Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
grunt-bower-verify
Install and test all your dependencies versions.
This plugin requires Grunt ~0.4.0
If you haven't used Grunt before, be sure to check out the Getting Started guide, as it explains how to create a Gruntfile as well as install and use Grunt plugins. Once you're familiar with that process, you may install this plugin with this command:
npm install grunt-bower-verify --save-dev
Once the plugin has been installed, it may be enabled inside your Gruntfile with this line of JavaScript:
grunt.loadNpmTasks('grunt-bower-verify');
Run this task with the grunt bower-verify command.
Type: Boolean
Default value: false
This will only install the latest patch version of the major/minor version.
This is a multitask, so you can specify your own targets inside grunt.initConfig:
grunt.initConfig({
  "bower-verify": {
    targetname: {
      tasks: ['test'] // some task or tasks of your choice to be run after each bower install
    }
  }
});
You can find out whether your bower.json config really is valid by automatically installing every published version that matches the semver range you described.
Say you have the following bower.json file
{
  "name": "my-jquery-plugin",
  "dependencies": {
    "jquery": ">=1.6.0"
  }
}
Running grunt bower-verify:test will first fetch all versions available for jquery.
Then, for each version that satisfies the semver range in your bower config, it will try to install that version and run the tasks you have defined in your target. Typically this will be tests, a build process or similar.
This allows you to verify that your bower package actually supports all the versions that it claims that it supports. This could be handy to be run in a CI environment especially.
Say you claim that you support jquery >=1.6.0 as above. If you run a normal bower install, it will probably install only the latest version.
Let's further assume you have started using the on function for events, which was introduced in 1.7. Running bower-verify would quickly reveal that you either have to change your supported version of jquery to >=1.7 or stop using the on function.
If you have multiple dependencies, say underscore >=1.3 and jquery >=1.6, it will first install all versions of one of them and then all versions of the other.
Testing all combinations of the two might be added in the future. However, this could result in a very large number of combinations.
Since bower uses a flat dependency tree, it can happen that you install, say, bootstrap 2.3.2, which requires jquery >=1.8.0 <2.1.0.
If your own bower.json contains >=1.6, bower-verify will still try to install 1.6.x, 1.7.x and >=2.1.0. It will then report that these versions were not installed due to the conflict with bootstrap.
You can use this information to update your main bower.json config accordingly.
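The version-selection and conflict-reporting behaviour described above, modelled as an added example (not grunt-bower-verify's own code). It assumes a deliberately simplified range syntax of space-separated `>=`, `<=`, `>`, `<` or `=` clauses with three-part versions (no `~` or `^`), and the list of published releases is constructed, not fetched from a registry:

```javascript
// Added example, not part of grunt-bower-verify. Models the "fetch versions,
// filter by semver range, skip those a flat-tree peer forbids" step.
const parseVersion = (v) => v.split('.').map(Number);

// Compare two "major.minor.patch" strings: -1, 0 or 1.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Does `version` satisfy a comparator range such as ">=1.8.0 <2.1.0"?
// Simplification (assumption): only plain comparator clauses are supported.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(clause);
    if (!m) throw new Error('unsupported range clause: ' + clause);
    const c = compareVersions(version, m[2]);
    switch (m[1] || '=') {
      case '>=': return c >= 0;
      case '<=': return c <= 0;
      case '>':  return c > 0;
      case '<':  return c < 0;
      default:   return c === 0;
    }
  });
}

// Plan a verification run: every published version matching our own range is
// a candidate; those rejected by a peer's constraint (the bootstrap/jquery
// case above) are reported as skipped instead of installed.
function planRun(published, ownRange, peerRange) {
  const plan = { install: [], skipped: [] };
  for (const v of published) {
    if (!satisfies(v, ownRange)) continue;
    if (peerRange && !satisfies(v, peerRange)) plan.skipped.push(v);
    else plan.install.push(v);
  }
  return plan;
}

// Constructed sample: a hand-picked subset of jquery releases, oldest first.
const PUBLISHED = ['1.5.2', '1.6.0', '1.7.2', '1.8.3', '1.10.2', '2.0.3', '2.1.0', '2.1.4'];
const plan = planRun(PUBLISHED, '>=1.6.0', '>=1.8.0 <2.1.0');
console.log('install:', plan.install.join(', '));
console.log('skipped (conflict with peer):', plan.skipped.join(', '));
```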
FAQs
We found that grunt-bower-verify demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.