Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
A small module designed to convert relative asset URL's in CSS files into absolute URL's for deployment to a combo handled CDN (yui.yahooapis.com).
When you request a CSS file from a server with a ComboHandler on it, relative CSS assets are broken by default.
If your CSS looks like this:
.foo {
background-image: url( foo.png );
}
Located in a file with this path: foo/bar/baz/main.css
Loaded from a ComboHandler like this: /combo?foo/bar/baz/main.css
Your Image will resolve to: /combo/foo.png
When it should resolve to: /foo/bar/baz/foo.png
That's what this module does!
npm install cssproc
As a file (from examples/file/
):
var cssproc = require('../../lib'),
path = require('path'),
fs = require('fs');
var file = path.join(__dirname, 'a1/f1/f2/test.css');
fs.readFile(file, 'utf8', function(err, data) {
cssproc.parse({
root: __dirname,
path: file,
base: 'http://yui.yahooapis.com/gallery-123456/'
}, data, function(err, str) {
console.log(str);
});
});
It could also be used inside of a combo handler
The value of base
could be:
http://foobar.com/path/to
where protocol will be forced to HTTPhttps://foobar.com/path/to
where protocol will be forced to SSL//foobar.com/path/to
which is protocol agnostic where it uses the protocol for the css file that contains the images./path/to
for absolute paths where it uses the domain and protocol from the css file that contains the images.['server1.com/path/to', 'server2.com/path/to', etc]
an array of hosts to loop through and alternate in the file.FAQs
CSS URL processor
The npm package cssproc receives a total of 13,842 weekly downloads. As such, cssproc popularity was classified as popular.
We found that cssproc demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.