
Run pkg.scripts subtasks in a runner-agnostic way (npm/yarn, whichever launched the main script)
You want to use pkg.scripts subtasks, but you don't want to commit to either npm run or yarn run? Look no further.
Given the following package.json:
{
  "name": "my-package",
  "version": "1.0.0",
  "license": "MIT",
  "scripts": {
    "task": "gosub subtask && gosub print done",
    "subtask": "echo ====>> unix: $npm_config_user_agent win: %npm_config_user_agent% <<====",
    "print": "echo"
  },
  "devDependencies": {
    "gosub": "1.0.0"
  }
}
After running npm install or yarn you get the following:
~/tmp ❯❯❯ yarn run --silent task
$ echo "====>> $npm_config_user_agent <<===="
====>> yarn/1.3.2 npm/? node/v8.9.1 darwin x64 <<====
$ echo done
done
and
~/tmp ❯❯❯ npm run --silent task
====>> npm/5.5.1 node/v8.9.1 darwin x64 <<====
done
In other words, if the main task is launched with npm run, the subtasks will be as well. If you launch it with yarn run, the subtasks are launched with yarn run too (look between the ====>> arrows <<==== in the output above).
This makes your pkg.scripts runner agnostic.
run?
You can use gosub --raw action. So gosub --raw install will run npm install (or bun, yarn, etc., depending on the runner).
$_ run subtask?
It doesn't work on Windows (although it will save you tens if not hundreds of milliseconds on *nix). If it turns out there's a native, cross-platform method to achieve what gosub does, please chime in in the issues.
The script works for my own use, but I'm not used to writing command line utilities and may have botched up some details that matter for your use case. For example, this has only been tested on MacOS, although AFAICT there's nothing OS-specific in the script. Feel free to open an issue if you have problems and/or suggestions.
gosub a BASIC thing?
*Waves at all of you who learned to code on 8/16 bits computers*.
--raw option to launch other commands. gosub --raw install will launch npm install (or bun, yarn depending on what you're using).
child_process.spawn instead of .exec to prevent the parent from exiting early.
stdio streams rather than piping them manually.
stdin to the children processes.
initial release
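The runner-agnostic dispatch and the --raw option described above, together with the spawn and inherited-stdio choices listed in the changelog, as an added example that is not gosub's own source. It assumes the runner is read from the first token of npm_config_user_agent (the variable printed in the sample output); the allowlist, the fallback to npm and the function names detectRunner, buildCommand and gosub are choices made for this example.

```javascript
// Added example, not gosub's source. Assumption: the runner is the first
// product token of npm_config_user_agent, as in the sample output above.
const KNOWN_RUNNERS = new Set(['npm', 'yarn', 'bun']);

// "yarn/1.3.2 npm/? node/v8.9.1 darwin x64" -> "yarn"
function detectRunner(userAgent) {
  const name = String(userAgent || '').trim().split(/\s+/)[0].split('/')[0];
  // The value comes from the environment, so it is matched against an
  // allowlist before it is ever used as a program name. Default: npm.
  return KNOWN_RUNNERS.has(name) ? name : 'npm';
}

// Turn gosub-style arguments into the command line for the detected runner.
function buildCommand(userAgent, args) {
  const command = detectRunner(userAgent);
  if (args[0] === '--raw') {
    if (args.length < 2) throw new Error('usage: gosub --raw <action> [args...]');
    return { command, args: args.slice(1) }; // e.g. npm install
  }
  if (args.length < 1) throw new Error('usage: gosub <script> [args...]');
  const [script, ...rest] = args;
  // "--" makes npm forward everything after it to the script unchanged.
  const sep = command === 'npm' && rest.length > 0 ? ['--'] : [];
  return { command, args: ['run', script, ...sep, ...rest] };
}

// Run the subtask and resolve with its exit code.
async function gosub(args, env = process.env) {
  const { spawn } = await import('node:child_process');
  const { command, args: childArgs } = buildCommand(env.npm_config_user_agent, args);
  return new Promise((resolve, reject) => {
    // argv array and no shell: arguments are not re-parsed as shell syntax.
    // stdio 'inherit' shares the parent's stdin/stdout/stderr with the child.
    // Windows .cmd shims for the runners are not handled here.
    const child = spawn(command, childArgs, { stdio: 'inherit', env });
    child.on('error', reject);
    child.on('exit', (code, signal) => resolve(signal ? 1 : code));
  });
}

// Usage from a bin script:
//   gosub(process.argv.slice(2)).then((code) => process.exit(code));
```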
Romantic WTF!
FAQs
The npm package gosub receives a total of 10 weekly downloads. As such, gosub popularity was classified as not popular.
We found that gosub demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.