Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
fbp-manifest
This repository provides a schema for Flow-Based Programming manifest (fbp.json) files, as well as tools for populating and validating them. The purpose of FBP manifest files is to provide a platform-agnostic registry of flow-based components available in a project.
Manifest files can be used by the FBP runtimes themselves for component loading, and are also useful for development tools like Flowhub or DrawFBP.
Used in production with NoFlo, both for Node.js and for producing browser builds.
- fbp-manifest-list: Discover available components and list them
- fbp-manifest-deps: Produce a manifest consisting only of dependencies of a given component
- fbp-manifest-stats: Show component reuse statistics for a project
- fbp-manifest-validate: Validate a FBP manifest file against the schema
FBP Manifest has been designed to have a plugin architecture where the developers of different flow-based runtimes can add support for their system. See src/runtimes for how to do this. Runtimes can of course also just implement fbp.json generation and consumption on their own, and merely utilize the JSON schemas from this project to validate their structure.
Currently supported FBP runtimes are:
FBP manifests consist of the following information:
- version: version of the manifest specification, currently 1
- modules: array of module definitions
- main: (optional) main component definition for running the project
The modules are objects with the following:
- name: name of the module
- runtime: runtime the module is for, for example noflo-nodejs
- base: base directory path of the module, relative to project root
- components: array of components contained in the module
- description: (optional) human-readable description for the module
- icon: (optional) default icon for components of the module, following Font Awesome naming conventions
Modules supporting multiple runtimes can appear multiple times in a manifest, once per each supported runtime. For example a NoFlo module that has some common components, and specific components for Node.js and browsers may have three entries with specific runtimes: noflo, noflo-nodejs, and noflo-browser. A manifest can contain modules for an arbitrary number of different runtimes.
Components are objects with the following:
- name: name of the component
- path: path used for executing the component. For example a Node.js require path or Java class path
- exec: command used for starting an instance of the component for components that are standalone processes
- elementary: boolean on whether the component is elementary (code) or not (graph)
- source: (optional) path to the source code of the component, in case it differs from the component path
- tests: (optional) path to the test suite of the component, typically pointing to a fbp-spec file
- inports: (optional) array of inport definitions for the component
- outports: (optional) array of outport definitions for the component
Each component needs to provide at minimum the information the runtime needs to run it. Additionally it can provide metadata usable for flow-based programming tools like a ports listing. Either path or exec needs to be provided.
The full manifest structure can be found in the schema. Manifest files can be validated against the JSON schema or with the fbp-manifest-validate tool.
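Because a runtime loads code from path and starts processes from exec, a manifest deserves a check before it is trusted. The following is an added example, not fbp-manifest's own validator or schema: it assumes that fields not marked "(optional)" above are required and that base, path, source and tests are filesystem paths; checkManifest, escapesRoot and the sample manifest are hypothetical names and data.

```javascript
// Added example: pre-load checks for an fbp.json manifest (not the project's code).
// Assumption: module fields the README does not mark "(optional)" are required.
const MODULE_REQUIRED = ['name', 'runtime', 'base', 'components'];

// True when base/rel is absolute or climbs above the project root via "..".
function escapesRoot(base, rel) {
  if (/^([\\/]|[A-Za-z]:)/.test(base) || /^([\\/]|[A-Za-z]:)/.test(rel)) return true;
  let depth = 0;
  for (const seg of `${base}/${rel}`.split(/[\\/]+/)) {
    if (seg === '..') { if (--depth < 0) return true; }
    else if (seg !== '' && seg !== '.') depth += 1;
  }
  return false;
}

function checkManifest(manifest) {
  const findings = [];
  if (manifest.version !== 1) findings.push('version: expected 1');
  if (!Array.isArray(manifest.modules)) return findings.concat('modules: expected an array');
  for (const mod of manifest.modules) {
    const missing = MODULE_REQUIRED.filter((k) => mod[k] === undefined);
    if (missing.length) { findings.push(`${mod.name}: missing ${missing.join(', ')}`); continue; }
    if (escapesRoot('', mod.base)) findings.push(`${mod.name}: base leaves project root`);
    for (const c of mod.components) {
      const id = `${mod.name}/${c.name}`;
      if (typeof c.name !== 'string') findings.push(`${mod.name}: component without name`);
      // The README requires at least one of path or exec.
      if (c.path === undefined && c.exec === undefined) findings.push(`${id}: needs path or exec`);
      for (const key of ['path', 'source', 'tests']) {
        if (typeof c[key] === 'string' && escapesRoot(mod.base, c[key])) {
          findings.push(`${id}: ${key} leaves project root`);
        }
      }
      // exec starts a standalone process, so surface it for human review.
      if (c.exec !== undefined) findings.push(`${id}: exec entry, review command`);
    }
  }
  return findings;
}

// Constructed sample manifest (not taken from a real project).
const sample = { version: 1, modules: [{ name: 'demo', runtime: 'noflo-nodejs', base: '', components: [
  { name: 'Merge', path: 'components/Merge.js', source: 'components/Merge.coffee', elementary: true },
  { name: 'Orphan', elementary: true },
  { name: 'Outside', path: '../../other/Thing.js', elementary: true },
  { name: 'Worker', exec: 'python worker.py', elementary: true },
] }] };
console.log(checkManifest(sample));
```

A check like this complements schema validation with fbp-manifest-validate: the schema covers structure, while the path and exec findings are a review aid for manifests that arrive with third-party modules.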
It is possible to extend the manifest files with custom runtime-specific information. To do this, place the custom values under a key named after the runtime they're for. So, for example NoFlo's custom information about a component would go under a noflo key:
{
  "name": "Merge",
  "path": "components/Merge.js",
  "source": "components/Merge.coffee",
  "elementary": true,
  "noflo": {
    "async": false
  }
}
tests for each module
FAQs
Flow-Based Programming Manifest tools
The npm package fbp-manifest receives a total of 285 weekly downloads. As such, fbp-manifest popularity was classified as not popular.
We found that fbp-manifest demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.