Various utilities for JSON References (http://tools.ietf.org/html/draft-pbryan-zyp-json-ref-03).
The json-refs npm package is a utility for working with JSON references, which are pointers within JSON objects that reference other parts of the JSON document. It helps resolve these references and can be used to make JSON documents easier to understand and manipulate by consolidating linked data.
Resolving JSON References
This feature allows the resolution of JSON references within a JSON document. The code sample demonstrates how to resolve references in a JSON file located at a specified path, with an option to resolve circular references.
var jsonRefs = require('json-refs');

// Location of the JSON document whose references should be resolved.
var path = './somePath/to/json';
// resolveCirculars lets references that loop back on themselves be
// handled instead of failing the whole resolution.
var options = { resolveCirculars: true };

jsonRefs.resolveRefsAt(path, options)
  .then(function (results) {
    // results.resolved is the document with its references replaced
    console.log(results.resolved);
  })
  .catch(function (err) {
    console.error(err.stack);
  });
Finding JSON References
This feature involves identifying all the JSON references in a given JSON object. The code sample shows how to find all references, including those that might be invalid, within a JSON object.
var jsonRefs = require('json-refs');

var jsonObject = { /* some JSON object */ };
// includeInvalid also reports references that cannot be resolved
var options = { includeInvalid: true };

var refs = jsonRefs.findRefs(jsonObject, options);
console.log(refs);
Swagger Parser is a package that can parse, validate, and dereference Swagger and OpenAPI documents. Similar to json-refs, it handles resolving references but is specifically tailored for Swagger and OpenAPI specs, providing more specialized functionality in these contexts compared to the more general-purpose json-refs.
This package dereferences JSON Schema $ref pointers. Like json-refs, it resolves references within JSON documents but focuses specifically on JSON Schema, making it well suited to scenarios involving JSON Schema validation and manipulation.
json-refs is a simple library for interacting with JSON References and JSON Pointers. While the main purpose of this library is to provide JSON References features, since JSON References are a combination of object structure and a JSON Pointer, this library also provides some features for JSON Pointers as well.
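To make that combination concrete, here is an added example (not json-refs's own code) that implements, for local "#/..." references only, the two operations shown in the feature sections above: finding references and resolving them, on top of a hand-written JSON Pointer walker (RFC 6901). The helper names findLocalRefs, resolveLocalRefs and getByPointer, the sample document and the shape of the results are this example's own assumptions; only the option names includeInvalid and resolveCirculars are borrowed from the json-refs options above.

```javascript
// Added example, not json-refs's own code: a minimal resolver for local JSON
// References ({"$ref": "#/json/pointer"}) built from the two pieces the README
// names, object structure and JSON Pointers (RFC 6901). Helper names and
// result shapes are this example's own; only the option names includeInvalid
// and resolveCirculars come from the json-refs options shown on this page.

// Split a JSON Pointer into unescaped segments: "/a/b~1c" -> ["a", "b/c"].
// Returns null for syntactically invalid pointers (must be "" or start with "/").
function parsePointer(pointer) {
  if (pointer === '') return [];
  if (pointer[0] !== '/') return null;
  return pointer.slice(1).split('/').map(function (seg) {
    return seg.replace(/~1/g, '/').replace(/~0/g, '~'); // this order is required by RFC 6901
  });
}

// Escape one object key for use as a pointer segment (inverse of parsePointer).
function escapeSegment(key) {
  return key.replace(/~/g, '~0').replace(/\//g, '~1');
}

// Walk `doc` along `pointer`; undefined when the pointer is invalid or the path
// does not exist. Array indices must be canonical decimal strings, so "/length"
// or "/01" on an array is a miss rather than a property lookup.
function getByPointer(doc, pointer) {
  const segs = parsePointer(pointer);
  if (segs === null) return undefined;
  let node = doc;
  for (const seg of segs) {
    if (node === null || typeof node !== 'object') return undefined;
    if (Array.isArray(node)) {
      if (!/^(0|[1-9][0-9]*)$/.test(seg)) return undefined;
    } else if (!Object.prototype.hasOwnProperty.call(node, seg)) {
      return undefined;
    }
    node = node[seg];
  }
  return node;
}

// Find every {"$ref": ...} in `doc`, keyed by the JSON Pointer of the object that
// holds it. Non-local or unresolvable refs carry an `error` field and are only
// reported when options.includeInvalid is true.
function findLocalRefs(doc, options) {
  const includeInvalid = !!(options && options.includeInvalid);
  const refs = {};
  (function walk(node, path) {
    if (node === null || typeof node !== 'object') return;
    if (typeof node.$ref === 'string') {
      const entry = { uri: node.$ref };
      if (node.$ref[0] !== '#') {
        entry.error = 'non-local reference (only "#..." handled here)';
      } else if (getByPointer(doc, node.$ref.slice(1)) === undefined) {
        entry.error = 'unresolvable pointer';
      }
      if (!entry.error || includeInvalid) refs[path] = entry;
      return;
    }
    Object.keys(node).forEach(function (key) {
      walk(node[key], path + '/' + escapeSegment(key));
    });
  })(doc, '');
  return refs;
}

// Resolve local references on a deep copy of `doc`. `stack` holds the refs
// currently being followed, so meeting one of them again is a cycle: an error
// unless options.resolveCirculars is set, in which case that $ref object is left
// in place so the output stays finite. Invalid refs are left in place and listed
// in `errors` next to `resolved`.
function resolveLocalRefs(doc, options) {
  const resolveCirculars = !!(options && options.resolveCirculars);
  const root = JSON.parse(JSON.stringify(doc)); // never mutate the caller's object
  const errors = [];
  function resolve(node, stack) {
    if (node === null || typeof node !== 'object') return node;
    if (typeof node.$ref === 'string') {
      const target = node.$ref[0] === '#' ? getByPointer(root, node.$ref.slice(1)) : undefined;
      if (target === undefined) {
        errors.push('cannot resolve ' + node.$ref);
        return node;
      }
      if (stack.indexOf(node.$ref) !== -1) {
        if (resolveCirculars) return node;
        throw new Error('circular reference ' + node.$ref);
      }
      return resolve(target, stack.concat([node.$ref]));
    }
    const out = Array.isArray(node) ? [] : {};
    Object.keys(node).forEach(function (key) { out[key] = resolve(node[key], stack); });
    return out;
  }
  return { resolved: resolve(root, []), errors: errors };
}

// Constructed sample document (not from the json-refs docs): a key containing "/"
// to exercise ~1 escaping, a self-referencing definition, a dangling pointer and
// a remote reference this example does not follow.
const SAMPLE = {
  definitions: {
    'user/id': { type: 'string' },
    user: {
      id: { $ref: '#/definitions/user~1id' },
      friend: { $ref: '#/definitions/user' } // circular: user -> user
    }
  },
  owner: { $ref: '#/definitions/user' },
  missing: { $ref: '#/definitions/nope' },
  remote: { $ref: 'https://example.invalid/schema.json#/x' }
};

console.log(JSON.stringify(findLocalRefs(SAMPLE, { includeInvalid: true }), null, 2));
console.log(JSON.stringify(resolveLocalRefs(SAMPLE, { resolveCirculars: true }), null, 2));
try { resolveLocalRefs(SAMPLE, {}); } catch (err) { console.error(err.message); }
```

The cycle check is the part worth studying: a resolver that simply replaces every $ref with its target never terminates on `friend -> user -> friend`, which on untrusted input is a denial of service, so resolving documents you did not author should always run with either cycle detection or an explicit circular-reference policy such as resolveCirculars.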
The documentation for this project can be found at https://github.com/whitlockjc/json-refs/blob/master/docs/README.md. Specific documentation can be found here:
json-refs is available for both Node.js and the browser. Installation instructions for each environment are below.
json-refs binaries for the browser are available in the dist/ directory:
Of course, these links are for the master builds so feel free to download from the release of your choice. Once you've gotten them downloaded, to use the standalone binaries, your HTML include might look like this:
<!-- ... -->
<script src="json-refs.js"></script>
<!-- ... -->
Installation for Node.js applications can be done via NPM.
npm install json-refs --save
If you plan on using the json-refs CLI executable, you can install json-refs globally like this:
npm install json-refs --global
After this, feel free to run json-refs help to see what you can do, or view the CLI documentation linked above.
FAQs
Socket rates the json-refs release cadence and project activity as unhealthy because the last version was released a year ago. The project has one open source maintainer.