npm-registry-couchapp
The design doc for The npm Registry CouchApp
You need CouchDB version 1.4.0 or higher. 1.5.0 or higher is best.
Once you have CouchDB installed, create a new database:
curl -X PUT http://localhost:5984/registry
You'll need the following entries added in your local.ini. Note what they do: users_db_public = true lets unauthenticated clients read the _users database, restricted to the fields listed in public_fields (which here include email), and secure_rewrites = false allows the ddoc's rewrite rules to target paths outside its own database.
[couch_httpd_auth]
public_fields = appdotnet, avatar, avatarMedium, avatarLarge, date, email, fields, freenode, fullname, github, homepage, name, roles, twitter, type, _id, _rev
users_db_public = true
[httpd]
secure_rewrites = false
[couchdb]
delayed_commits = false
Clone the repository if you haven't already, and cd into it:
git clone git://github.com/npm/npm-registry-couchapp
cd npm-registry-couchapp
Now install the stuff:
npm install
Sync the ddoc to _design/scratch:
npm start \
--npm-registry-couchapp:couch=http://admin:password@localhost:5984/registry
Next, make sure that views are loaded:
npm run load \
--npm-registry-couchapp:couch=http://admin:password@localhost:5984/registry
And finally, copy the ddoc from _design/scratch to _design/app:
npm run copy \
--npm-registry-couchapp:couch=http://admin:password@localhost:5984/registry
Of course, you can avoid the command-line flag by setting it in your ~/.npmrc file:
_npm-registry-couchapp:couch=http://admin:password@localhost:5984/registry
The leading _ prevents any other packages from seeing the setting (which contains the admin password) in their environment when npm runs scripts for those other packages.
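The four setup steps above, driven from one script that keeps the couch URL in a private npmrc file rather than on the command line. This is an added example, not code from npm-registry-couchapp; the COUCH_HOST, COUCH_PORT, COUCH_DB, COUCH_ADMIN_USER and COUCH_ADMIN_PASS variable names and the `run` argument are assumptions of this script.

```sh
#!/bin/sh
# Added example (not part of npm-registry-couchapp): runs the database
# creation, ddoc sync, view load and copy steps from the README in order.
# Assumes CouchDB is reachable on COUCH_HOST:COUCH_PORT (default
# localhost:5984) and that admin credentials arrive in COUCH_ADMIN_USER /
# COUCH_ADMIN_PASS. Those variable names are this script's assumption.
set -eu

COUCH_HOST="${COUCH_HOST:-localhost}"
COUCH_PORT="${COUCH_PORT:-5984}"
COUCH_DB="${COUCH_DB:-registry}"

# URL in the form the npm scripts expect: http://user:pass@host:port/db
couch_url() {
  printf 'http://%s:%s@%s:%s/%s\n' "$1" "$2" "$COUCH_HOST" "$COUCH_PORT" "$COUCH_DB"
}

# The ~/.npmrc line from the README. The leading underscore keeps npm from
# exporting the value into the environment of other packages' scripts.
npmrc_line() {
  printf '_npm-registry-couchapp:couch=%s\n' "$1"
}

# CouchDB answers PUT /db with {"ok":true}, or with a file_exists error when
# the database already exists; both mean the step is done. Anything else
# (for example an unauthorized error) is a failure.
db_create_ok() {
  case "$1" in
    *'"ok":true'*|*'"file_exists"'*) return 0 ;;
    *) return 1 ;;
  esac
}

main() {
  : "${COUCH_ADMIN_USER:?set COUCH_ADMIN_USER}"
  : "${COUCH_ADMIN_PASS:?set COUCH_ADMIN_PASS}"
  url="$(couch_url "$COUCH_ADMIN_USER" "$COUCH_ADMIN_PASS")"

  # Step 1: create the database, authenticating as the admin.
  resp="$(curl -sS -u "$COUCH_ADMIN_USER:$COUCH_ADMIN_PASS" \
          -X PUT "http://$COUCH_HOST:$COUCH_PORT/$COUCH_DB")"
  db_create_ok "$resp" || { echo "database create failed: $resp" >&2; exit 1; }

  # Steps 2-4: write the couch URL to a mode-600 temporary npmrc and hand it
  # to npm with --userconfig, so the password is not on the npm command lines
  # and does not land in shell history.
  rc="$(mktemp)"
  trap 'rm -f "$rc"' EXIT
  chmod 600 "$rc"
  npmrc_line "$url" > "$rc"
  npm --userconfig "$rc" start      # sync the ddoc to _design/scratch
  npm --userconfig "$rc" run load   # make sure the views are loaded
  npm --userconfig "$rc" run copy   # copy _design/scratch to _design/app
}

# Run the steps only when invoked as: sh setup-registry.sh run
if [ "${1:-}" = run ]; then
  main
fi
```

Run it from the cloned npm-registry-couchapp directory after npm install, with the credentials exported in the environment. The temporary npmrc is removed on exit, so the credential lives only for the duration of the three npm steps; the local.ini entries still have to be applied by hand.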
To replicate the registry without attachments, you can point your CouchDB replicator at https://skimdb.npmjs.com/registry. Note that attachments for public packages will still be loaded from the public location, but anything you publish into your private registry will stay private.
To replicate the registry with attachments, consider using npm-fullfat-registry. The fullfatdb CouchDB instance is deprecated.
With the setup so far, you can point the npm client at the registry by putting this in your ~/.npmrc file:
registry = http://localhost:5984/registry/_design/app/_rewrite
You can also set the npm registry config property like:
npm config set \
registry=http://localhost:5984/registry/_design/app/_rewrite
Or you can simply override the registry config on each call:
npm \
--registry=http://localhost:5984/registry/_design/app/_rewrite \
install <package>
To be snazzier, add a vhost config:
[vhosts]
registry.mydomain.com:5984 = /registry/_design/app/_rewrite
Where registry.mydomain.com is the hostname where you're running the thing, and 5984 is the port that CouchDB is running on. If you're running on port 80, then omit the port altogether.
Then, for example, you can reference the registry like so:
npm config set registry http://registry.mydomain.com:5984
FAQs
The CouchApp implementation of an npm registry
The npm package npm-registry-couchapp receives a total of 138 weekly downloads. As such, npm-registry-couchapp popularity was classified as not popular.
We found that npm-registry-couchapp showed an unhealthy version release cadence and project activity because the last version was released a year ago. It has 7 open source maintainers collaborating on the project.