Gestalt is Pinterest’s design system. Our system includes a React component library with comprehensive guidelines, best practices, tools, and resources to support designers and engineers delivering a high-quality product.
Visit the official Gestalt Documentation
The package can be installed via npm:
npm i gestalt --save
npm i gestalt-charts --save
npm i gestalt-datepicker --save
Or via yarn:
yarn add gestalt
yarn add gestalt-charts
yarn add gestalt-datepicker
Gestalt exports each component as ES6 modules and a single, precompiled CSS file:
import { Text } from 'gestalt';
import 'gestalt/dist/gestalt.css';
import 'gestalt/dist/gestalt-datepicker.css';
That syntax is Webpack specific (and will work with Create React App), but you can use Gestalt anywhere that supports ES6 module bundling and global CSS.
Gestalt is a multi-project monorepo. The docs and components are all organized as separate packages that share similar tooling.
Install project dependencies and run tests:
yarn
yarn test
Build and watch Gestalt & run the docs server:
yarn start
Visit http://localhost:8888/ and click on a component to view the docs.
When a release will cause breaking changes — in usage or in typing — we provide a codemod to ease the upgrade process. Codemods are organized by release in /packages/gestalt-codemods.
Clone the Gestalt repo locally if you haven't already. Run the relevant codemod(s) in the relevant directory of your repo (not the Gestalt repo): anywhere the component to be updated is used. Example usage for a codebase using TypeScript:
yarn codemod --parser=tsx -t={relative/path/to/codemod} relative/path/to/your/code.tsx
For a dry run to see what the changes will be, add the -d (dry run) and -p (print output) flags (pipe stdout to a file for easier inspection if you like).
Every commit to master performs a release. As a reviewer, ensure the correct label is attached to every PR. Please follow semantic versioning.
patch release: documentation updates / spelling mistakes in code / internal scripts
minor release: add component / add component props / API change with codemod
major release: backwards incompatible API change without codemod
Example PR title: Avatar: Add outline prop
Gestalt officially supports and maintains TypeScript declaration files.
Gestalt is Pinterest's open-sourced design system. However, Gestalt's web component library is almost exclusively developed by a 5-engineer team within Pinterest, and our primary customers are Pinterest engineers who use Gestalt. The team’s priority is the needs of our internal Pinterest customers.
We do not have resources to work on features or issues requested only by external developers. We also handle a very large number of internal support requests, so we do not have the resources to respond to external GitHub issues.
Pinterest is staying open source, as it's a great resource for the design and engineering community, but we don't provide support to external developers. If you need to get in touch, send us an email.
Take a look at our FAQ section if you run into any development problems.
FAQs
A set of React UI components which enforce Pinterest's design language
We found that gestalt demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.