Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
example-lifi-types
Advanced tools
This is an example TypeScript Package ready to be published on npm. It has been set up with automated tests and package publishing workflow using GitHub Actions CI/CD. It is made primarily for GitHub + VS Code (Windows / Mac / Linux) users who are about to write and publish their first TypeScript npm package. This package could serve as a starter / boilerplate / demo for them.
It uses npm, TypeScript compiler, Jest, webpack, ESLint, Prettier, husky, pinst, commitlint. The production files include CommonJS, ES Modules, UMD version and TypeScript declaration files.
(Click the above button to use this example package as a template for your new GitHub repo, this will initialize a new repository and my commits will not be in your git history)
(If you do not use GitHub, you can download the archive of the example package)
You need to have Node.js installed. Node includes npm as its default package manager.
Open the whole package folder with a good code editor, preferably Visual Studio Code. Consider installing VS Code extensions ES Lint and Prettier.
In the VS Code top menu: Terminal -> New Terminal
Install dependencies with npm:
npm i
Make necessary changes in package.json (name, version, description, keywords, author, homepage and other URLs).
Write your code in src folder, and unit test in test folder, replacing the original files there.
The VS Code shortcuts for formatting of a code file are: Shift + Alt + F (Windows); Shift + Option (Alt) + F (MacOS); Ctrl + Shift + I (Linux).
Change code linting and formatting settings in .prettierrc.js if you want.
Test your code with Jest framework:
npm run test
Note: Example TypeScript Package uses husky, pinst and commitlint to automatically execute test and lint commit message before every commit.
Build production (distribution) files in your dist folder:
npm run build
It generates CommonJS (in dist/cjs folder), ES Modules (in dist/esm folder), bundled and minified UMD (in dist/umd folder), as well as TypeScript declaration files (in dist/types folder).
Run:
npm link
npm link will create a symlink in the global folder, which may be {prefix}/lib/node_modules/example-typescript-package or C:\Users<username>\AppData\Roaming\npm\node_modules\example-typescript-package.
Create an empty folder elsewhere, you don't even need to npm init
(to generate package.json). Open the folder with VS Code, open a terminal and just run:
npm link example-typescript-package
This will create a symbolic link from globally-installed example-typescript-package to node_modules/ of the current folder.
You can then create a, for example, testnum.ts file with the content:
import { Num } from 'example-typescript-package'
console.log(new Num(5).add(new Num(6)).val() === 11)
If you don't see any linting errors in VS Code, if you put your mouse cursor over Num
and see its type, then it's all good.
Whenever you want to uninstall the globally-installed example-typescript-package and remove the symlink in the global folder, run:
npm uninstall example-typescript-package -g
Create an npm account.
Log in:
npm adduser
And publish:
npm publish
This package is configured to use GitHub Actions CI/CD to automate both the npm and GitHub Packages publishing process. The following are what you have to do.
Follow npm's official instruction to create an npm token. Choose "Publish" from the website, or use npm token create
without argument with the CLI.
If you use 2FA, then make sure it's enabled for authorization only instead of authorization and publishing (Edit Profile -> Modify 2FA).
On the page of your newly created or existing GitHub repo, click Settings -> Secrets -> New repository secret, the Name should be NPM_TOKEN
and the Value should be your npm token.
The default configuration of this example package assumes you publish package with an unscoped name to npm. GitHub Packages must be named with a scope name such as "@tomchen/example-typescript-package".
Change scope: '@tomchen'
to your own scope in .github/workflows/test.yml, also change addscope
in package.json.
If you publish package with a scoped name to npm, change the name to something like "@tomchen/example-typescript-package" in package.json, and remove the - run: npm run addscope
line in .github/workflows/test.yml
If you publish your package to npm only, and don't want to publish to GitHub Packages, then delete the lines from - name: Setup .npmrc file to publish to GitHub Packages
to the end of the file in .github/workflows/test.yml.
(You might have noticed secret.GITHUB_TOKEN
in .github/workflows/test.yml. You don't need to set up a secret named GITHUB_TOKEN
actually, it is automatically created)
Now everything is set. The example package has automated tests and upload (publishing) already set up with GitHub Actions:
git push
or a pull request is submitted on your master
or main
branch, the package is automatically tested against the desired OS and Node.js versions with GitHub Actions.npm version
/ yarn version
is useful to create tags."postversion": "git push --follow-tags"
to package.json file to push it automatically after npm
or yarn
version
.yarn version
doesn't check whether there are uncommitted changes, you can add "preversion": "git diff-index --quiet HEAD --"
to package.json
preversion
, postversion
doesn't work in yarn v2For npm registry: you can unpublish a version or the whole package but can never re-publish the same version under the same name.
If you want to modify the description / README on the npm package page, you have to publish a new version. You can modify the description on GitHub Packages without publishing.
scripts
in the file package.json)
scripts
in package.json for other predefined script commandsBtw, if you want to publish Python package, go to Example PyPI (Python Package Index) Package & Tutorial / Instruction / Workflow for 2021.
FAQs
Types for lifi projects
We found that example-lifi-types demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.