Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Simple git hooks
npm install ghooks --save-dev
It is not advised to install ghooks
as a production dependency, as it will install git hooks in your production environment as well. Please install it under the devDependencies
section of your package.json
.
Please also note, that it is absolutely not advised to install ghooks
globally. To work as expected, make it a development dependency of your project(s).
Add a config.ghooks
entry in your package.json
and simply specify which git hooks you want and their corresponding commands, like the following:
{
…
"config": {
"ghooks": {
"pre-commit": "gulp lint",
"commit-msg": "validate-commit-msg",
"pre-push": "make test",
"post-merge": "npm install",
"post-rewrite": "npm install",
…
}
}
…
}
Note: The hooks' working directory is relative to the git root (where you have your .git
directory). This means that if your package.json is in a subdirectory of your git repo, you'll need to cd into the directory before running any npm scripts. E.g.:
"pre-commit": "cd path/to/folder && npm run test"
One of the last things you want is to raise the barrier to contributing to your open source project. So Andreas Windt developed the opt-cli package to allow you to turn your hooks into opt-in/out scripts. See this project's package.json
for an example of how to do that.
This module is heavily inspired by @nlf's precommit-hook
Huge thanks to everyone listed here!
This software is licensed under the MIT license
FAQs
Simple git hooks
We found that ghooks demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.