
cvx is a small library to help you create your own distributed command-line interfaces!
Distributed means that none of the commands are in a central place, instead
they are executed directly from the npm registry, using a little tool called npx.
This means that your commands are always extendable, and Very Fast.
For example, it is extremely easy to build a tool similar to Yeoman. You'd use it like this:
yo my-template
Using cvx, you would just need to publish an npm package called generator-my-template
that exposes a binary of the same name, and that would be it! No more setup would
be required.
You need Node.js 7.6 or higher.
npm install cvx
Let's quickly implement the Yeoman example from above:
const cvx = require('cvx')

// this is our main function!
// it's an async function because it implicitly returns a promise. don't
// think too much about it, it's not important right now
cvx(async cmd => {
  // cmd is our 'command object'. it's basically a way to keep state,
  // such as config and hooks
  // let's give it a prefix and our command-line arguments:
  cmd.config({
    prefix: 'generator-',
    args: process.argv
  })
  // that's it! now we return the cmd object
  return cmd
})
Now, if you run:
node example.js my-template
# or, had we set it up as an executable:
./example.js my-template
This will automatically download and execute generator-my-template from npm.
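Because the package name is built from the prefix plus whatever the user typed, and is then downloaded and executed, a wrapper may want to check that name before anything runs. The following is an added example, not part of cvx or its README: `resolveSpec`, `ALLOWED` and the listed packages and versions are hypothetical, and it assumes the sub-command is `argv[2]`, as in the invocation above.

```javascript
'use strict'

// Constructed allowlist: resolved package name -> exact version to run.
// The names and versions are placeholders, not real recommendations.
const ALLOWED = new Map([
  ['generator-my-template', '1.0.0'],
  ['generator-docs', '2.3.1']
])

// Unscoped npm package name: lowercase, URL-safe, no leading '.' or '_'.
// '@', '/', ':' and whitespace are rejected, so version ranges, scopes,
// local paths and git/http specs cannot be smuggled in through the argument.
const NAME_RE = /^[a-z0-9][a-z0-9._-]*$/

// Assumption: the sub-command is argv[2] (`node example.js my-template`).
// Returns a pinned `name@version` spec, or throws.
function resolveSpec (prefix, argv, allowed = ALLOWED) {
  const sub = argv[2]
  if (typeof sub !== 'string' || sub.length === 0) {
    throw new Error('no sub-command given')
  }
  if (sub.startsWith('-')) {
    // With a prefix in front, '--flag' would otherwise pass as a name.
    throw new Error('sub-command looks like an option: ' + sub)
  }
  const name = prefix + sub
  if (name.length > 214 || !NAME_RE.test(name)) {
    throw new Error('not a plain package name: ' + JSON.stringify(name))
  }
  const version = allowed.get(name)
  if (version === undefined) {
    throw new Error('package not on allowlist: ' + name)
  }
  // Exact version, so the same command resolves to the same code every run.
  return name + '@' + version
}
```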
Constructs a command. This function takes another function that basically 'describes' how the whole thing behaves when it's executed. It looks a bit like this:
cvx(async cmd => {
  // your definition here
  return cmd
})
The inner function takes a cmd parameter. This object basically keeps all of
the state. The function needs to return cmd, wrapped in a promise. Thankfully,
this is made easy by just prefixing the function with async, which automatically
makes it return a promise.
Configures the command. If conf is blank, uses the default config:
Registers a hook to run before the main command is run. The inner function takes
the current cmd state as a parameter, and can modify it. Needs to return cmd.
Like cmd.pre, but runs after command execution.
This repository operates under the weallbehave Code of Conduct. Its contents can be found in CODE_OF_CONDUCT.md.
MIT (see LICENSE document)
FAQs
distributed command facilitator
We found that cvx demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.