This library houses 3 popularity estimating algorithms employed by bigger news sites to sort for best content:
- wilsonScore - Reddit's best comment scoring system
- redditHot - Reddit's hot post scoring system for news posts
- hackerHot - Hackernews' scoring system
Algorithms may cause scores to decay based on distance to post time.
Algorithms that are designed to decay with time need continual recomputation of scores. One way to do so is to keep track of a set of suitable candidates and periodically recompute their score(s) in a node process:
var decay = require('decay')
  , hotScore = decay.redditHot();

setInterval(function () {
  var candidates = []; // perhaps get recent posts saved in db here
  candidates.forEach(function (c) {
    c.score = hotScore(c.upVotes, c.dnVotes, c.date);
    // save so that next GET /entry/ gets an updated ordering
    save(c); // application-supplied persistence, not part of decay
  });
}, 1000 * 60 * 5); // run every 5 minutes, say
Algorithms that produce a time-agnostic popularity score are typically good for comments. For best results, simply recompute the score at every new vote:
var decay = require('decay')
  , wilsonScore = decay.wilsonScore();

// assume req.entry is the item being voted on (loaded by middleWare)
app.post('/entry/upvote', middleWare, function (req, res) {
  // call wilsonScore with ups, downs, post_date to recompute
  req.entry.score = wilsonScore(req.entry.upVotes + 1, req.entry.dnVotes, req.entry.postDate);
  // save new score in database so that new pageviews sort
  save(req.entry); // application-supplied persistence, not part of decay
});
Decay exports 3 scoring function factories.
Two of these algorithms decay with time, and the other is based purely on statistical popularity.
// 1. zero decay
var wilsonScore = decay.wilsonScore(zScore);
var score = wilsonScore(upVotes, downVotes);
// 2. decays
var redditHotScore = decay.redditHot(halflife);
var score = redditHotScore(upVotes, downVotes, date);
// 3. decays
var hackerHotScore = decay.hackerHot(gravity);
var score = hackerHotScore(upVotes, date);
wilsonScore
AKA Reddit's Best comment sorting system.
Statistically, it is the lower bound of the Wilson Score interval at the confidence level implied by the supplied Z score.
The optional zScore parameter can be passed to the exported wilsonScore factory.
The Z score is a statistical value that roughly means how many standard deviations of safety you want, so it maps directly onto the confidence level of the Wilson Score interval.
It defaults to z=1.96 if left out, representing a 95% confidence level in the lower bound. Otherwise, values from 1.0 (69%) to 3.3 (99.9%) are good alternatives.
redditHot
Based on the difference between ups/downs, and decays with time. Causes hive mind effects in large crowds.
An optional halflife parameter can be passed to the exported redditHot factory.
The half-life defaults to 45000 [s]. For info on the effects of this parameter, read the original blog post about it. See also the canonical reddit source version.
hackerHot
Based simply on the amount of upvotes, and decays with time. Prone to advertising abuse.
An optional gravity parameter (defaulting to 1.8) can be passed to the exported hackerHot factory. For info on the effects of this parameter, read the original blog post about it.
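As an added example, not code from the decay package, here is a stand-alone JavaScript re-implementation of the three published formulas with the defaults documented above (z = 1.96, halflife = 45000 s, gravity = 1.8); it shows how the Wilson lower bound stays conservative for an item with only a handful of votes, where a raw up/(up+down) ratio would already read 1.0. The `now` argument on the hackerHot closure and the `compareRatioAndWilson` helper are my additions for reproducibility; exact constants and edge-case handling may differ from what decay ships.

```javascript
// Added example (not the decay package's source): the three scoring
// formulas from the blog posts the README cites, with the README's
// documented defaults (z = 1.96, halflife = 45000 s, gravity = 1.8).

// 1. Lower bound of the Wilson score interval at confidence z (zero decay).
function wilsonScore(z) {
  z = z === undefined ? 1.96 : z;
  return function (ups, downs) {
    var n = ups + downs;
    if (n === 0) return 0;                 // no votes: no evidence, score 0
    var p = ups / n, z2 = z * z;
    var centre = p + z2 / (2 * n);
    var spread = z * Math.sqrt((p * (1 - p) + z2 / (4 * n)) / n);
    return (centre - spread) / (1 + z2 / n);
  };
}

// 2. Reddit "hot": log10 of the net vote count plus a linear age term.
//    A post needs 10x the net votes to tie one posted `halflife` seconds later.
function redditHot(halflife) {
  halflife = halflife === undefined ? 45000 : halflife;
  var epoch = 1134028003;                // reddit's reference instant (2005-12-08 UTC)
  return function (ups, downs, date) {
    var s = ups - downs;
    var order = Math.log10(Math.max(Math.abs(s), 1));
    var sign = s > 0 ? 1 : s < 0 ? -1 : 0;
    return sign * order + (date.getTime() / 1000 - epoch) / halflife;
  };
}

// 3. Hacker News ranking: (upvotes - 1) divided by a power of the age in hours.
//    `now` (ms since epoch) is an extra argument here so results are reproducible.
function hackerHot(gravity) {
  gravity = gravity === undefined ? 1.8 : gravity;
  return function (ups, date, now) {
    var hours = ((now === undefined ? Date.now() : now) - date.getTime()) / 3600000;
    return (ups - 1) / Math.pow(hours + 2, gravity);
  };
}

// Constructed comparison: what a naive ratio vs. the Wilson lower bound
// says about an item with the given (small) vote counts.
function compareRatioAndWilson(ups, downs) {
  var score = wilsonScore();
  return { ratio: ups / (ups + downs), wilson: score(ups, downs) };
}
```

A single upvote on a fresh item gives ratio 1.0 but a Wilson lower bound of about 0.21, so it does not jump above well-established comments.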
$ npm install decay
MIT-Licensed. See LICENSE file for details.