Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
🤖 GitLab API NodeJS library with full support of all the Gitlab API services.
# Install from npm
npm install gitlab
The API's that are currently supported are:
// General
ApplicationSettings
BroadcastMessages
Events
FeatureFlags
GeoNodes
GitignoreTemplates
GitLabCIYMLTemplates
Keys
Licence
LicenceTemplates
Lint
Namespaces
NotificationSettings
PagesDomains
Search
SidekiqMetrics
Snippets
SystemHooks
Version
Wikis
// Groups
Groups
GroupAccessRequests
GroupBadges
GroupCustomAttributes
GroupIssueBoards
GroupMembers
GroupMilestones
GroupProjects
GroupVariables
Epics
EpicIssues
EpicNotes
EpicDiscussions
// Projects
Branches
Commits
Deployments
DeployKeys
Environments
Issues
IssueNotes
IssueDiscussions
IssueAwardEmojis
Jobs
Labels
MergeRequests
MergeRequestAwardEmojis
MergeRequestNotes
Pipelines
PipelineSchedules
PipelineScheduleVariables
Projects
ProjectAccessRequests
ProjectBadges
ProjectCustomAttributes
ProjectImportExport
ProjectIssueBoards
ProjectHooks
ProjectMembers
ProjectMilestones
ProjectSnippets
ProjectSnippetNotes
ProjectSnippetDiscussions
ProjectSnippetAwardEmojis
ProtectedBranches
ProtectedTags
ProjectVariables
Repositories
RepositoryFiles
Runners
Services
Tags
Todos
Triggers
// Users
Users
UserEmails
UserImpersonationTokens
UserKeys
UserGPGKeys
URL to your GitLab instance should not include /api/v4
path.
Instantiate the library using a basic token created in your Gitlab Profile
// ES6 (>=node 8.0.0)
import Gitlab from 'gitlab';
// ES5, assuming Promise and Object.assign are available
const Gitlab = require('gitlab/dist/es5').default
// Instantiating
const api = new Gitlab({
url: 'http://example.com', // Defaults to https://gitlab.com
token: 'abcdefghij123456' // Can be created in your profile.
})
// Or, use a OAuth token instead!
const api = new Gitlab({
url: 'http://example.com', // Defaults to https://gitlab.com
oauthToken: 'abcdefghij123456'
})
// You can also use a CI job token:
const api = new Gitlab({
url: 'http://example.com', // Defaults to https://gitlab.com
jobToken: process.env.CI_JOB_TOKEN
})
Sometimes you don't want to import and instantiate the whole Gitlab API, perhaps you only want access to the Projects API. To do this, one only needs to import and instantiate this specific API:
import { Projects } from 'gitlab';
const service = new Projects({
url: 'http://example.com', // Defaults to https://gitlab.com
token: 'abcdefghij123456' // Can be created in your profile.
})
It can be annoying to have to import all the API's pertaining to a specific resource. For example, the Projects resource is composed of many API's, Projects, Issues, Labels, MergeRequests, etc. For convenience, there is a Bundle export for importing and instantiating all these related API's at once.
import { ProjectsBundle } from 'gitlab';
const services = new ProjectsBundle({
url: 'http://example.com', // Defaults to https://gitlab.com
token: 'abcdefghij123456' // Can be created in your profile.
})
services.Projects.all()
services.MergeRequests.all()
etc..
Currently there are three Bundles:
Branches
Commits
CommitDiscussions
Deployments
DeployKeys
Environments
Issues
IssueNotes
IssueDiscussions
IssueAwardEmojis
Jobs
Labels
MergeRequests
MergeRequestAwardEmojis
MergeRequestDiscussions
MergeRequestNotes
Pipelines
PipelineSchedules
PipelineScheduleVariables
Projects
ProjectAccessRequests
ProjectBadges
ProjectCustomAttributes
ProjectImportExport
ProjectIssueBoards
ProjectHooks
ProjectMembers
ProjectMilestones
ProjectSnippets
ProjectSnippetNotes
ProjectSnippetDiscussions
ProjectSnippetAwardEmojis
ProtectedBranches
ProtectedTags
ProjectVariables
Repositories
RepositoryFiles
Runners
Services
Tags
Todos
Triggers
Users,
UserCustomAttributes,
UserEmails,
UserImpersonationTokens,
UserKeys,
UserGPGKeys
Groups
GroupAccessRequests
GroupBadges
GroupCustomAttributes
GroupIssueBoards
GroupMembers
GroupMilestones
GroupProjects
GroupVariables
Epics
EpicIssues
EpicNotes
EpicDiscussions
If your Gitlab server is running via HTTPS, the proper way to pass in your certificates is via a NODE_EXTRA_CA_CERTS
environment key, like this:
"scripts": {
"start": "NODE_EXTRA_CA_CERTS=./secrets/3ShapeCA.pem node bot.js"
},
Although we don't encourage it, if you absolutely must allow insecure certificates, you can instantiate the API with rejectAuthorized
set to false
like this:
const api = new Gitlab({
url: '...',
token: '...',
rejectUnauthorized: false
})
NOTE: Using
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'
will not work with thegitlab
library. TherejectUnauthorized
key is the only way to allow insecure certificates to be bypassed.
This package uses the Request library by default, which is built into Node. However, if your code is running in a browser, you can get better built-in resolution of proxies and self-signed certificates by using the browser's XMLHttpRequest implementation instead:
import Gitlab from 'gitlab';
const api = new Gitlab({
url: 'http://example.com', // Defaults to https://gitlab.com
token: 'abcdefghij123456', // Can be created in your profile.
useXMLHttpRequest: true // Use the browser's XMLHttpRequest instead of Node's Request library
})
WARNING: Currently this option does not support the multipart/form-data
content type, and therefore the endpoint for uploading a file to a project will not work correctly. All other endpoints should work exactly as expected.
Once you have your library instantiated, you can utilize many of the API's functionality:
Using the await/async method
import Gitlab from 'gitlab';
const api = new Gitlab({
url: 'http://example.com', // Defaults to https://gitlab.com
token: 'abcdefghij123456' // Can be created in your profile.
});
// Listing users
let users = await api.Users.all();
// Or using Promise-Then notation
api.Projects.all()
.then((projects) => {
console.log(projects)
})
General rule about all the function parameters:
ie.
import Gitlab from 'gitlab';
const api = new Gitlab({
url: 'http://example.com', // Defaults to https://gitlab.com
token: 'abcdefghij123456' // Can be created in your profile.
});
api.Projects.create(projectId, {
//options defined in the Gitlab API documentation
})
For any .all() function on a resource, it will return all the items from Gitlab. This can be troublesome if there are many items, as the request it self can take a while to be fulfilled. As such, a maxPages option can be passed to limit the scope of the all function.
import Gitlab from 'gitlab';
const api = new Gitlab({
url: 'http://example.com', // Defaults to https://gitlab.com
token: 'abcdefghij123456' // Can be created in your profile.
});
let projects = await api.Projects.all({ maxPages:2 });
You can also use this in conjunction to the perPage argument which would override the default of 30 per page set by Gitlab:
import Gitlab from 'gitlab';
const api = new Gitlab({
url: 'http://example.com', // Defaults to https://gitlab.com
token: 'abcdefghij123456' // Can be created in your profile.
});
let projects = await api.Projects.all({ maxPages:2, perPage:40 });
Additionally, if you would like to get back the pagination information, to know how many total pages there are for example, pass the pagination option showPagination
in addition to either the
maxPages
or page
properties.
...
let { data, pagination } = await api.Projects.all({ perPage:40, maxPages:2, showPagination: true });
...
This will result in a response in this format:
data: [
...
],
pagination: {
total: 20,
next: 4,
current: 2,
previous: 1,
perPage: 3,
totalPages: 3,
}
For private gitlab instances, administrators are able to impersonate users through the API. To do so, you have to set the 'Sudo' header on the services you want to impersonate the user for.
For example, if you want to disable notifications for a specific user:
import Gitlab from 'gitlab';
const { NotificationSettings } = new Gitlab({
url: 'http://example.com', // Defaults to https://gitlab.com
token: 'abcdefghij123456' // Can be created in your profile.
sudo: 8 // Can be the user ID or a username
});
await NotificationSettings.edit({
level: NotificationSettings.LEVELS.DISABLED
})
With the success of this library thanks to the community, this has become the main npm package to interact with the Gitlab API. As such, there will be a little bit of growing pains for those upgrading from the original node-gitlab v1.8 to our newest 3.0.0 release, far too many to list here. I hope the library is written clearly enough to ease this transition, but if there is anything that you're having trouble with please feel free to create an issue! If not myself, someone will definitely have the answer to help get you all setup up as quickly as possible.
Although there are the official docs for the API, there are some extra goodies offered by this package! After the 3.0.0 release, the next large project will be putting together proper documentation for these goodies [#39]! Stay tuned!!
To get this running locally rather than from your node_modules
folder:
$ git clone https://github.com/jdalrymple/node-gitlab.git
$ cd node-gitlab
$ npm install
$ npm build
And then inside whatever project you are using node-gitlab
in you change your references to use that repo. In your package.json of that upstream project change:
"dependencies": {
...
"node-gitlab": "2.1.0"
...
}
to this
"dependencies": {
...
"node-gitlab": "<path-to-your-clone>"
...
}
Testing is a work-in-progress right now but here is the start.
docker-compose -f docker-compose.test.yml up
export PERSONAL_ACCESS_TOKEN=$(docker exec -it gitlab bash -lc 'printf "%q" "${PERSONAL_ACCESS_TOKEN}"')
export GITLAB_URL=$(docker exec -it gitlab bash -lc 'printf "%q" "${GITLAB_URL}"')
npm run test
# or, alternatively
npm run test-with-token # sets PERSONAL_ACCESS_TOKEN and GITLAB_URL from above, before running tests
You can also define them in front of the npm script
PERSONAL_ACCESS_TOKEN='abcdefg' GITLAB_URL='http://localhost:8080' npm run test
Note it may take about 3 minutes to get the variables while Gitlab is starting up in the container
This started off as a fork from node-gitlab but I ended up rewriting much of the code. Here are the original work's contributors.
FAQs
Full NodeJS implementation of the GitLab API. Supports Promises, Async/Await.
The npm package gitlab receives a total of 83,328 weekly downloads. As such, gitlab popularity was classified as popular.
We found that gitlab demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.