oclif-dynamic-commands
oclif plugin that loads commands dynamically on run.
The current folder's package.json is read to find the folders the dynamic commands can be found in.
npm i oclif-dynamic-commands
package.json:
    "oclif": {
      "plugins": [
        "oclif-dynamic-commands"
        ...
      ],
      ...
    }
Commands should be standard oclif commands, with one exception - command IDs are not defined by folder location, but manually and statically defined in the class itself:
    import { Command } from '@oclif/core';

    export default class Example extends Command {
      // The command ID is declared here, not derived from the file's location.
      static id = 'example';
      static summary = 'An example command.';
      static description = 'A longer description of your example command.';
      static examples = [
        '$ your-cli-command example',
      ];

      async run(): Promise<void> {
        this.log('Example command has been run!');
      }
    }
If your command is a sub-command (it contains the topic separator in it, e.g. drive:inacar), you must ensure the "root command" (drive) is defined somewhere in your built-in or dynamic commands, or you will not be able to see it in the help menu or list of available commands. Users will still be able to run the command, but its discoverability will suffer.
In the folder that is to contain your dynamic commands, ensure the package.json file has the following setting:
    "oclif": {
      "dynamic-commands": {
        "folders": [
          "./lib/commands/**/*.ts",
          "./src/commands/**/*.ts"
        ]
      }
    }
Folders will be explored in the order defined, and any new commands loaded will overwrite any existing commands with the same ID. In this way, you can allow for dynamic commands to override built-in commands, or allow for commands to be loaded from a common library, but still have project-specific commands overwrite them.
Entries in the folders array can use glob patterns from glob.
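Because a later folder can replace a built-in command of the same ID, it is worth listing those overrides before running the CLI in a checkout you did not write. The following is an added example, not the plugin's own code: it reads each file's `static id` without executing the file and applies the last-one-wins order described above; the function names, file paths and IDs are constructed for illustration.

```typescript
// Added example: models the load order described above; not the plugin's code.
interface SourceFile { path: string; text: string }
interface Winner { id: string; path: string; shadowed: string[] }

// Each command class declares `static id = '...'`, so the ID can be read
// from the source text without importing (and thereby running) the file.
function extractId(text: string): string | null {
  const m = /static\s+(?:readonly\s+)?id\s*=\s*(['"])([^'"]+)\1/.exec(text);
  return m ? m[2] : null;
}

// `builtins` are the CLI's own command IDs. `groups` holds the files matched
// by each "folders" entry, in the order the entries are listed.
// A later definition overwrites an earlier one with the same ID.
function resolveCommands(builtins: string[], groups: SourceFile[][]): Winner[] {
  const table: { [id: string]: Winner } = {};
  builtins.forEach((id) => { table[id] = { id, path: '<built-in>', shadowed: [] }; });
  groups.forEach((files) => files.forEach((f) => {
    const id = extractId(f.text);
    if (id === null) return; // no static id: not a command class
    const prev = table[id];
    const shadowed = prev ? prev.shadowed.concat(prev.path) : [];
    table[id] = { id, path: f.path, shadowed };
  }));
  return Object.keys(table).sort().map((id) => table[id]);
}

// Commands whose winning definition replaced another one: review these first.
function overrides(winners: Winner[]): Winner[] {
  return winners.filter((w) => w.shadowed.length > 0);
}

// Constructed sample input (hypothetical paths and IDs).
const sampleGroups: SourceFile[][] = [
  [{ path: 'lib/commands/deploy.ts', text: "export default class D extends Command { static id = 'deploy'; }" }],
  [{ path: 'src/commands/login.ts', text: "export default class L extends Command { static id = 'login'; }" },
   { path: 'src/commands/deploy.ts', text: 'export default class D2 extends Command { static id = "deploy"; }' },
   { path: 'src/commands/util.ts', text: 'export const helper = 1;' }],
];
const sampleWinners = resolveCommands(['login', 'help'], sampleGroups);
overrides(sampleWinners).forEach((w) =>
  console.log(`${w.id}: ${w.path} overrides ${w.shadowed.join(', ')}`));
```

In the sample, `login` from the project replaces the built-in `login`, which is the case to look at before trusting a repository's dynamic commands.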
If you are allowing users to write dynamic commands in TypeScript, you will need to ensure your CLI is being run through TypeScript, not running a pre-compiled JavaScript binary! Otherwise, you will get syntax errors when Node attempts to parse a TypeScript file.
One way to (relatively) easily do that is to add dev.sh and run.sh shell files to your binary folder that look like this:
    #!/usr/bin/env bash
    # Resolve the directory this script lives in, following symlinks.
    DIR="$(dirname "$(readlink -f "$0")")"
    # Run dev.js through tsx with the tsconfig.json of the current working directory.
    "$DIR/../node_modules/tsx/dist/cli.js" --tsconfig ./tsconfig.json -- "$DIR/dev.js" "$@"
This requires installing tsx in the dependencies of your CLI, which is a very quick TypeScript interpreter, though it has a few limitations.
This script will run the dev.js JavaScript file in your CLI's bin file, ensuring the tsconfig.json file from the current working directory is loaded. Which leads us to...
With the above shell file, the tsconfig.json of the current working directory is used to run your CLI. This is not strictly necessary, but it can reduce issues with customised tsconfig values needed by your dynamic commands. Specifically, if the project that your dynamic commands live within requires a special paths setting, you must use the tsconfig.json from the project's folder to ensure those paths are loaded and set correctly. Otherwise, any includes from your dynamic commands that rely on those paths being set will fail.
This raises an interesting question: How do you combine a paths setting from your project's tsconfig.json with one from your CLI? The short answer is that you cannot. So if you expect your dynamic commands to rely on custom paths, you cannot rely on them in your CLI.
You likely also want to both a) try to rely on as few custom TsConfig settings as you can and b) inform any developers of dynamic commands not to significantly modify their TsConfig settings or they could encounter unexpected failures when running the CLI.
FAQs
oclif plugin that loads commands dynamically from a directory.
The npm package oclif-dynamic-commands receives a total of 38 weekly downloads. As such, oclif-dynamic-commands popularity was classified as not popular.
We found that oclif-dynamic-commands demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.