filename
where filename
is a test file name in /test
folder or /test/mocha
folder. The .js
prefix is not needed. The dots for AP compliance tests are not needed, so to run /test/mocha/2.3.3.js
for instance:
grunt test --run=233
When trying to get a test to pass, run only that individual test file with --verbose
to see the output from that test:
grunt test --run=233 --verbose
The reason for the unusual way of testing is because the majority of tests are from different libraries using different testing frameworks and because it takes forever to test sequentially.
###Testing in browsers
To test in browsers:
cd browser
setup
Then open the index.html
in your browser. Requires bash (on windows the mingw32 that comes with git works fine too).
You may also visit the github hosted page.
Keep the test tab active because some tests are timing-sensitive and will fail if the browser is throttling timeouts. Chrome will do this for example when the tab is not active.
##Benchmarks
To run a benchmark, run the given command for a benchmark while on the project root. Requires bash (on windows the mingw32 that comes with git works fine too).
Node 0.11.2+ is required to run the generator examples.
###1. DoxBee sequential
Currently the most relevant benchmark is @gorkikosev's benchmark in the article Analysis of generators and other async patterns in node. The benchmark emulates a situation where n amount of users are making a request in parallel to execute some mixed async/sync action. The benchmark has been modified to include a warm-up phase to minimize any JITing during timed sections.
Command: bench doxbee
###2. Made-up parallel
This made-up scenario runs 15 shimmed queries in parallel.
Command: bench parallel
##Custom builds
Custom builds for browsers are supported through a command-line utility.
<tr><td><a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#any---promise"><code>.any</code></a> and <a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#promiseanyarraydynamicpromise-values---promise"><code>Promise.any</code></a></td><td><code>any</code></td></tr>
<tr><td><a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#race---promise"><code>.race</code></a> and <a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#promiseracearraypromise-promises---promise"><code>Promise.race</code></a></td><td><code>race</code></td></tr>
<tr><td><a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#callstring-propertyname--dynamic-arg---promise"><code>.call</code></a> and <a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#getstring-propertyname---promise"><code>.get</code></a></td><td><code>call_get</code></td></tr>
<tr><td><a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#filterfunction-filterer---promise"><code>.filter</code></a> and <a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#promisefilterarraydynamicpromise-values-function-filterer---promise"><code>Promise.filter</code></a></td><td><code>filter</code></td></tr>
<tr><td><a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#mapfunction-mapper---promise"><code>.map</code></a> and <a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#promisemaparraydynamicpromise-values-function-mapper---promise"><code>Promise.map</code></a></td><td><code>map</code></td></tr>
<tr><td><a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#reducefunction-reducer--dynamic-initialvalue---promise"><code>.reduce</code></a> and <a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#promisereducearraydynamicpromise-values-function-reducer--dynamic-initialvalue---promise"><code>Promise.reduce</code></a></td><td><code>reduce</code></td></tr>
<tr><td><a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#props---promise"><code>.props</code></a> and <a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#promisepropsobjectpromise-object---promise"><code>Promise.props</code></a></td><td><code>props</code></td></tr>
<tr><td><a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#settle---promise"><code>.settle</code></a> and <a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#promisesettlearraydynamicpromise-values---promise"><code>Promise.settle</code></a></td><td><code>settle</code></td></tr>
<tr><td><a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#someint-count---promise"><code>.some</code></a> and <a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#promisesomearraydynamicpromise-values-int-count---promise"><code>Promise.some</code></a></td><td><code>some</code></td></tr>
<tr><td><a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#nodeifyfunction-callback---promise"><code>.nodeify</code></a></td><td><code>nodeify</code></td></tr>
<tr><td><a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#promisecoroutinegeneratorfunction-generatorfunction---function"><code>Promise.coroutine</code></a> and <a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#promisespawngeneratorfunction-generatorfunction---promise"><code>Promise.spawn</code></a></td><td><code>generators</code></td></tr>
<tr><td><a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#progression">Progression</a></td><td><code>progress</code></td></tr>
<tr><td><a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#promisification">Promisification</a></td><td><code>promisify</code></td></tr>
<tr><td><a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#cancellation">Cancellation</a></td><td><code>cancel</code></td></tr>
<tr><td><a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#synchronous-inspection">Synchronous inspection</a></td><td><code>synchronous_inspection</code></td></tr>
<tr><td><a href="https://github.com/petkaantonov/bluebird/blob/master/API.md#timers">Timers</a></td><td><code>timers</code></td></tr>
</tbody>
Feature(s) | Command line identifier |
---|
Make sure you have cloned the repo somewhere and did npm install
successfully.
After that you can run:
grunt build --features="core"
The above builds the most minimal build you can get. You can add more features separated by spaces from the above list:
grunt build --features="core filter map reduce"
The custom build file will be found from /js/browser/bluebird.js
. It will have a comment that lists the disabled and enabled features.
Note that the build leaves the /js/main
etc folders with same features so if you use the folder for node.js at the same time, don't forget to build
a full version afterwards (after having taken a copy of the bluebird.js somewhere):
grunt build
##For library authors
Building a library that depends on bluebird? You should know about a few features.
If your library needs to do something obtrusive like adding or modifying methods on the Promise
prototype, uses long stack traces or uses a custom unhandled rejection handler then... that's totally ok as long as you don't use require("bluebird")
. Instead you should create a file
that creates an isolated copy. For example, creating a file called bluebird-extended.js
that contains:
//NOTE the function call right after
module.exports = require("bluebird/js/main/promise")();
Your library can then use var Promise = require("bluebird-extended");
and do whatever it wants with it. Then if the application or other library uses their own bluebird promises they will all play well together because of Promises/A+ thenable assimilation magic.
You should also know about .nodeify()
which makes it easy to provide a dual callback/promise API.
##What is the sync build?
You may now use sync build by:
var Promise = require("bluebird/zalgo");
The sync build is provided to see how forced asynchronity affects benchmarks. It should not be used in real code due to the implied hazards.
The normal async build gives Promises/A+ guarantees about asynchronous resolution of promises. Some people think this affects performance or just plain love their code having a possibility of stack overflow errors and non-deterministic behavior.
The sync build skips the async call trampoline completely, e.g code like:
async.invoke( this.fn, this, val );
Appears as this in the sync build:
this.fn(val);
This should pressure the CPU slightly less and thus the sync build should perform better. Indeed it does, but only marginally. The biggest performance boosts are from writing efficient Javascript, not from compromising determinism.
Note that while some benchmarks are waiting for the next event tick, the CPU is actually not in use during that time. So the resulting benchmark result is not completely accurate because on node.js you only care about how much the CPU is taxed. Any time spent on CPU is time the whole process (or server) is paralyzed. And it is not graceful like it would be with threads.
var cache = new Map(); //ES6 Map or DataStructures/Map or whatever...
function getResult(url) {
var resolver = Promise.pending();
if (cache.has(url)) {
resolver.fulfill(cache.get(url));
}
else {
http.get(url, function(err, content) {
if (err) resolver.reject(err);
else {
cache.set(url, content);
resolver.fulfill(content);
}
});
}
return resolver.promise;
}
//The result of console.log is truly random without async guarantees
function guessWhatItPrints( url ) {
var i = 3;
getResult(url).then(function(){
i = 4;
});
console.log(i);
}
#Optimization guide
Articles about optimization will be periodically posted in the wiki section, polishing edits are welcome.
A single cohesive guide compiled from the articles will probably be done eventually.
#License
Copyright (c) 2013 Petka Antonov
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
FAQs
Full featured Promises/A+ implementation with exceptionally good performance
The npm package bluebird receives a total of 22,138,278 weekly downloads. As such, bluebird popularity was classified as popular.
We found that bluebird demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.