create-duffel-app
Work in progress!
TODO:
A scaffolding script to bootstrap a fullstack duffel app
The script will guide you through setting up a minimal fullstack application with Duffel API. At the end of the script, you will have:
Boilerplate sources: create-react-app (client side), express-generator, and express-generator-typescript (with a lot of simplification).
If you use nvm, run nvm use. If you use asdf, run asdf install.
Like all Duffel front-ends, this project uses yarn. If you don't already have it, install it globally with npm install --global yarn.
yarn dev
This will start a TypeScript watcher that regenerates index.js. The scaffold can then be run with node index.js, or by linking the package with yarn as described in the following section.
Scaffold the sample app by running
# Within the create-duffel-app folder
yarn build && yarn link
# grant permission
chmod +x .yarn/bin/create-duffel-app
# Then on the destination folder
yarn create duffel-app
This will create an app with two folders: client and server. Then to run the server:
# - If express option is selected
yarn start:dev
# - if flask option is selected
chmod +x ./bin/setup.sh && ./bin/setup.sh
flask run
After this, the server will be running at http://localhost:3001.
Then to run the client, open a separate terminal and run
yarn start
To publish the correct version to npm, this project currently follows the Angular conventional commit message guidelines, which are based on Conventional Commits. This commit message format is what allows the semantic-release GitHub Action to be triggered.
Before a commit is created, a husky hook runs and checks whether the commit message structure is valid. If you don't want to write the commit message by hand, you can run yarn commit, which uses commitizen to help you create the message.
Every time a commit is merged to main, a GitHub Action runs semantic-release to analyse the commit messages and automatically update the version to be deployed, following semantic versioning. When the deployment is complete, the action updates the package version, using Duffel's machine user (@duffel-bot) as the author, and this change is automatically approved by the GitHub Action via the autoapprove workflow (../.github/workflows/autoapprove.yml).
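As an added example (not part of create-duffel-app or its hooks), the script below shows the two checks the passage describes: whether a commit header has the Angular type(scope): subject shape the husky hook enforces, and which semver bump semantic-release would derive from it. It assumes the default Angular preset rules of semantic-release (feat: minor, fix/perf: patch, "!" or a BREAKING CHANGE footer: major); the sample messages are constructed.

```bash
#!/usr/bin/env bash
# Added example: mirrors a commitlint/husky check for Angular-style conventional
# commits and the default semantic-release (Angular preset) version-bump rules.
ANGULAR_TYPES="build ci docs feat fix perf refactor style test chore revert"

# check_commit_msg MSG -> 0 if the header is "type(scope)?!?: subject" with an
# allowed Angular type and a non-empty subject, else 1
check_commit_msg() {
  local header type
  header=$(printf '%s\n' "$1" | head -n 1)
  if ! printf '%s' "$header" | grep -Eq '^[a-z]+(\([a-z0-9./_-]+\))?!?: [^ ].*$'; then
    return 1
  fi
  type=${header%%[(:!]*}          # strip from the first "(", ":" or "!" onwards
  for t in $ANGULAR_TYPES; do
    [ "$t" = "$type" ] && return 0
  done
  return 1
}

# bump_for_commit MSG -> prints major|minor|patch|none (or "invalid" with status 1)
bump_for_commit() {
  local msg=$1 header type
  check_commit_msg "$msg" || { echo invalid; return 1; }
  header=$(printf '%s\n' "$msg" | head -n 1)
  type=${header%%[(:!]*}
  # A "!" before the colon or a "BREAKING CHANGE:" footer line means a major bump
  if printf '%s' "$header" | grep -Eq '^[a-z]+(\([^)]*\))?!:' \
     || printf '%s\n' "$msg" | grep -Eq '^BREAKING CHANGE:'; then
    echo major; return 0
  fi
  case $type in
    feat)     echo minor ;;
    fix|perf) echo patch ;;
    *)        echo none ;;   # docs, chore, ci, ... do not trigger a release
  esac
}

# Constructed sample commit messages
for m in 'feat(client): add seat selection' 'fix: handle empty offers response' \
         'docs: update README' 'Update stuff'; do
  printf '%-40s -> %s\n' "$m" "$(bump_for_commit "$m")"
done
```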
FAQs
Scaffolding a full-stack app with duffel SDK setup
We found that create-duffel-app demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.