The vary npm package is a utility for manipulating the HTTP Vary header. It allows developers to programmatically append values to the Vary header of an HTTP response, ensuring that the correct header is constructed for proper handling of HTTP caching, content negotiation, and other mechanisms that might vary the response based on certain aspects of the request.
Appending to the Vary header
This feature allows you to append a field to the Vary header of an HTTP response. In the code sample, the 'User-Agent' field is added to the Vary header, indicating that the response may vary based on the 'User-Agent' header of the request.
"use strict";
const http = require('http');
const vary = require('vary');

http.createServer((req, res) => {
  vary(res, 'User-Agent');
  res.end('Response varies based on User-Agent header.');
}).listen(3000);
Appending multiple fields
This feature allows you to append multiple fields to the Vary header at once. In the code sample, both 'User-Agent' and 'Accept-Encoding' are added to the Vary header, indicating that the response may vary based on both of these request headers.
"use strict";
const http = require('http');
const vary = require('vary');

http.createServer((req, res) => {
  vary(res, 'User-Agent, Accept-Encoding');
  res.end('Response varies based on User-Agent and Accept-Encoding headers.');
}).listen(3000);
The 'fresh' package is an HTTP response freshness testing library that evaluates whether a response is still 'fresh' in the context of request and response headers. It is similar to 'vary' in that it deals with HTTP headers, but 'fresh' focuses on cache validation while 'vary' focuses on managing the Vary header.
The 'negotiator' package is an HTTP content negotiation library that supports media types, charsets, encodings, languages, and more. It is similar to 'vary' in that it assists with content negotiation, but 'negotiator' provides a higher-level API for selecting the best response based on the client's request, whereas 'vary' is specifically for manipulating the Vary header.
Manipulate the HTTP Vary header
This is a Node.js module available through the npm registry. Installation is done using the npm install command:
$ npm install vary
var vary = require('vary')
vary(res, field)
Adds the given header field to the Vary response header of res. This can be a string of a single field, a string of a valid Vary header, or an array of multiple fields.
This will append the header if not already listed, otherwise leaves it listed in the current location.
// Append "Origin" to the Vary header of the response
vary(res, 'Origin')
vary.append(header, field)
Adds the given header field to the Vary response header string header. This can be a string of a single field, a string of a valid Vary header, or an array of multiple fields.
This will append the header if not already listed, otherwise leaves it listed in the current location. The new header string is returned.
// Get header string appending "Origin" to "Accept, User-Agent"
vary.append('Accept, User-Agent', 'Origin')
var http = require('http')
var vary = require('vary')

http.createServer(function onRequest (req, res) {
  // about to user-agent sniff
  vary(res, 'User-Agent')

  var ua = req.headers['user-agent'] || ''
  var isMobile = /mobi|android|touch|mini/i.test(ua)

  // serve site, depending on isMobile
  res.setHeader('Content-Type', 'text/html')
  res.end('You are (probably) ' + (isMobile ? '' : 'not ') + 'a mobile user')
})
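The README's Origin example and the caching point above can be seen end to end with the following added example, which is not the vary package's own code: it reimplements the documented append rules (no duplicates, case-insensitive, existing fields keep their position) and runs them against a constructed shared cache and origin server, so the effect of omitting Vary: Origin on a CORS response becomes visible. The cache, the allow list and the origins are assumptions for the demo.

```javascript
// Added example, not the vary package's code: the documented vary.append rules
// reimplemented, plus a constructed shared cache and origin server.
const parse = (s) => (s || '').split(',').map((f) => f.trim()).filter(Boolean);
// Append fields not already listed (case-insensitive), keep existing ones in place.
function appendVary(header, field) {
  const existing = parse(header);
  const incoming = Array.isArray(field) ? field : parse(field);
  if (existing.includes('*') || incoming.includes('*')) return '*';
  const seen = new Set(existing.map((f) => f.toLowerCase()));
  for (const f of incoming) {
    if (!seen.has(f.toLowerCase())) { seen.add(f.toLowerCase()); existing.push(f); }
  }
  return existing.join(', ');
}
// Toy shared cache: reuse a stored response only if every request header named in its Vary matches ("*" never does).
class SharedCache {
  constructor() { this.entries = new Map(); } // url -> [{ reqHeaders, res }]
  get(url, reqHeaders) {
    for (const e of this.entries.get(url) || []) {
      const vary = parse(e.res.headers.vary).map((f) => f.toLowerCase());
      if (vary.includes('*')) continue;
      if (vary.every((h) => (e.reqHeaders[h] || '') === (reqHeaders[h] || ''))) return e.res;
    }
    return null;
  }
  put(url, reqHeaders, res) {
    this.entries.set(url, [...(this.entries.get(url) || []), { reqHeaders, res }]);
  }
}
// Origin server that reflects an allow-listed Origin into
// Access-Control-Allow-Origin and, only when asked, adds Vary: Origin.
const ALLOWED = new Set(['https://app.example', 'https://admin.example']);
function originServer(reqHeaders, varyOnOrigin) {
  const headers = { 'content-type': 'application/json' };
  if (ALLOWED.has(reqHeaders.origin)) headers['access-control-allow-origin'] = reqHeaders.origin;
  if (varyOnOrigin) headers.vary = appendVary(headers.vary, 'Origin');
  return { headers, body: '{"ok":true}' };
}
// Two browsers from different origins behind one shared cache; returns the
// Access-Control-Allow-Origin value the second one (admin.example) receives.
function simulate(varyOnOrigin) {
  const cache = new SharedCache();
  const fetchVia = (reqHeaders) => {
    let res = cache.get('/api/data', reqHeaders);
    if (!res) { res = originServer(reqHeaders, varyOnOrigin); cache.put('/api/data', reqHeaders, res); }
    return res;
  };
  fetchVia({ origin: 'https://app.example' });
  return fetchVia({ origin: 'https://admin.example' }).headers['access-control-allow-origin'];
}
```

Without Vary: Origin the cache hands the second browser the response stamped for app.example, which its browser will then reject; with it, each origin gets its own cached copy.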
$ npm test
FAQs
Manipulate the HTTP Vary header
The npm package vary receives a total of 28,679,270 weekly downloads. As such, vary's popularity was classified as popular.
We found that vary demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.