Security News
AI Agent Lands PRs in Major OSS Projects, Targets Maintainers via Cold Outreach
An AI agent is merging PRs into major OSS projects and cold-emailing maintainers to drum up more work.
By Sarah Gooding - Feb 14, 2026
Latest Threat Research:Malicious dYdX Packages Published to npm and PyPI After Maintainer Compromise.Details →
canvas-client
Advanced tools
canvas-client
Typescript library to make accessing the Canvas API more convenient.
Features
Typescript
The canvas client provided by this library has a lot of pre-built methods where we have carefully observed the behavior of the Canvas RESTful API and provided types that accurately reflect what it accepts and returns. The pre-built methods are not complete but they should cover the most common endpoints for server-to-server integrations like course, user, and assignment management.
Rate-limiting and token-splitting
Canvas rate-limits incoming requests to about 20 simultaneous requests per account. This can be rather problematic if you are performing server-to-server operations on behalf of the entire campus via a single service account. This library's solution is two-fold:
- Rate-limit on the client side to ensure canvas never gets overloaded. This way requests to Canvas never fail simply for rate-limiting.
- The default client-side rate limit is a conservative 10 simultaneous requests. It's configurable. If multiple instances of your app share the same token, you may want to reduce this number.
- Support multiple tokens (each MUST come from a separate user account) and load-balance requests across the tokens. This increases your total capacity.
- Note that if you run multiple instances, you STILL want to reduce the max simultaneous requests per token, to avoid getting errors when you have a backlog of requests overwhelming the capacity of your tokens.
GraphQL
We've provided a very simple method for making queries against Canvas' GraphQL API. It only takes care of the fundamentals of GraphQL. We do not provide types for
graphql queries, but the graphql method does accept a generic so that you can provide the expected return type yourself. GraphQL requests also benefit from token splitting and rate limiting. Tokens and rate limits are shared with RESTful requests.
Testing
Duplicate .env.example, rename it to .env and fill in good values for each of the variables. This will allow you to run npm test successfully.
2.0
The breaking change for 2.0 is node 18+ is required since I got rid of axios in favor of the native fetch api.
FAQs
Typescript library to make accessing the Canvas API more convenient.
The npm package canvas-client receives a total of 65 weekly downloads. As such, canvas-client popularity was classified as not popular.
We found that canvas-client demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Package last updated on 08 Dec 2023
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
/Security News
Malicious Chrome Extension Steals Meta Business Manager Exports and TOTP 2FA Seeds
Chrome extension CL Suite by @CLMasters neutralizes 2FA for Facebook and Meta Business accounts while exfiltrating Business Manager contact and analytics data.
By Kirill Boychenko - Feb 13, 2026
Security News
AI Agent Submits PR to Matplotlib, Publishes Angry Blog Post After Rejection
After Matplotlib rejected an AI-written PR, the agent fired back with a blog post, igniting debate over AI contributions and maintainer burden.
By Sarah Gooding - Feb 12, 2026