Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
checkpoint-client
Advanced tools
A TypeScript Checkpoint Client for the Checkpoint Server. Checkpoint provides version information and security alerts for your products.
import checkpoint from 'checkpoint-client'
checkpoint.check({
product: 'prisma',
version: '2.0.0',
})
npm install checkpoint-client
checkpoint.check(input: Input): Promise<Result>
Check for the latest version and inform the user of any security notices.
await checkpoint.check({
product: 'prisma',
version: '2.0.0',
})
Input
Field | Attributes | Description |
---|---|---|
product | string, required | Name of the product. Current we only support prisma . |
version | string, required | Currently installed version of the product (e.g. 1.0.0-rc0 ) |
cli_path_hash | string, required | A unique hash of the path in which the CLI is installed |
project_hash | string, required | A unique hash of the project's path, i.e.. the schema.prisma 's path |
disable | boolean, required | Disable checking for an update if it's not already cached. Useful for CI. |
endpoint | string, optional | Checkpoint server endpoint URL. Defaults to https://checkpoint.prisma.io. |
timeout | number, optional | Time in milliseconds we should wait for a response before giving up. |
arch | string, optional | Client's operating system architecture (e.g. amd64 ). |
os | string, optional | Client's operating system (e.g. darwin ). |
node_version | string, optional | Client's node version (e.g. v12.12.0 ). |
signature | string, optional | Random, non-identifiable signature to ensure alerts aren't repeated. |
cache_file | string, optional | File where we store the response for the cache_duration . |
cache_duration | number, optional | Time in milliseconds to store the response. Defaults to 12 hours. |
remind_duration | number, optional | Time in milliseconds to wait for a new reminder. Defaults to 48 hours. |
force | boolean, optional | Force a check regardless of disable or CHECKPOINT_DISABLE . |
unref | boolean, optional | Control when we should unreference the child. Use with care. |
cli_install_type | string, optional | 'local' or 'global' |
Result
The result's shape changes depending on the status
:
status: "ok"
and status: "reminded"
The ok
status occurs when we our cached result is available and valid.
type Result = {
status: 'ok'
data: Output
}
The reminded
status occurs when we recently checked the cache. This status is influenced by the remind_duration
.
type Result = {
status: 'reminded'
data: Output
}
In both cases, the Output
has the following shape:
Field | Attributes | Description |
---|---|---|
product | string, required | Product we're checking on. |
current_version | string, required | Latest version of the product. |
current_release_date | number, required | Release date of the latest version in Unix time. |
current_download_url | string, required | URL to download the latest version. |
current_changelog_url | string, required | URL to the latest version's changelog. |
project_website | string, required | Website for the project. |
outdated | boolean, required | True if the our version is outdated. |
alerts[] | Alert[], required | New security alerts or notices for this version. |
.id | string, required | ID of the alert. |
.date | string, required | Date of the alert in Unix time. |
.message | string, required | Alert message. |
.url | string, optional | URL for more information about the alert. |
.level | string, required | Severity of the alert. |
status: "waiting"
The waiting
status occurs when we don't have the cached result and we're requesting it from the checkpoint server.
type Result = {
status: 'waiting'
data: ChildProcess
}
If you like, you can pass unref: false
as input and wait for the ChildProcess
to exit. The child process prints out the Output
to stdout. You can see an example in check-version.
status: "disabled"
The disabled
status occurs when we've explicitly disabled this service. The most common case for this is in CI.
type Result = {
status: 'disabled'
}
You can see an example for this in is-ci.
Field | Attributes | Description |
---|---|---|
CHECKPOINT_DISABLE | string, optional | Disable the checkpoint client |
CHECKPOINT_TIMEOUT | string, optional | Globally set timeout for our checkpoint client |
// macOS
ls ~/Library/Caches/checkpoint-nodejs
rm -rf ~/Library/Caches/checkpoint-nodejs
// Windows
C:\Users\Jan\AppData\Local\checkpoint-nodejs
// Linux
$XDG_CACHE_HOME/checkpoint-nodejs
Or
$HOME - /home/.cache/checkpoint-nodejs
You can use ts-node
to run the examples:
npm install
npm run build
node dist/examples/is-ci.js
1.1.30
1.1.30
checkpoint-client
dependency in:
Previous instructions:
HISTORY.md
. We recommend git-changelog. Run git changelog --tag 1.1.XX
npm publish
git commit -am "Release <version>"
git tag <version>
git push --tags origin main
You can automate steps 5-7 with git-release.
The Prisma Team is behind the Checkpoint Client – chat with us on Slack!
FAQs
javascript checkpoint client
The npm package checkpoint-client receives a total of 137,982 weekly downloads. As such, checkpoint-client popularity was classified as popular.
We found that checkpoint-client demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.