Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
js-gardener
Advanced tools
Minimizes project setup and maintenance complexity, so you can focus on writing code.
Enforces highest code quality and minimizes package setup and maintenance complexity - so you can focus on writing code. Highly recommended if you are getting started with a new package and extremely useful if you are maintaining multiple packages.
git init
, git remote add origin URL
, git checkout -b master
npm init
and fill in details$ npm install --save-dev js-gardener
Create gardener.js
in the root folder with the following contents
const gardener = require('js-gardener');
if (require.main === module) {
gardener().catch(() => process.exit(1));
}
Now create a .roboconfig.json
file. Recommended for OpenSource npm packages is the following:
{
"@blackflux/robo-config-plugin": {
"tasks": [
"assorted/@npm-opensource"
],
"variables": {
"repoKey": "org-name/repo-name",
"packageName": "repo-name",
"projectName": "repo-name",
"owner": "owner-name",
"ownerName": "Owner Name",
"mergeBot": "mergebot-name"
}
}
}
Then run
$ node gardener
This will generate some files and alter your existing package.json file.
Create your files in the src
folder and corresponding tests in the test
folder (Mocha and Chai work great), and ensure everything works fine by running npm test
. Finalize your README.md and package.json and commit and push to GitHub.
To run all tests locally
$ npm t
and in debug mode with
$ npm t -- --debug
All Mocha options can be passed using double dash. E.g. to run individual tests
$ npm run test-simple -- -g "Partial Test Description Here"
To auto fix fixable eslint problems run
$ node gardener.js --fix
Folders - Write your tests in the test
and your code in the src
folder. The lib folder is used as the build target. Test files must be of format *.spec.js
.
Branches - You release branch is master
. Develop against dev
or feature branches. When you are ready for a release, merge your changes into master
.
Customize the nyc section in your package.json
To completely ignore files from coverage put them into the exclude
section in nyc.
Type: logger
Default: fancy-log
Attach custom logger.
Type: array
Default: []
Array of tasks to skip. Should not be necessary to use unless you really need to. Available tasks are:
robo
: Apply robo-config configuration file.package
: Alter package.jsonstructure
: Enforce that test file structure matches lib contentaudit
: Runs npm audit and throws errors for old or important issues.eslint
: Ensure code is according to eslint definitions.yamllint
: Ensure yaml files are passing lintdepcheck
: Ensure dependencies are installed as specified in package.jsondepused
: Ensure all installed dependencies are usedType: string
Default: process.cwd()
Specify the directory to run the tests against. Useful if you have multiple packages that you manage centralized from a parent folder.
Type: boolean
Default: false
Execution will fail if not inside docker container, when set to true
.
Define files which should be excluded for eslint. Always excluded files can be found here.
Define packages that should be excluded from usage check. Useful when a false negative is detected, e.g. for plugins where usage is defined in configuration. Always excluded packages can be found here.
Define test files that should not be checked for structure. Usually not necessary. Always excluded test files can be found here.
This project utilizes itself for testing - how cool is that? All other projects published under blackflux also utilize this framework.
Example project using js-gardener and lambda-tdd can be found here.
All blackflux npm packages also utilize Gardener.
FAQs
Minimizes project setup and maintenance complexity, so you can focus on writing code.
The npm package js-gardener receives a total of 1,219 weekly downloads. As such, js-gardener popularity was classified as popular.
We found that js-gardener demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.