
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
公司内部使用的项目脚手架工具:支持交互式/命令式生成项目与代码模板,并提供 .ylyxrc.json 项目配置、环境配置切换(isDev)、以及一键部署(测试服上传/正式服打包压缩)等能力。
create 支持交互式收集变量,降低使用门槛ylyx config dev|prod,自动同步/复制 default.js.ylyxrc.json、config/default-*.js,并可写入 npm 前/后置脚本buildDir 对齐npm install -g ylyx-cli
# 使用 npx 直接运行
npx ylyx-cli create
# 生成项目
npx ylyx-cli generate react-app -n my-project -o ./my-project
# 安装远程模板
npx ylyx-cli install owner/repo
git clone <repository>
cd ylyx-cli
npm install
npm link # 链接到全局,可以本地测试
使用交互式方式创建新项目(推荐):
ylyx create
或者直接指定模板和项目名:
# 创建一个 React 项目
ylyx generate react-app -n my-project -o ./my-project
ylyx list
从 GitHub/GitLab 安装模板:
# 使用简写格式(GitHub)
ylyx install owner/repo
# 使用完整 URL
ylyx install https://github.com/owner/repo
# 指定分支和模板名
ylyx install owner/repo -b develop -n my-template
ylyx add template-name /path/to/template
ylyx info template-name
将当前目录的 .ylyxrc.json 写入/更新 mode(仅支持 dev / prod):
ylyx config --mode dev
# 或
ylyx config prod
初始化当前目录的配置文件与默认配置模板(会生成/补齐 .ylyxrc.json,并创建 config/default-dev.js、config/default-prod.js 等;默认不覆盖已有文件):
ylyx init config
# 指定初始模式
ylyx init config --mode prod
# 强制覆盖已存在文件
ylyx init config --force
init config 还会尝试在当前目录的 package.json 中写入 npm 前置脚本(可在 .ylyxrc.json 的 preScripts 配置脚本名):
predev 和 postbuild:prodnpm run dev 前,会自动先执行 ylyx config dev(dev 使用 symlink 实时同步)npm run build:prod 后,会自动执行 ylyx config prod && ylyx deploy(将 default-prod.js 复制到打包输出目录,并执行部署)prod 输出目录规则:
.ylyxrc.json 的 buildDir.env.production 的 VUE_APP_PUBLIC_URL,默认写入 <VUE_APP_PUBLIC_URL>/default.js(会去掉首尾 /)deploy 会读取当前项目目录的 .ylyxrc.json 的 deploy 字段。
{
"mode": "dev",
"buildDir": "dist/app",
"deploy": {
"env": "test",
"host": "172.17.28.216",
"port": "22",
"username": "root",
"password": "你的密码",
"localDir": "./EXTERNAL_DIGIC",
"remoteDir": "/usr/local/nginx/html/EXTERNAL_DIGIC",
"zipAfter": false,
"zipOutDir": "./.ylyx-deploy"
}
}
压缩产物命名规则(正式服或 --zip):buildDir(最后一级)-YYYYMMDDHHmmss-哈希(纯字母).zip,且 zip 内顶层目录名为 buildDir 的最后一级目录名。
localDir 默认推导优先级:deploy.localDir → .env.production 的 VUE_APP_PUBLIC_URL → .ylyxrc.json 的 buildDir。
ylyx deploy
ylyx deploy --env test
ylyx deploy --env prod
模板可以放在 Git 仓库中(如 GitHub、GitLab),使用 ylyx install 命令安装。
模板仓库需要包含以下结构:
your-template/
template.json # 模板配置文件(可选)
files/ # 模板文件目录
...
# 从 GitHub 安装模板
ylyx install github-user/react-template
# 从私有仓库安装(需要配置 SSH 密钥)
ylyx install git@github.com:company/templates.git
# 指定分支
ylyx install owner/repo -b v2.0
模板应放在 templates/ 目录下,结构如下:
templates/
template-name/
template.json # 模板配置文件
files/ # 模板文件目录
example.js
example.css
{
"name": "template-name",
"description": "模板描述",
"version": "1.0.0",
"variables": {
"projectName": {
"type": "input",
"message": "请输入项目名称",
"default": "my-project"
}
},
"processFiles": ["package.json", "README.md", "*.json"],
"skipFiles": ["**/*.vue", "**/*.js"]
}
可以在项目根目录创建 .ylyxrc.json 配置文件:
{
"mode": "dev",
"publicDir": "./public",
"configDir": "./config",
"preScripts": {
"dev": "dev",
"prod": "build:prod"
},
"templatesDir": "./templates",
"outputDir": "./src",
"defaultVariables": {
"author": "Your Name",
"company": "YLYX"
}
}
# 生成 React 项目
ylyx generate react-app -n my-react-app -o ./my-react-app
# 生成后进入目录并安装依赖
cd my-react-app
npm install
npm start
ISC
FAQs
We found that ylyx-cli demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.