npm-bundle
Readme
Similar to npm pack, but includes the packages listed in the dependencies section of the package.json.

If you wish to include dependencies and use npm pack, you must do the following:
- npm pack
- npm install before executing npm pack
- npm install --legacy-bundling when using npm v3.x, because deduped dependencies will not be included
- npm install --legacy-bundling is not available in npm v3.x < v3.5

There must be a better way...
```shell
npm install -g npm-bundle
```

You can use the same arguments and options as npm install. There is an additional --verbose option to help with debugging issues.
```shell
# The current directory containing a package.json
npm-bundle

# Verbose, useful for debugging errors
npm-bundle --verbose

# A tarball in the current directory
npm-bundle something-1.0.0.tgz

# A package from the registry
npm-bundle request

# A tarball url
npm-bundle https://github.com/indexzero/node-portfinder/archive/v0.4.0.tar.gz

# Specify a private registry
npm-bundle secretPackage --registry=http://private.something.com/npm
```
```javascript
var npmBundle = require('npm-bundle')

// Same arguments and options as the npm-bundle CLI
var args = []
var options = {
  verbose: true
}

npmBundle(args, options, function onNpmBundle (error, output) {
  if (error) {
    throw error
  }
  // output.file is the path of the bundled tarball
  process.stdout.write(output.file)
})
```
The given callback receives an error parameter and an output object parameter. The output object will have the following properties:

The install is happening in the .npmbundle temporary directory, so only use npm install options relevant for that directory.
The npm executable (required to be on your path) does the heavy lifting to ensure behavior is consistent with what you expect from npm.
Here is a simplified view of the workflow:
1. cd .npmbundle
2. npm install <package_name> --production --legacy-bundling
3. Populate bundledDependencies in .npmbundle/node_modules/<package_name>/package.json
4. cd startDir
5. npm pack .npmbundle/node_modules/<package_name>
Changelog
- npm pack; npm install, ie. a tarball url; npm install, ie. --registry=http://something
- v3.0.3
- v3.0.1: npm pack
- v3.0.0: tar -tvf something.tgz instead
- v2.0.4
- v2.0.3
- v2.0.0
- v1.1.1
FAQs
npm pack with dependencies included
The npm package npm-bundle receives a total of 8,238 weekly downloads. As such, npm-bundle popularity was classified as popular.
We found that npm-bundle demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.