codependency
Node's peer dependencies are automatically installed when the middleware that refers to them is installed. Just because your middleware supports 16 database systems doesn't mean your end user wants to install all those drivers.

For those cases, you'll want to use codependency. Simply add your peer dependencies to your package.json file, in a field called "optionalPeerDependencies", and use the require() function from this library. It will give you:
```sh
npm install codependency
```

Middleware package.json

```json
{
  "name": "mymiddleware",
  "optionalPeerDependencies": {
    "redis": "~0.9.0",
    "mysql": "~2.0.0"
  }
}
```
Setting up and using a require-function from the middleware

```js
var codependency = require('codependency');
var requirePeer = codependency.register(module);
var redis = requirePeer('redis');
```

From another file, you can now easily use the middleware's require function for peers:

```js
var codependency = require('codependency');
var requirePeer = codependency.get('mymiddleware');
var redis = requirePeer('redis');
```

```js
var codependency = require('codependency');
// look up peers in more than one package.json field
var requirePeer = codependency.register(module, {
  index: ['optionalPeerDependencies', 'devDependencies']
});
// require redis, but don't throw an error if the module is not found
var redis = requirePeer('redis', { optional: true }); // returns undefined
```
codependency.register(module, options)

The module argument must be the root module of the middleware. Its location is the basis for the search for package.json, which is to contain the peer dependencies hashmap. Its parent will be used to require from. This allows you to work on middleware development, while symlinking to it from your end-user project. For example:

/home/bob/todolist/node_modules/mymiddleware -> /home/bob/mymiddleware

The options object may contain an index property, which defaults to the array ["optionalPeerDependencies"]. Override it to change which properties of your package.json will be used to index.

If the module argument is not the root module you may set the options.strictCheck property to false to search for package.json in a parent directory.

This function returns a require function, which has the following signature:
requirePeer(name, options)

The name argument is the name of one of your peer dependencies. It will be required and returned.

The options object may contain one of the following:

It also has a resolve method which can give you information about a peer dependency before requiring it.

requirePeer.resolve(name)

The name argument is the name of one of your peer dependencies. The returned object has the following signature:

```json
{
  "supportedRange": "2.5.1",
  "installedVersion": "2.5.1",
  "isInstalled": true,
  "isValid": true,
  "pkgPath": "zmq/package.json"
}
```

- supportedRange is the range that the middleware explicitly supports.
- installedVersion is the version that is currently installed (null if none).
- isInstalled indicates if the dependency has been installed.
- isValid indicates if the installed version is valid within the supported range.
- pkgPath is a path to package.json of the dependency, used internally by requirePeer().

During a peer-require, a user may encounter the following exceptions:
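The resolve() lookup described above, as an added example that is not the codependency project's own code: a minimal model that reads the declared range from the middleware package.json, checks the installed peer's version against it (only exact versions and "~" ranges are understood here) and returns the same object shape. The loader that finds an installed peer's package.json is injected so the example runs offline; the middleware and installed-peer data are constructed fixtures.

```javascript
'use strict';

// Parse "MAJOR.MINOR.PATCH" into three numbers; anything else is rejected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error('unsupported version string: ' + v);
  return m.slice(1).map(Number);
}

// "~1.2.3" allows >=1.2.3 <1.3.0; a bare "1.2.3" allows only that exact version.
function satisfies(range, version) {
  const want = parseVersion(range.replace(/^~/, ''));
  const have = parseVersion(version);
  if (!range.startsWith('~')) return want.every((n, i) => n === have[i]);
  return have[0] === want[0] && have[1] === want[1] && have[2] >= want[2];
}

// Builds the object shape documented for requirePeer.resolve(name).
// `index` plays the role of the register() option of the same name;
// `loadPeerPkg(name)` returns the installed peer's package.json contents or null.
function resolvePeer(middlewarePkg, name, loadPeerPkg, index = ['optionalPeerDependencies']) {
  const field = index.find((f) => middlewarePkg[f] && name in middlewarePkg[f]);
  if (!field) throw new Error(name + ' is not a declared peer dependency of ' + middlewarePkg.name);
  const supportedRange = middlewarePkg[field][name];
  const peer = loadPeerPkg(name);
  const installedVersion = peer ? peer.version : null;
  return {
    supportedRange,
    installedVersion,
    isInstalled: peer !== null,
    // An installed peer only counts as usable once its version is inside the declared range.
    isValid: peer !== null && satisfies(supportedRange, installedVersion),
    pkgPath: peer ? name + '/package.json' : null,
  };
}

// Constructed fixture standing in for package.json files found on disk
// (the "pg" peer is declared but not installed).
const MIDDLEWARE_PKG = {
  name: 'mymiddleware',
  optionalPeerDependencies: { redis: '~0.9.0', mysql: '~2.0.0', pg: '~4.0.0' },
};
const INSTALLED_PEERS = { redis: { version: '0.9.4' }, mysql: { version: '2.3.1' } };
const loadFromFixture = (name) => (name in INSTALLED_PEERS ? INSTALLED_PEERS[name] : null);

// Against a real node_modules the loader would instead be:
//   (name) => { try { return require(name + '/package.json'); } catch (e) { return null; } }
```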