Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
hubot-heroku-keepalive
A hubot script that keeps the hubot Heroku free web dyno alive.
Note that a free Heroku dyno can only run for 18 hours/day, so it will be required to sleep for at least 6 hours. Accessing your Hubot during a sleep period will wake it, but it will return to sleep after 30 minutes.
In hubot project repository, run:
npm install hubot-heroku-keepalive --save
Then add hubot-heroku-keepalive to your external-scripts.json:
[
"hubot-heroku-keepalive"
]
hubot-heroku-keepalive is configured by four environment variables:
HUBOT_HEROKU_KEEPALIVE_URL - required, the complete URL to keepalive, including a trailing slash.
HUBOT_HEROKU_WAKEUP_TIME - optional, the time of day (HH:MM) when hubot should wake up. Default: 6:00 (6 am)
HUBOT_HEROKU_SLEEP_TIME - optional, the time of day (HH:MM) when hubot should go to sleep. Default: 22:00 (10 pm)
HUBOT_HEROKU_KEEPALIVE_INTERVAL - the interval in which to keepalive, in minutes. Default: 5
You must set HUBOT_HEROKU_KEEPALIVE_URL and it must include a trailing slash – otherwise the script won't run.
You can find out the value for this by running heroku apps:info. Copy the Web URL and run:
heroku config:set HUBOT_HEROKU_KEEPALIVE_URL=PASTE_WEB_URL_HERE
If you want to trust a shell snippet from the Internet, here's a one-liner:
heroku config:set HUBOT_HEROKU_KEEPALIVE_URL=$(heroku apps:info -s | grep web.url | cut -d= -f2)
HUBOT_HEROKU_WAKEUP_TIME and HUBOT_HEROKU_SLEEP_TIME define the waking hours - between these times the keepalive will ping your Heroku app. Outside of those times, the ping will be suppressed, allowing the dyno to shut down. These times are based on the timezone of your Heroku application which defaults to UTC. You can change this with:
heroku config:add TZ="America/New_York"
This script will keep the dyno alive once it is awake, but something needs to wake it up. You can use the Heroku Scheduler to wake the dyno up. Add the scheduler addon by running:
heroku addons:create scheduler:standard
The scheduler must be manually configured from the web interface, so run heroku addons:open scheduler and configure it to run curl ${HUBOT_HEROKU_KEEPALIVE_URL}heroku/keepalive at the time configured for HUBOT_HEROKU_WAKEUP_TIME.
Note that the Scheduler's time is in UTC. If you changed your application's timezone with TZ, you'll need to convert that time to UTC for the wakeup job. For example, if HUBOT_HEROKU_WAKEUP_TIME is set to 06:00 and TZ is set to America/New_York, you'll need to set the Scheduler to run at 10:00 AM UTC.
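As an added example (not part of the package or its README), the JavaScript below checks the settings described above and converts HUBOT_HEROKU_WAKEUP_TIME to the UTC time the Scheduler needs on a given date. It goes beyond the single case in the text by accounting for daylight saving time; the function names checkConfig, offsetMinutes and wakeupInUtc are hypothetical.

```javascript
// Added example; helper names are hypothetical, not the package's API.

// Parse "H:MM" or "HH:MM" into minutes after midnight; null if malformed.
function parseHHMM(value) {
  const m = /^(\d{1,2}):(\d{2})$/.exec(value);
  if (!m || +m[1] > 23 || +m[2] > 59) return null;
  return +m[1] * 60 + +m[2];
}

// Return a list of problems with the documented environment variables.
function checkConfig(env) {
  const problems = [];
  const url = env.HUBOT_HEROKU_KEEPALIVE_URL;
  if (!url) problems.push('HUBOT_HEROKU_KEEPALIVE_URL is not set');
  else if (!url.endsWith('/')) problems.push('keepalive URL lacks a trailing slash');
  const times = [['HUBOT_HEROKU_WAKEUP_TIME', '6:00'], ['HUBOT_HEROKU_SLEEP_TIME', '22:00']];
  for (const [name, fallback] of times) {
    if (parseHHMM(env[name] || fallback) === null) problems.push(`${name} is not HH:MM`);
  }
  const interval = Number(env.HUBOT_HEROKU_KEEPALIVE_INTERVAL || '5');
  if (!(interval > 0)) problems.push('HUBOT_HEROKU_KEEPALIVE_INTERVAL is not a positive number');
  return problems;
}

// Offset of timezone tz from UTC, in minutes, at the instant `date`.
function offsetMinutes(tz, date) {
  const fmt = new Intl.DateTimeFormat('en-US', {
    timeZone: tz, hourCycle: 'h23', year: 'numeric', month: 'numeric',
    day: 'numeric', hour: 'numeric', minute: 'numeric', second: 'numeric',
  });
  const p = Object.fromEntries(fmt.formatToParts(date).map((x) => [x.type, x.value]));
  const wallClockAsUtc = Date.UTC(+p.year, +p.month - 1, +p.day, +p.hour, +p.minute, +p.second);
  return Math.round((wallClockAsUtc - date.getTime()) / 60000);
}

// Convert a local wakeup time (HH:MM in tz) to the UTC HH:MM for the Scheduler.
function wakeupInUtc(wakeup, tz, date) {
  const local = parseHHMM(wakeup);
  if (local === null) throw new Error('wakeup time is not HH:MM');
  const utc = (((local - offsetMinutes(tz, date)) % 1440) + 1440) % 1440;
  const pad = (n) => String(n).padStart(2, '0');
  return `${pad(Math.floor(utc / 60))}:${pad(utc % 60)}`;
}
```

For 06:00 in America/New_York this gives 10:00 UTC while daylight saving time is in effect and 11:00 UTC otherwise, so a fixed Scheduler time matches HUBOT_HEROKU_WAKEUP_TIME for only part of the year.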
Hubot has for a long time had its own built-in way to keep its web dyno alive, but this is an extraction of that behavior.
The legacy support uses the HEROKU_URL environment variable instead of HUBOT_HEROKU_KEEPALIVE_URL, so for forward compatibility, hubot-heroku-keepalive will also use HEROKU_URL if it's present, and will also disable the legacy keepalive behavior if it's present.
The best way is to use npm link
and make sure to point HUBOT_HEROKU_KEEPALIVE_URL at the right place:
hubot-heroku-keepalive$ npm link
hubot-heroku-keepalive$ cd /path/to/your/hubot
hubot$ npm link hubot-heroku-keepalive
hubot$ export HUBOT_HEROKU_KEEPALIVE_URL=http://localhost:8080/
hubot$ bin/hubot
FAQs
A hubot script that keeps the hubot Heroku web dyno alive
The npm package hubot-heroku-keepalive receives a total of 23,449 weekly downloads. As such, hubot-heroku-keepalive popularity was classified as popular.
We found that hubot-heroku-keepalive demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 4 open source maintainers collaborating on the project.