eslint-plugin-springload
Springload's ESLint shareable configurations, as a plugin.
We want shareable configs to have as little overhead as possible: users shouldn't have to know exactly which plugins a config requires, install them, and manage their versions by hand. This plugin exposes eslint-config-springload for reuse, with its plugins installed automatically.
See https://github.com/eslint/eslint/issues/3458 for further discussion of this topic. The approach is inspired by eslint-plugin-react-app.
Install the config and its dependencies:

```shell
npm install --save-dev eslint@3 eslint-plugin-springload
```

Configure ESLint to use this config. For example, in your package.json, this would be:

```json
"eslintConfig": {
  "extends": "plugin:springload/recommended"
},
```
Optionally, use the Prettier config:

```shell
npm install --save-dev eslint@3 eslint-plugin-springload prettier
```

```json
"eslintConfig": {
  "extends": "plugin:springload/prettier"
},
```

Then, to configure Prettier itself, create a prettier.config.js file in the root of your project with:

```js
// Use the Prettier config that comes with eslint-plugin-springload.
module.exports = require('eslint-plugin-springload/prettier.config');
```
For Springload projects, linting commands are defined in the package.json as npm scripts. Here are example commands leveraging the ESLint and Prettier configuration, to process code in a lib subfolder:

```json
"scripts": {
  "linter:js": "eslint",
  "formatter:js": "prettier --write",
  "lint": "npm run linter:js -s -- lib",
  "format": "npm run formatter:js -s -- lib/**/*.js"
}
```

Those commands can then be run manually.
The above commands are meant to be usable on arbitrary lists of files. Here is an example pre-commit script that leverages them to re-format and lint JS when committing:

```bash
#!/usr/bin/env bash
# Pre-commit hook: re-format fully staged JS files, then lint every staged JS file.
# A failing lint run makes the hook exit non-zero, which aborts the commit.
set -e

# Only keep staged files that are added (A), copied (C) or modified (M).
STAGED=$(git --no-pager diff --name-only --cached --diff-filter=ACM)
# Files which are only partly staged (e.g. git add --patch): they still have unstaged changes.
PATCH_STAGED=$(git --no-pager diff --name-only --diff-filter=ACM -- $STAGED)
# Files which are fully staged (comm needs sorted input).
FULLY_STAGED=$(comm -23 <(echo "$STAGED" | sort) <(echo "$PATCH_STAGED" | sort))

JS_STAGED=$(grep '\.js$' <<< "$STAGED" || true)
JS_FULLY_STAGED=$(grep '\.js$' <<< "$FULLY_STAGED" || true)
# Collected for completeness; not used by the steps below.
SNAPSHOT_STAGED=$(grep '\.snap$' <<< "$STAGED" || true)

if [ -n "$JS_FULLY_STAGED" ];
then
  # Format and re-stage fully staged files only, so partial stagings are never
  # silently widened by the formatter.
  npm run formatter:js -s -- $JS_FULLY_STAGED
  git add $JS_FULLY_STAGED
fi

if [ -n "$JS_STAGED" ];
then
  npm run linter:js -s -- $JS_STAGED
fi
```
This is a drop-in configuration for Springload projects. Should further customisation be required, rules coming from external plugins require the springload prefix:

```diff
{
  "extends": "plugin:springload/recommended",
  "rules": {
-   "react/react-in-jsx-scope": ["warn"],
+   "springload/react/react-in-jsx-scope": ["warn"],
-   "import/prefer-default-export": ["warn"],
+   "springload/import/prefer-default-export": ["warn"]
  }
}
```
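The prefix requirement above, and the "plugins installed automatically" approach described at the top, both follow from how a wrapper plugin re-exports bundled plugins' rules under its own name. The following is an added illustration, not the project's code: `bundledPlugins` and `baseConfig` are constructed stand-ins for eslint-plugin-react, eslint-plugin-import and eslint-config-springload, and `namespaceRules`/`wrapConfig` are hypothetical helpers.

```javascript
// Constructed stand-ins: a no-op rule, two "bundled" plugins and a base shareable config.
const noopRule = { meta: { docs: {} }, create: () => ({}) };
const bundledPlugins = {
  react: { rules: { 'react-in-jsx-scope': noopRule } },
  import: { rules: { 'prefer-default-export': noopRule } },
};
const baseConfig = {
  plugins: ['react', 'import'],
  rules: {
    'react/react-in-jsx-scope': 'error',
    'import/prefer-default-export': 'warn',
    'no-console': 'warn', // ESLint core rule: no plugin, so it never gets a prefix
  },
};

// Expose every bundled rule as "<plugin>/<rule>". ESLint prepends the wrapper plugin's
// own name when it loads them, which yields ids like "springload/react/react-in-jsx-scope".
function namespaceRules(plugins) {
  const rules = {};
  for (const [name, plugin] of Object.entries(plugins)) {
    for (const [ruleId, rule] of Object.entries(plugin.rules)) {
      rules[`${name}/${ruleId}`] = rule;
    }
  }
  return rules;
}

// Rewrite a shareable config so consumers load only the wrapper plugin: rules owned by a
// bundled plugin are re-addressed through the prefix, core rules stay as they are.
function wrapConfig(config, plugins, prefix) {
  const rules = {};
  for (const [ruleId, setting] of Object.entries(config.rules)) {
    const pluginName = ruleId.includes('/') ? ruleId.split('/')[0] : null;
    const owned = pluginName !== null && Object.prototype.hasOwnProperty.call(plugins, pluginName);
    rules[owned ? `${prefix}/${ruleId}` : ruleId] = setting;
  }
  return { ...config, plugins: [prefix], rules };
}

// What a wrapper plugin such as eslint-plugin-springload would export.
const plugin = {
  rules: namespaceRules(bundledPlugins),
  configs: { recommended: wrapConfig(baseConfig, bundledPlugins, 'springload') },
};
if (typeof module !== 'undefined') module.exports = plugin;
```

Because the wrapped config only lists the wrapper in `plugins`, a consumer who writes the unprefixed `react/...` id gets an "unknown rule" error rather than a silently ignored rule, which is the behaviour the diff above works around.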
```shell
git clone git@github.com:springload/eslint-plugin-springload.git
cd eslint-plugin-springload
nvm install
# Then, install all project dependencies.
npm install
# Install the git hooks.
./.githooks/deploy
# Runs linting.
npm run lint
# Runs tests.
npm run test
```
This project follows Semantic Versioning as well as ESLint's Semantic Versioning Policy.
```shell
# 1. Make a new branch for the release of the new version.
#    (`git chore` is assumed to be a local git alias for creating a chore branch;
#    `git checkout -b release-vx.y.z` is the plain equivalent.)
git chore release-vx.y.z
# 2. Update the version in package.json.
# 3. Use irish-pub to check the package content. Install it first with `npm install -g irish-pub`.
irish-pub
# 4. Update the [CHANGELOG](CHANGELOG.md) for the upcoming release.
# 5. Create a PR and merge it.
# 6. On master, publish the package.
npm publish
# 7. Finally, go to GitHub and create a release and a tag for the new version.
```
The npm package eslint-plugin-springload receives a total of 4 weekly downloads; its popularity is therefore classified as not popular.
Its version release cadence and project activity are classified as unhealthy because the last version was released a year ago. It has 6 open source maintainers collaborating on the project.