Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
A Distributed Lock Manager for Redis, implemented with the RedLock algorithm, using either node-redis or ioredis clients.
A Distributed Lock Manager for Redis, implemented with the RedLock algorithm, using either node-redis or ioredis clients.
npm i redis-dlm
import LockManager from "redis-dlm"
//create a new lock manager
const lockManager = new LockManager([
/**
* ioRedis clients, node-redis clients, or a mix.
* Clusters, instances, or a mix.
*/
]);
//acquire a lock
const lock = await lockManager.acquire('myKey');
//the lock's key
lock.key;
//the lock's unique value
lock.uid;
//the lock's initial duration in milliseconds
lock.duration;
//the lock's max hold time in milliseconds across extends
lock.maxHoldTime;
//the lock's creation time in milliseconds
lock.startTime;
//the time remaining in milliseconds before the lock expires
lock.remainingTime;
//extend the lock
await lock.extend();
//release the lock (or just wait for it to expire).
await lock.release();
You can pass a settings object to the lock manager's constructor, these will be the default settings used across all new locks.
const lockManager = new LockManager(clients, {
/** The duration of the lock in milliseconds, before the time to acquire is subtracted. Default `10000`. */
duration: 10000,
/** The number of times to retry aquiring a lock. Default `0`. */
retryCount: 0,
/** The max retry delay in milliseconds. A random time between this and zero will be selected. Default `500`. */
retryDelay: 500,
/** The maximum time in milliseconds that a lock should be held across extensions. Default `60000`. */
maxHoldTime: 60000,
/** The percent of the duration that should be used as drift, combined with `driftConstant`. Between 0 and 1. Default `0.001`. */
driftFactor: 0.001,
/** The fixed number of milliseconds to be used as drift, combined with `duration*driftFactor`. Default `5`. */
driftConstant: 5,
});
You can also pass the same settings object to acquire
, these will be used as the settings for only this lock.
const lock = await lockManager.acquire('myKey', {
duration: 10000,
retryCount: 0,
retryDelay: 500,
maxHoldTime: 60000,
driftFactor: 0.001,
driftConstant: 5,
});
Last, you can pass a subset of the settings object to extend
, these will only be used during this extend. If you do not pass duration
, the lock's original duration will be used. If you do not pass driftFactor
or driftConstant
the default values from the lock manager will be used.
await lock.extend({
duration: 10000,
driftFactor: 0.001,
driftConstant: 5,
});
All errors are generated at the time of function execution, there are no events. A full list of error types can be seen in the LockManagerError class.
A detailed overview of the RedLock algorithm can be read on the redis.io website. Quoting the site, a general overview is as follows:
In order to acquire the lock (on N instances, 5 here), the client performs the following operations:
- It gets the current time in milliseconds.
- It tries to acquire the lock in all the N instances sequentially, using the same key name and random value in all the instances. During step 2, when setting the lock in each instance, the client uses a timeout which is small compared to the total lock auto-release time in order to acquire it. For example if the auto-release time is 10 seconds, the timeout could be in the ~ 5-50 milliseconds range. This prevents the client from remaining blocked for a long time trying to talk with a Redis node which is down: if an instance is not available, we should try to talk with the next instance ASAP.
- The client computes how much time elapsed in order to acquire the lock, by subtracting from the current time the timestamp obtained in step 1. If and only if the client was able to acquire the lock in the majority of the instances (at least 3), and the total time elapsed to acquire the lock is less than lock validity time, the lock is considered acquired.
- If the lock was acquired, its validity time is considered to be the initial validity time minus the time elapsed, as computed in step 3.
- If the client failed to acquire the lock for some reason (either it was not able to lock N/2+1 instances or the validity time is negative), it will try to unlock all the instances (even the instances it believed it was not able to lock).
This package makes some minor changes to the algorithm, notably:
Promise.allSettled(requests)
.If absolute exclusivity is desired for a lock, even after an instance/node crash, extra settings are required for restarting/promoting instances/nodes. See the "Performance, crash-recovery and fsync" section of the RedLock documentation for more info.
Currently this has only been tested on Node.js 16.3.x
. More tests are to come and this section will be updated as I test them.
1.1.1 (2022-01-25)
CHANGELOG.md
from npm package.FAQs
A Distributed Lock Manager for Redis, implemented with the RedLock algorithm, using either node-redis or ioredis clients.
The npm package redis-dlm receives a total of 14 weekly downloads. As such, redis-dlm popularity was classified as not popular.
We found that redis-dlm demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.