Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
checkForModuleDuplicates
Advanced tools
Throw an error when require() may have more than one instance of a module in it's cache due to the module being required with inconsitent module name casing.
npm install --save checkForModuleDuplicates
Check for duplicates (syncchronously):
require('checkForModuleDuplicates')();
Alternatively, you can check periodically:
require('checkForModuleDuplicates').autocheck();
If node is running on a filesystem that's case-insensitive (e.g. MacOSX), require() is case-insensitive. At least, in how it resolves to file paths. So require('foo') and require('FOO') will both resolve to the same 'Foo.js' file. However require()'s module caching is case-sensitive, meaning the module instances you get back in that case are different!
(To make matters worse, require() is case-sensitive for built-in modules. require('http') works, but require('Http') throws, thus reinforcing the naive assumption that nodes insures modules are created as singletons.)
This is the intended behavior, by the way. Unfortunately, it can lead to some really nasty bugs. Nasty, because it won't be at all obvious what the underlying cause of the problem is.
For example, I created this module because I wasted 3 hours tracking down a bug
where Sequelize was failing to generate UUIDs. The cause? The
Sequelize.UUIDV4 constant I was passing in to Sequelize came from a different
instance of the Sequelize module and, thus, wasn't actually recognized as
Sequelize.UUIDV4
. The fix was to change require('Sequelize')
to
require('sequelize')
. Everything else worked, however... there was no
indication given that I had inadvertently created a completely different
instance of the module.
So... yeah... fuck that. Never again.
FAQs
Detect possible duplicate module require() issues
We found that checkForModuleDuplicates demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.