A web framework designed for things to come.[1]
import { createServer } from 'http';
import { createApp, respond } from 'quinn';
const app = createApp(req => respond({ body: 'Hello World!' }));
createServer(app).listen(3000);
Handler
A potentially async function that takes a request and returns a response.
// request is an http.IncomingMessage. result is a VirtualResponse, or
// undefined if the handler cannot handle this request; a promise for
// either is also fine.
function handler(request) {
  return result;
}
Request
An http.IncomingMessage. There are no additional properties or magical extension methods.
DispatchResult
Either a VirtualResponse[2] or undefined. If it's undefined, the handler was unable to handle the given request, e.g. the handler implements routing logic and no route matched the given URL.
VirtualResponse
A pass-through stream describing the response that should be returned. While it might have additional utility functions, only the following properties and methods should be relied on:
response.setHeader(name, value)
response.getHeader(name)
response.removeHeader(name)
response.statusCode
response.write(chunk[, encoding][, callback])
response.end([data][, encoding][, callback])
The behavior of each should match ServerResponse. All headers and the status code should be forwarded when the response is piped to a target: the statusCode by setting the property on the target, the headers by calls to setHeader on the target, one header at a time. Quinn itself only cares that it has a pipe method, which is used to forward the data to a ServerResponse.
// Mount a quinn handler as an express route handler; the quinn/express
// adapter pipes the returned VirtualResponse into express's res.
import express from 'express';
import { createApp as quinn, respond } from 'quinn/express';
const app = express();
app.get('/quinn-route', quinn(req => respond({ body: 'Hello World!' })));
Most of these concepts are based on JSGI, which would make sense if node didn't include an http server.
[1] In other words: an experimental mess.
[2] Because buzzword.
FAQs
The npm package quinn receives a total of 12 weekly downloads. As such, quinn's popularity was classified as not popular.
We found that quinn demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.