![Namecheap Takes Down Polyfill.io Service Following Supply Chain Attack](https://cdn.sanity.io/images/cgdhsj6q/production/6af25114feaaac7179b18127c83327568ff592d1-1024x1024.webp?w=800&fit=max&auto=format)
Security News
Namecheap Takes Down Polyfill.io Service Following Supply Chain Attack
Polyfill.io has been serving malware for months via its CDN, after the project's open source maintainer sold the service to a company based in China.
npm-package-arg
Advanced tools
Readme
Parse package name and specifier passed to commands like npm install
or
npm cache add
. This just parses the text given-- it's worth noting that
npm
has further logic it applies by looking at your disk to figure out
what ambiguous specifiers are. If you want that logic, please see
realize-package-specifier.
Arguments look like: foo@1.2
, @bar/foo@1.2
, foo@user/foo
, http://x.com/foo.tgz
,
git+https://github.com/user/foo
, bitbucket:user/foo
, foo.tar.gz
or bar
var assert = require("assert")
var npa = require("npm-package-arg")
// Pass in the descriptor, and it'll return an object
var parsed = npa("@bar/foo@1.2")
// Returns an object like:
{
raw: '@bar/foo@1.2', // what was passed in
name: "@bar/foo", // the name of the package
scope: "@bar", // the private scope of the package, or null
type: "range", // the type of specifier this is
spec: ">=1.2.0 <1.3.0" // the expanded specifier
rawSpec: "1.2" // the specifier as passed in
}
// Parsing urls pointing at hosted git services produces a variation:
var parsed = npa("git+https://github.com/user/foo")
// Returns an object like:
{
raw: 'git+https://github.com/user/foo',
scope: null,
name: null,
rawSpec: 'git+https://github.com/user/foo',
spec: 'user/foo',
type: 'hosted',
hosted: {
type: 'github',
ssh: 'git@github.com:user/foo.git',
sshurl: 'git+ssh://git@github.com/user/foo.git',
https: 'https://github.com/user/foo.git',
directUrl: 'https://raw.githubusercontent.com/user/foo/master/package.json'
}
}
// Completely unreasonable invalid garbage throws an error
// Make sure you wrap this in a try/catch if you have not
// already sanitized the inputs!
assert.throws(function() {
npa("this is not \0 a valid package name or url")
})
var npa = require('npm-package-arg')
Parses arg and returns a result object detailing what arg is.
arg -- a package descriptor, like: foo@1.2
, or foo@user/foo
, or
http://x.com/foo.tgz
, or git+https://github.com/user/foo
The objects that are returned by npm-package-arg contain the following keys:
name
- If known, the name
field expected in the resulting pkg.type
- One of the following strings:
git
- A git repohosted
- A hosted project, from github, bitbucket or gitlab. Originally
either a full url pointing at one of these services or a shorthand like
user/project
or github:user/project
for github or bitbucket:user/project
for bitbucket.tag
- A tagged version, like "foo@latest"
version
- A specific version number, like "foo@1.2.3"
range
- A version range, like "foo@2.x"
local
- A local file or folder pathremote
- An http url (presumably to a tgz)spec
- The "thing". URL, the range, git repo, etc.hosted
- If type=hosted this will be an object with the following keys:
type
- github, bitbucket or gitlabssh
- The ssh path for this git reposshUrl
- The ssh URL for this git repohttpsUrl
- The HTTPS URL for this git repodirectUrl
- The URL for the package.json in this git reporaw
- The original un-modified string that was provided.rawSpec
- The part after the name@...
, as it was originally
provided.scope
- If a name is something like @org/module
then the scope
field will be set to org
. If it doesn't have a scoped name, then
scope is null
.If you only include a name and no specifier part, eg, foo
or foo@
then
a default of latest
will be used (as of 4.1.0). This is contrast with
previous behavior where *
was used.
FAQs
Parse the things that can be arguments to `npm install`
The npm package npm-package-arg receives a total of 11,595,713 weekly downloads. As such, npm-package-arg popularity was classified as popular.
We found that npm-package-arg demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Polyfill.io has been serving malware for months via its CDN, after the project's open source maintainer sold the service to a company based in China.
Security News
OpenSSF is warning open source maintainers to stay vigilant against reputation farming on GitHub, where users artificially inflate their status by manipulating interactions on closed issues and PRs.
Security News
A JavaScript library maintainer is under fire after merging a controversial PR to support legacy versions of Node.js.