Research
Security News
Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
npm-package-arg
Advanced tools
The npm-package-arg package is a utility for parsing package names and specifiers in the npm ecosystem. It helps in understanding and manipulating package references, whether they are simple names, version ranges, GitHub URLs, or local paths.
Parsing Package Names
This feature allows you to parse a simple package name. The output will be an object containing details about the package, such as its name, type, and registry.
const npa = require('npm-package-arg');
const parsed = npa('express');
console.log(parsed);
Parsing Version Ranges
This feature allows you to parse a package name with a version range. The output will include the specified version range and other details.
const npa = require('npm-package-arg');
const parsed = npa('express@^4.0.0');
console.log(parsed);
Parsing GitHub URLs
This feature allows you to parse a GitHub URL. The output will include details about the repository, such as the user and repo names.
const npa = require('npm-package-arg');
const parsed = npa('github:user/repo');
console.log(parsed);
Parsing Local Paths
This feature allows you to parse a local file path. The output will include details about the local path and the type of reference.
const npa = require('npm-package-arg');
const parsed = npa('file:./local-package');
console.log(parsed);
The validate-npm-package-name package is used to validate whether a string is a valid npm package name. Unlike npm-package-arg, it focuses solely on validation and does not parse version ranges, URLs, or paths.
The semver package is used for parsing, validating, and comparing semantic versioning strings. While npm-package-arg can parse version ranges as part of a package specifier, semver provides more comprehensive tools for working with version numbers.
The npm-registry-fetch package is used to make requests to the npm registry. It can fetch package metadata and tarballs. While npm-package-arg helps in parsing package specifiers, npm-registry-fetch is focused on interacting with the npm registry.
Parses package name and specifier passed to commands like npm install
or
npm cache add
, or as found in package.json
dependency sections.
var assert = require("assert")
var npa = require("npm-package-arg")
// Pass in the descriptor, and it'll return an object
try {
var parsed = npa("@bar/foo@1.2")
} catch (ex) {
…
}
var npa = require('npm-package-arg')
npm install
, like:
foo@1.2
, @bar/foo@1.2
, foo@user/foo
, http://x.com/foo.tgz
,
git+https://github.com/user/foo
, bitbucket:user/foo
, foo.tar.gz
,
../foo/bar/
or bar
. If the arg you provide doesn't have a specifier
part, eg foo
then the specifier will default to latest
.process.cwd()
Throws if the package name is invalid, a dist-tag is invalid or a URL's protocol is not supported.
foo
or @bar/foo
.1.2
, ^1.7.17
, http://x.com/foo.tgz
, git+https://github.com/user/foo
,
bitbucket:user/foo
, file:foo.tar.gz
or file:../foo/bar/
. If not
included then the default is latest
.process.cwd()
Throws if the package name is invalid, a dist-tag is invalid or a URL's protocol is not supported.
The objects that are returned by npm-package-arg contain the following keys:
type
- One of the following strings:
git
- A git repotag
- A tagged version, like "foo@latest"
version
- A specific version number, like "foo@1.2.3"
range
- A version range, like "foo@2.x"
file
- A local .tar.gz
, .tar
or .tgz
file.directory
- A local directory.remote
- An http url (presumably to a tgz)registry
- If true this specifier refers to a resource hosted on a
registry. This is true for tag
, version
and range
types.name
- If known, the name
field expected in the resulting pkg.scope
- If a name is something like @org/module
then the scope
field will be set to @org
. If it doesn't have a scoped name, then
scope is null
.escapedName
- A version of name
escaped to match the npm scoped packages
specification. Mostly used when making requests against a registry. When
name
is null
, escapedName
will also be null
.rawSpec
- The specifier part that was parsed out in calls to npa(arg)
,
or the value of spec
in calls to `npa.resolve(name, spec).saveSpec
- The normalized specifier, for saving to package.json files.
null
for registry dependencies.fetchSpec
- The version of the specifier to be used to fetch this
resource. null
for shortcuts to hosted git dependencies as there isn't
just one URL to try with them.gitRange
- If set, this is a semver specifier to match against git tags withgitCommittish
- If set, this is the specific committish to use with a git dependency.hosted
- If from === 'hosted'
then this will be a hosted-git-info
object. This property is not included when serializing the object as
JSON.raw
- The original un-modified string that was provided. If called as
npa.resolve(name, spec)
then this will be name + '@' + spec
.FAQs
Parse the things that can be arguments to `npm install`
The npm package npm-package-arg receives a total of 13,193,786 weekly downloads. As such, npm-package-arg popularity was classified as popular.
We found that npm-package-arg demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 6 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.