Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
ddf-validation
Advanced tools
npm i ddf-validation -g
npm test
or npm run n-test
without eslint
validate-ddf <root> [options]
Commands:
root DDF Root directory
Options:
-i Generate index file
-j Fix wrong JSONs
--rules print information regarding supported rules
--indexless forget about ddf--index.csv and validate
--include-tags Process only issues by selected tags
--exclude-tags Process all tags except selected
--include-rules Process only issues by selected rules
--exclude-rules Process all rules except selected
--exclude-dirs Process all directories except selected
Examples:
validate-ddf ../ddf-example validate DDF datasets for the root
validate-ddf ../ddf-example -i generate ddf--index file
validate-ddf ../ddf-example -j fix JSONs for this DDF dataset
validate-ddf --rules print information regarding supported rules
validate-ddf ../ddf-example --indexless forget about ddf--index.csv and validate
validate-ddf ../ddf-example --include-rules "INCORRECT_JSON_FIELD" Validate only by INCORRECT_JSON_FIELD rule
validate-ddf ../ddf-example --exclude-tags "WARNING" Get all kinds of issues except warnings
First of all you should install this package: npm i ddf-validation
ddf-validation
can be used via an API in three different ways:
JSONValidator
)StreamValidator
)true
, otherwise - false
Some examples of API using:
Simple example
const api = require('ddf-validation');
const JSONValidator = api.JSONValidator;
const jsonValidator = new JSONValidator('path to ddf dataset');
jsonValidator.on('finish', (err, jsonIssuesContent) => {
console.log(err, jsonIssuesContent);
});
api.validate(jsonValidator);
This validator's type returns all issues as JSON object. And for this reason it's not suitable for huge DDF datasets.
const api = require('ddf-validation');
const StreamValidator = api.StreamValidator;
const streamValidator = new StreamValidator('path to ddf dataset');
streamValidator.on('issue', issue => {
// catch new issue here
});
streamValidator.on('finish', err => {
// validation is finished
});
api.validate(streamValidator);
StreamValidator returns each issue separately one by one.
It is good choice for huge DDF datasets.
StreamValidator
is the default validator.
According to the state of the dataset (valid or not) this validator returns only true or false with appropriate meaning. This is the fastest validator among given here.
const api = require('ddf-validation');
const SimpleValidator = api.SimpleValidator;
const simpleValidator = new SimpleValidator('./test/fixtures/good-folder-indexed');
simpleValidator.on('finish', (err, isDataSetCorrect) => {
// isDataSetCorrect === true if DDF dataset is correct
// isDataSetCorrect === true if DDF dataset is incorrect
});
api.validate(simpleValidator);
Also all validators supports validation parameters that corresponds with command line:
Here is an example:
const api = require('ddf-validation');
const expectedRule = 'INCORRECT_FILE';
const StreamValidator = api.StreamValidator;
const streamValidator = new StreamValidator(path, {includeRules: expectedRule});
streamValidator.on('issue', issue => {
// only one type of issue (INCORRECT_FILE) should be catched
});
streamValidator.on('finish', err => {
console.log('finished');
});
api.validate(streamValidator);
validate-ddf <folder with DDF data set> -i
Attention: existing ddf--index.csv
file will be overwritten!
npm run changelog
- generates content for CHANGELOG.md
file with changes that have happened since last releasenpm version
- this one is a bit more complicated. Let's start with what it needs in order to run.CONVENTIONAL_GITHUB_RELEASER_TOKEN
environment variable should be set up for this command:
Example: CONVENTIONAL_GITHUB_RELEASER_TOKEN=aaaaaaaaaabbbbbbbbbbccccccccccffffffffff npm version minor
this command understands following parameters:
major
(having initially version 0.0.0 by applying this option it will be changed to 1.0.0).
Example:
CONVENTIONAL_GITHUB_RELEASER_TOKEN=aaaaaaaaaabbbbbbbbbbccccccccccffffffffff npm version major
minor
(having initially version 0.0.0 by applying this option it will be changed to 0.1.0)
Example:
CONVENTIONAL_GITHUB_RELEASER_TOKEN=aaaaaaaaaabbbbbbbbbbccccccccccffffffffff npm version minor
patch
(having initially version 0.0.0 by applying this option it will be changed to 0.0.1)
Example:
CONVENTIONAL_GITHUB_RELEASER_TOKEN=aaaaaaaaaabbbbbbbbbbccccccccccffffffffff npm version patch
During the release process two files will be changed and pushed to github:
Note: aaaaaaaaaabbbbbbbbbbccccccccccffffffffff
- is the fake token. In order to generate proper one you need to do following: github tutorial
Important note: you should merge development
branch into master
and performing npm verison
on master
branch according to our gitflow
Even more important note: while generating token (using tutorial given above) you need to choose which permissions should be granted to it. For our release purposes you need to choose all permissions under the section repo
FAQs
DDF validion tool
We found that ddf-validation demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.