Rugged orchestrates testing JavaScript packages across the variety of real-world environments and contexts where they’ll actually be used, with the files that will actually be published.
Today, people can consume your package in many contexts—in Node.js, in a browser, in an ECMAScript module, in a CommonJS module, within a library (e.g., React, Angular, etc.), with assistance from compilers/transpilers/bundlers (e.g., TypeScript, Babel, Webpack, etc.), even inside test runners (e.g., Jest, Mocha, etc.). Each of these contexts has a unique set of capabilities, limitations, requirements, global variables, etc. that could impact or even break your package’s behavior.
Further, testing often occurs only against the source files that are available in the repository, which is problematic in two ways. First, tools may manipulate the source code such that the compiled/transpiled/bundled version behaves slightly differently than the source. Second, misconfigurations in your `package.json` may cause necessary files to be excluded from the published version of your package.
Rugged facilitates testing your package in the environments and contexts where your package will be used, using the files that would be published (i.e., the compiled/transpiled/bundled files that are included according to your `package.json` settings).
This is done by injecting the compiled & packaged version of your package into a series of minimal test projects you create, which mimic the various contexts in which your package could be used/consumed. These test projects live in your package’s repository and simply need a `test` script in their `package.json` files. Rugged will run the `test` script in each test project to verify your package works as expected in each environment/context.
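The second problem above (a `package.json` whose `files` setting drops files the package actually needs) can be caught before publishing by comparing the entry points `package.json` references against the file list npm would pack. The check below is an added example, not part of Rugged; the tarball listing is constructed to match the shape of `npm pack --dry-run --json` output, and the sample package deliberately lists only `lib` while its entry points live in `dist`.

```javascript
// Added example (not Rugged's own code): verify that every entry point referenced in
// package.json is present in the set of files npm would publish.

// Strip a leading "./" so "./dist/index.js" and "dist/index.js" compare equal.
function normalizePath(p) {
  return p.replace(/^\.\//, "");
}

// Collect file paths referenced by main, module, browser, types, bin and the exports map.
function referencedEntryPoints(pkg) {
  const refs = new Set();
  const add = (v) => { if (typeof v === "string") refs.add(normalizePath(v)); };
  for (const key of ["main", "module", "browser", "types"]) add(pkg[key]);
  if (typeof pkg.bin === "string") add(pkg.bin);
  else if (pkg.bin && typeof pkg.bin === "object") Object.values(pkg.bin).forEach(add);
  // "exports" may be a string, a map of subpaths, or nested condition objects; walk all leaves.
  const walk = (node) => {
    if (typeof node === "string") add(node);
    else if (node && typeof node === "object") Object.values(node).forEach(walk);
  };
  walk(pkg.exports);
  return [...refs];
}

// Return the referenced entry points that are absent from the packed file list.
// packJson has the shape of `npm pack --dry-run --json`: [{ name, version, files: [{ path, ... }] }].
function missingFromTarball(pkg, packJson) {
  const published = new Set(packJson[0].files.map((f) => normalizePath(f.path)));
  return referencedEntryPoints(pkg).filter((p) => !published.has(p));
}

// Constructed sample: "files" lists only lib/, but every entry point points into dist/.
const samplePkg = {
  name: "example-lib", version: "1.0.0",
  main: "./dist/index.js", types: "./dist/index.d.ts",
  exports: { ".": { import: "./dist/index.mjs", require: "./dist/index.js" } },
  files: ["lib"],
};
// Constructed sample tarball listing (what `npm pack --dry-run --json` would report for samplePkg).
const samplePack = [{ name: "example-lib", version: "1.0.0", files: [
  { path: "package.json", size: 300 }, { path: "lib/index.js", size: 120 }, { path: "README.md", size: 50 },
] }];

const missing = missingFromTarball(samplePkg, samplePack);
console.log(missing.length ? `Missing from tarball: ${missing.join(", ")}` : "All entry points are published");
```

Run it as a pre-publish step and fail the build when the returned list is non-empty.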
Install with Yarn or npm:

```sh
yarn add --dev rugged
npm install --save-dev rugged
```
Add `rugged` to the `test` script in the `package.json` file:

```json
{
  "scripts": {
    "test": "rugged"
  }
}
```
Create a `test-projects/` directory with at least one test project inside of it (check out Rugged’s own test projects for examples, or the docs for more details and suggested projects).
Read the docs at: https://ruggedjs.io/docs/
Let the world know your package is being tested with Rugged!
[![tested with Rugged](https://img.shields.io/badge/tested%20with-Rugged-green)](https://github.com/sparksuite/rugged)
<a href="https://github.com/sparksuite/rugged">
<img alt="tested with rugged" src="https://img.shields.io/badge/tested%20with-Rugged-green">
</a>
We love contributions! Contributing is easy; learn how.
Orchestrate package testing across uneven terrain
The npm package rugged receives a total of 28 weekly downloads. As such, rugged popularity was classified as not popular.
We found that rugged has an unhealthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.