Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Framework Agnostic, Zero Dependency, Isomorphic & Minimalistic Dependency Injection Container for TypeScript and JavaScript projects
npm i --save true-di
yarn add true-di
Read Documentation on Git Book
./src/container.ts
import diContainer from 'true-di';
import { ILogger, IDataSourceService, IECommerceService } from './interfaces';
import Logger from './Logger';
import DataSourceService from './DataSourceService';
import ECommerceService from './ECommerceService';
type IServices = {
logger: ILogger,
dataSourceService: IDataSourceService,
ecommerceService: IECommerceService,
}
export default diContainer<IServices>({
logger: () =>
new Logger(),
dataSourceService: ({ logger }) =>
new DataSourceService(logger),
ecommerceService: ({ logger, dataSourceService }) =>
new ECommerceService(logger, dataSourceService),
});
./src/ECommerceService/index.ts
import {
IECommerceService, IDataSourceService, Order, IInfoLogger
} from '../interfaces';
class ECommerceSerive implements IECommerceService {
constructor(
private readonly _logger: IInfoLogger,
private readonly _dataSourceService: IDataSourceService,
) {
_logger.info('ECommerceService has been created');
}
async getOrders(): Promise<Order[]> {
const { _logger, _dataSourceService } = this;
// do something
}
async getOrderById(id: string): Promise<Order | null> {
const { _logger, _dataSourceService } = this;
// do something
}
}
export default ECommerceSerive;
./src/controller.ts
import Express from 'express';
import { IGetOrderById, IGetOrders } from './interfaces';
import { Injected } from './interfaces/IRequestInjected';
import { sendJson } from './utils/sendJson';
import { expectFound } from './utils/NotFoundError';
export const getOrders = (
{ injected: { ecommerceService } }: Injected<{ ecommerceService: IGetOrders }>,
res: Express.Response,
next: Express.NextFunction,
) =>
ecommerceService
.getOrders()
.then(sendJson(res), next);
export const getOrderById = (
{ params, injected: { ecommerceService } }:
{ params: { id: string } } & Injected<{ ecommerceService: IGetOrderById }>,
res: Express.Response,
next: Express.NextFunction,
) =>
ecommerceService
.getOrderById(params.id)
.then(expectFound(`Order(${params.id})`))
.then(sendJson(res), next);
./src/index.ts
import express from 'express';
import container from './container';
import { getOrderById, getOrders } from './controller';
import { handleErrors } from './middlewares';
const app = express();
app.use((req, _, next) => {
req.injected = container;
next();
});
app.get('/orders', getOrders);
app.get('/orders/:id', getOrderById);
app.use(handleErrors);
if (module.parent == null) {
app.listen(8080, () => {
console.log('Server is listening on port: 8080');
console.log('Follow: http://localhost:8080/orders');
});
}
export default app;
true-di
is designed to be used with Apollo Server considering to make resolvers as thin as possible, to keep all business logic testable and framework agnostic by strictly following S.O.L.I.D Principles.
Despite the origin motivation being related to Apollo Server the library could be used with any other framework or library that supports injection through the context.
The Getting Started Example shows how to use true-di
with one of the most popular nodejs libraries: Express. Almost all code in the example (~95%) is covered with tests that prove your business logic could be easily decoupled and kept independent even from dependency injection mechanism.
Thanking to business logic does not depend on specific injection mechanism you can defer the choice of framework. Such deferring is suggested by Robert Martin:
The purpose of a good architecture is to defer decisions, delay decisions. The job of an architect is not to make decisions, the job of an architect is to build a structure that allows decisions to be delayed as long as possible.
© 2014, Robert C. Martin: Clean Architecture and Design, NDC Conference,
Summarizing, true-di
is based on:
true-di
?reflect-metadata
are neededdiContainer
uses getters
under the hood. Container doesn't create an item until your code requestsdiContainer
-s could be composedFAQs
Zero Dependency, Minimalistic **Type-Safe DI Container** for TypeScript and JavaScript projects
The npm package true-di receives a total of 246 weekly downloads. As such, true-di popularity was classified as not popular.
We found that true-di demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.