nph: Node Package Hub - Private npm package served from private GitHub repositories
Node Package Hub, also known as nph, is based on a simple but effective idea: the private packages I want to access are already on GitHub and carry semver version tags, so everything needed to serve them as npm packages is already there.
If we combine this, we have everything we need to run a public/private npm proxy process in Node and roll with that. This approach has a lot of benefits:
To install the proxy, run the following command on your CLI:

```bash
npm install --save nph
```
`nph.configure` lets you configure the whole proxy from one simple definition file.
`nph.register` registers a new npm account with your private npm server. If you supply it with an optional GitHub account, the npm user gets the privileges of that GitHub account. The API accepts 3 arguments:

```js
// The token is left empty here; a real token grants access to your private
// repositories, so load it from an environment variable rather than
// committing it with this file.
nph.register('V1', { github: '3rd-Eden', token: '' })
   .register('swaagie', { github: 'swaagie', token: '' });
```
`nph.repository` adds a private repository that will be used as a source for private npm packages. The API accepts 2 arguments:

```js
nph.repository('unshiftio/unshift')
   .repository('3rd-Eden/another-private');
```
Now that you know how the whole API works, you can set up a proxy by running the following example:

```js
'use strict';

// Create the proxy; the GitHub token comes from the environment, not the source.
var nph = require('nph').createServer({
  token: process.env.GITHUB_TOKEN
});

// npm accounts that may use this private registry.
nph.register('V1')
   .register('isz');

// Private GitHub repositories served as npm packages.
nph.repository('3rd-Eden/private')
   .repository('unshiftio/transport-layer');

// Port 80 needs elevated privileges; pick a high port if you run unprivileged.
nph.listen(80, function listen(err) {
  if (err) throw err;
  console.log('nph proxy listening on port 80');
});
```
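The README does not show how the proxy decides where a request goes, or how a semver range is matched against a repository's tags. The following is an added example of that core logic written for this page; it is not code from nph. The package-to-repository map, the list of GitHub tags and the package names are all constructed for the demo, and the tag-listing call that a real proxy would make against the GitHub API is replaced by the inline `GITHUB_TAGS` table. It also goes a little beyond the README: registered private names are routed to GitHub only and never fall through to the public registry, which is the check that stops a same-named public package from shadowing a private one (the dependency-confusion pattern).

```javascript
// Added example: request routing and semver-tag resolution for a
// GitHub-backed private npm proxy. Plain Node, no dependencies.

// Private packages registered with the proxy, keyed by npm package name.
// Hypothetical map: the package "unshift" is served from unshiftio/unshift.
const PRIVATE = new Map([
  ['unshift', 'unshiftio/unshift'],
  ['transport-layer', 'unshiftio/transport-layer'],
]);

// Constructed stand-in for the GitHub "list tags" response (tag names only).
const GITHUB_TAGS = {
  'unshiftio/unshift': ['v1.0.0', 'v1.1.0', 'v1.2.3', 'v2.0.0-rc.1', 'v2.0.0', 'not-a-version'],
  'unshiftio/transport-layer': ['0.1.0', '0.1.5', '0.2.0'],
};

// Parse "v1.2.3" or "1.2.3" into [1, 2, 3]; prerelease and junk tags yield null.
function parseVersion(tag) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(tag);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison of two parsed versions.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Minimal range support: exact "x.y.z", "^x.y.z", "~x.y.z", or "*" / "latest".
function satisfies(v, range) {
  if (range === '*' || range === 'latest') return true;
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const want = parseVersion(range.slice(op.length));
  if (!want) throw new Error(`unsupported range: ${range}`);
  if (compare(v, want) < 0) return false;
  if (op === '') return compare(v, want) === 0;
  if (op === '~') return v[0] === want[0] && v[1] === want[1];
  // caret: same major, or same minor when major is 0
  return want[0] === 0 ? v[0] === 0 && v[1] === want[1] : v[0] === want[0];
}

// Decide where a request for name@range is served from. A registered private
// name is answered from GitHub only; it is never forwarded upstream, so a
// public package with the same name cannot take its place.
function resolve(name, range) {
  const repo = PRIVATE.get(name);
  if (!repo) {
    return { source: 'npm', url: `https://registry.npmjs.org/${encodeURIComponent(name)}` };
  }
  const candidates = (GITHUB_TAGS[repo] || [])
    .map((tag) => ({ tag, v: parseVersion(tag) }))
    .filter((t) => t.v && satisfies(t.v, range))
    .sort((a, b) => compare(b.v, a.v)); // highest version first
  if (candidates.length === 0) {
    return { source: 'github', repo, error: `no tag of ${repo} satisfies ${range}` };
  }
  const { tag, v } = candidates[0];
  // The GitHub token belongs in an Authorization header added by the fetch
  // layer, never in the tarball URL, so it cannot leak into lockfiles or logs.
  return {
    source: 'github',
    repo,
    version: v.join('.'),
    url: `https://api.github.com/repos/${repo}/tarball/${tag}`,
  };
}

// Stand-alone usage: resolve a private package and a public one.
console.log(resolve('unshift', '^1.0.0'));
console.log(resolve('lodash', '^4.0.0'));
```

The prerelease tag `v2.0.0-rc.1` and the non-version tag are ignored on purpose: a proxy that accepted every tag as a version would let anyone with push access to the repository publish whatever a stray tag points at. A production proxy would use the `semver` package for full range syntax; the hand-rolled matcher here is only enough to make the routing decision visible.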
License: MIT
FAQs
We found that nph demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.