oribuild-darwin-amd64
Tools and plugins to run innerloop builds of typescript monorepos using esbuild.
See the ori docs for instructions on usage and configuration as a standalone development builder.
See the ori api-service docs for instructions on consuming the ori javascript API.
ori
Install Go 1.22: https://go.dev/doc/install
If on Windows, install mingw-gcc. This is to support building libsass on Windows (https://github.com/wellington/go-libsass/issues/37); use the x86_64-posix-seh build of version v8.1.0.
Add the path of mingw-gcc's bin to your PATH (in my case /c/Program Files/mingw-w64/x86_64-8.1.0-posix-seh-rt_v6-rev0/mingw64/bin).
(Optional, but recommended) Install the Go VS Code plugin, and click "Install All" when it prompts you to install missing Go components (godef, gopkgs, gopls).
In order to get git working against private repos (which ori is in, for now), you have to configure git to authenticate to GitHub.
You can do this by putting a token in your .netrc, or you can route https requests through SSH with:
git config --global url.git@github.com:.insteadOf https://github.com/
The project uses a Go version past 1.13, so you also want to set the environment variable GOPRIVATE:
export GOPRIVATE=github.com/microsoft/ori
Set up an ori.json and a patches directory in your target project.
See above for the ori.json fields.
TODO: document the patches directory
TODO: make an example of an oribuild project + config (#10)
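A preflight check for the private-module setup above, added here as an example and not part of the oribuild repo: it verifies that GOPRIVATE covers github.com/microsoft/ori (using Go's path-element prefix rule) and that GitHub auth exists as either the insteadOf rewrite or a github.com entry in ~/.netrc with owner-only permissions. It assumes POSIX sh with git and go on PATH; the function names and the ~/.netrc path are assumptions.

```shell
# Preflight for building ori against the private github.com/microsoft/ori module.
# Added example, not part of the oribuild repo. Assumes POSIX sh; ori_preflight
# additionally assumes git and go are on PATH.

ORI_MODULE="github.com/microsoft/ori"

# goprivate_covers PATTERNS MODULE: 0 if MODULE matches one of the comma-separated
# GOPRIVATE patterns on a path-element boundary (Go's rule), else 1. $pat is left
# unquoted so globs like github.com/microsoft/* work; note that a shell '*' also
# crosses '/', which is slightly broader than Go's path.Match.
goprivate_covers() {
    module=$2
    rest="$1,"
    while [ -n "$rest" ]; do
        pat=${rest%%,*}
        rest=${rest#*,}
        [ -n "$pat" ] || continue
        case "$module" in
            $pat|$pat/*) return 0 ;;
        esac
    done
    return 1
}

# netrc_ok FILE: 0 if FILE has a github.com entry carrying a password (the token)
# and is readable by its owner only, since it holds a live credential; else 1.
netrc_ok() {
    f=$1
    [ -f "$f" ] || return 1
    grep -q 'machine github.com' "$f" || return 1
    grep -q 'password' "$f" || return 1
    [ "$(ls -ld "$f" | cut -c1-10)" = "-rw-------" ]
}

# ori_preflight: run before `go run . -c ../path/to/ori.json`. Without GOPRIVATE, go asks
# the public proxy and checksum database about the private path, which leaks it and fails.
ori_preflight() {
    status=0
    if ! goprivate_covers "$(go env GOPRIVATE)" "$ORI_MODULE"; then
        echo "GOPRIVATE does not cover $ORI_MODULE" >&2
        status=1
    fi
    if ! git config --global --get url.git@github.com:.insteadOf >/dev/null 2>&1 \
        && ! netrc_ok "$HOME/.netrc"; then
        echo "no GitHub auth: add the insteadOf rewrite or a github.com entry in ~/.netrc (mode 0600)" >&2
        status=1
    fi
    return "$status"
}
```

Source the file and call ori_preflight; a non-zero exit means one of the two setup steps is still missing.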
Building and Running
cd oribuild
go run . -c ../path/to/ori.json
The first time you run this, go will fetch and build all the dependencies in oribuild/go.mod.
Developing ori js libraries
yarn
Add more here as you hit unexpected situations
In client-web, yarn gulp gqlgen:generate needs to be run manually after any GraphQL change.
node_modules are not monitored and are assumed to be always stable. If you edit node_modules, you will need to save another file to refresh. Once separate builds are implemented (#8), you will have to restart the whole build agent, unless you specifically omit that node_module from the build cache.
ori exits with error 0xc0000139 on Windows
$ go run . -h
exit status 0xc0000139
This translates to STATUS_ENTRYPOINT_NOT_FOUND https://pkg.go.dev/golang.org/x/sys/windows
This probably means you have the wrong mingw install version and Windows can't find the entry-point symbols for the libsass binary at runtime. We're not 100% sure, but changing the mingw version to the one specified above fixes the issue.
# with mingw on your path
# Build entries
go run . -config=../ori.json
# Build an entry named "OWA Mail" from the entry points map, with code-splitting
# Note that this has to be loaded with a script type="module" entrypoint,
# since esbuild code-splitting forces esm modules
go run . -config=../ori.json -entry="OWA Mail" -split
# Generate a cpu profile for initial and incremental builds (the traces directory must already exist)
go run . -config=../ori.json -entry="OWA Mail" -traceInitialBuild -traceIncrementalBuilds -cpuprofile=traces/cpu.pprof
# Analyze cpu profiles (contains overview of CPU time)
go tool pprof -http=localhost:8080 traces/cpu.pprof.initial*
go tool pprof -http=localhost:8080 traces/cpu.pprof.incremental*
# Analyze traces
go tool trace traces/trace.out.*
# cutting a new release, from root dir
# first, update the version numbers in js/packages/oribuild/package.json,
# and update the dependency versions to the same version number.
git commit -m "bump to 0.0.0-pre-alpha.4"
git tag v0.0.0-pre-alpha.4
git push
git push --tags
# this reads the version numbers from js/packages/oribuild/package.json
# and generates new packages.
./scripts/build-nonmac.sh
# this publishes to npm (you'll have to npm login separately)
./scripts/publish-nonmac.sh
Why not use the esbuild node API?
In short, we tried it and it was slow: initial build times were several minutes, compared to the 40-odd seconds we see with the Go API, because of all the time plugins spent waiting to run on the Node main thread.
Can I customize ori for my monorepo?
For now, ori will remain extremely opinionated about what the monorepo shape must look like. As much as possible, we prefer convention over configuration.
In the same vein, rather than implementing plugins or encouraging people to fork and make their own custom builds of ori, new functionality will be added to the same ori binaries as needed.
Why is it called ori?
ori was started by the Outlook Web team, and is short for OWA Rapid Innerloop.
It can also be easily typed on a single row of a QWERTY keyboard without using your fifth fingers, which I value because I have ulnar neuropathy.
TODO: Populate this section as people ask more questions
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos is subject to those third parties' policies.