
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
A livereload cli tool that eats globs.
$ glob-lr 'www/**' '!www/vendor/**'
LiveReload listening on port 35729
LiveReload added 10 files
I guess you can use it in Node too if you want:
var globlr = require('glob-lr');
var lr = globlr(['www/**', '!www/vendor/**'], opts);
// Now lr.watcher is a chokidar instance, lr.server is a
// listening tiny-lr server, and lr.shutdown() will close everything.
The globs are passed as an array to chokidar. Make sure they are quoted when using the cli. Folders named "node_modules", ".git", ".svn", or ".hg" and files within are ignored by default. tiny-lr is the livereload server which serves the livereload snippet and notifies the client.
Install using npm globally: $ npm install -g glob-lr
Or in your project's package.json: $ npm install --save-dev glob-lr
Watch all files of any depth within www/ but not any within www/vendor/, wait 5 seconds before reloading on changes:
glob-lr 'www/**' '!www/vendor/**' --delay 5000
Watch files of any depth within directories named "www" at any depth from the current working directory but exclude directories named "vendor" at any depth:
glob-lr '**/www/**' '!**/vendor/**'
Watch javascript files within static/ except for files with names beginning with "foo" but do watch "foobaz". Also, ignore jonathan.
glob-lr 'static/*.js' '!static/foo!(baz).js' '!static/jonathan.js'
Watch only css, html, and js files within a client directory as part of a npm watch script:
{
"scripts": {
"watch": "run-p watch:*",
"watch:livereload": "glob-lr 'client/**/*.{css,js,html}'",
"watch:server": "nodemon server/"
},
"devDependencies": {
"npm-run-all": "^2.2.0",
"nodemon": "^1.9.2",
"glob-lr": "^0.1.0"
}
}
You'll either need the browser extension OR you can embed the snippet into your HTML.
Cli parameters are parsed with minimist and merged with the options object which is passed to chokidar and tiny-lr. For example --followSymlinks false will configure chokidar's followSymblinks option. Chokidar and tiny-lr have a number of their own options in addition to glob-lr's defaults:
port: (default 35729) (shorthand -p) The livereload port your livereload client script or browser extension tries to connect to
delay: (defualt 200) (shorthand -d) Milliseconds to debounce file changes before telling tiny-lr to notify the client
quiet: (default false) (shorthand -q) Suppress console output (unless you are debugging with DEBUG=glob-lr)
noDefaultGlobs: (default false) Files within directories named node_modules, .git, .svn, and .hg are ignored by default. Setting this will disable ignoring them
var lr = globlr(globs, opts)Globs is an array of glob strings or a single glob string which will be made an array. The default globs will be added to the end of this array and it will then be passed to chokidar.
lr.watcherThe instance of chokidar so you have access to its API directly.
lr.serverThe instance of tiny-lr so you have access to its API directly.
lr.shutdown([err])Will cancel any debounced notifications and call the close methods of the watcher and server to allow the process to end.
lr.fileCountInteger, the number of files being watched at the moment.
MIT
FAQs
A livereload cli tool that eats globs.
The npm package glob-lr receives a total of 8 weekly downloads. As such, glob-lr popularity was classified as not popular.
We found that glob-lr demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.