Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
carpenterd-worker
Advanced tools
carpenterd-worker
carpenterd-worker
is responsible for receiving job messages from
carpenterd
and executing the builds. After fetching a
pre-installed npm
tarball from a distributed storage like amazon s3. A
workers-factory
instance will build the bundle.
npm install carpenterd-worker --save
const carpenterd = require('carpenterd-worker');
const app = new Map();
// Select the directory that contains a `config` directory so that `slay-config`
// works appropriately
app.rootDir = require('path').join(__dirname);
carpenterd(app)
.start(carpenterd.worker);
nsq
for job distribution to all the workers in given cluster.carpenterd
.See the example config config.example.json
in this repo.
notes
nsq
config option is for a fork of nsq.js
that has kubernetes
support but otherwise has the same options. Note: there is an additional
configuration option statusTopic
for setting the nsq topic that should be
written to for status updates.assets.prefix
in the config is the bucket name for where the public
CDN assets are uploaded.http
is the http port the healhcheck listens on.npm-tars
the npm tarball bucket to fetch from.database
the configuration for the database.When work is queued with carpenterd-worker
it can optionally be marked to
disable build promotion. Normally when a build completes it is marked as the
build-head. Meaning it will be the build that is used for the given
environment for that package. If the JSON status message used to queue the build
contains "promote": false
then it will be built only and not
promoted / served for the given environment.
Carpenterd-worker supports posting messages to the [warehouse.ai] status-api via NSQ. It will post messages to the nsq topic configured at:
{
// ...other configuration
"nsq": {
"statusTopic": "an-nsq-topic", // topic that you choose for the status-api to consume
// ...other nsq setup
},
// ...other configuration
}
The NSQ payloads will be object that take the form:
{
eventType: "event|error|complete", // The type of status event that occurred
name: "package-name",
env: "dev", // The environment that is being built
version: "1.2.3", // The version of the build
locale: "en-US", // (Optional) The locale that is being built
buildType: "webpack", // The type of the build (typically just webpack)
message: "Description of what happened"
}
In the status-api NSQ payload there is a field called eventType
. The
possible values that carpenterd-worker will send are:
event
- Used for interim statuses that a user might care about, but
doesn't affect/progress the overall build statuscomplete
- Used to indicate that the build is completederror
- Used to indicate that carpenterd-worker
encountered an error
and wasn't able to complete the buildThe buildType
value is parsed from the package.json
by carpenterd. The
types of supported builds are webpack
/browserify
/babel
. For a more
detailed description see carpenterd build documentation.
Run an AWS local cloud stack, pull latest
[localstack].
This requires docker
to be setup.
docker pull localstack/localstack:latest
npm run localstack
Run tests in a separate terminal.
npm test
FAQs
Receives and runs builds received from nsqd
We found that carpenterd-worker demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 16 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.