
Research
/Security News
11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.
公司内部使用的项目脚手架工具:支持交互式/命令式生成项目与代码模板,并提供 .ylyxrc.json 项目配置、支持任意数量的自定义环境切换(dev/test/staging/prod...),以及一键部署(SFTP 上传/仅压缩)等能力。
说明:每个环境需要在
.ylyxrc.json中显式配置buildDir等路径信息(不再从.env.production自动推导)。
create 支持交互式收集变量,降低使用门槛.ylyxrc.json 的 environments 支持任意数量的自定义环境(dev/test/staging/prod...),ylyx config <name> 一键切换.ylyxrc.json、config/default-*.js,并可写入 npm 前/后置脚本deployMethod 决定上传(SFTP,带上传进度)或仅压缩,压缩包命名/顶层目录规则与该环境 buildDir 对齐npm install -g ylyx-cli
# 使用 npx 直接运行
npx ylyx-cli create
# 生成项目
npx ylyx-cli generate react-app -n my-project -o ./my-project
# 安装远程模板
npx ylyx-cli install owner/repo
git clone <repository>
cd ylyx-cli
npm install
npm link # 链接到全局,可以本地测试
使用交互式方式创建新项目(推荐):
ylyx create
或者直接指定模板和项目名:
# 创建一个 React 项目
ylyx generate react-app -n my-project -o ./my-project
ylyx list
从 GitHub/GitLab 安装模板:
# 使用简写格式(GitHub)
ylyx install owner/repo
# 使用完整 URL
ylyx install https://github.com/owner/repo
# 指定分支和模板名
ylyx install owner/repo -b develop -n my-template
ylyx add template-name /path/to/template
ylyx info template-name
将当前目录的 .ylyxrc.json 切换到指定环境(环境名来自 .ylyxrc.json 的 environments 数组,可以是任意自定义名字):
ylyx config dev
ylyx config prod
ylyx config staging
不传参数时进入交互式选择(按本地/部署环境分组,当前环境标注"(当前)",默认光标停在当前环境):
ylyx config
若 .ylyxrc.json 是旧版格式(没有 configVersion),命令会报错并提示先运行:
ylyx migrate config
初始化当前目录的配置文件与默认配置模板(会生成/补齐 .ylyxrc.json,并为每个环境创建 config/default-<name>.js;默认不覆盖已有文件):
ylyx init config
# 指定初始 currentEnv
ylyx init config --env prod
# 强制覆盖已存在文件
ylyx init config --force
新项目默认生成两个环境:dev(本地开发,isLocal:true)和 prod(deployMethod:'zip',buildDir:'dist/app')。如果需要 test/staging 等更多环境,在 .ylyxrc.json 的 environments 数组里手动追加后,重新运行 ylyx init config --force 补写对应的 config/default-<name>.js 和 npm 钩子。
init config 会根据每个环境的 npmScript 字段,在当前目录的 package.json 中写入 npm 钩子:
isLocal: true 的环境(如 dev)→ 写入 pre<npmScript>: "ylyx config <name>"post<npmScript>,若该环境 deployMethod 不是 none,值为 "ylyx config <name> && ylyx deploy --env <name>",否则只是 "ylyx config <name>"每个环境的构建输出目录由该环境条目的 buildDir 字段决定,需要显式配置。
deploy 会读取当前项目目录的 .ylyxrc.json 的 environments 数组,按 --env <name> 指定的环境读取对应字段。
{
"configVersion": 2,
"publicDir": "./public",
"configDir": "./config",
"currentEnv": "dev",
"environments": [
{ "name": "dev", "isLocal": true, "npmScript": "dev", "deployMethod": "none" },
{
"name": "test",
"npmScript": "build:test",
"deployMethod": "upload",
"buildDir": "dist/test",
"host": "172.17.28.216",
"port": "22",
"username": "root",
"password": "你的密码",
"localDir": "./dist/test",
"remoteDir": "/usr/local/nginx/html/TEST_APP",
"zipAfter": false
},
{
"name": "prod",
"npmScript": "build:prod",
"deployMethod": "zip",
"buildDir": "dist/app",
"zipOutDir": "./.ylyx-deploy"
}
]
}
deployMethod: 'upload' 的环境:SFTP 递归上传到服务器(带上传进度)deployMethod: 'zip' 的环境:不上传,仅压缩deployMethod: 'none' 的环境:不可部署压缩产物命名规则:buildDir(最后一级)-YYYYMMDDHHmmss-哈希(纯字母).zip,且 zip 内顶层目录名为 buildDir 的最后一级目录名。
localDir 缺省时使用该环境的 buildDir;不再支持从 .env.production 自动推导,需要显式配置。
如果 .ylyxrc.json 还是旧格式(mode/deploy/顶层 buildDir),运行:
ylyx migrate config
会自动生成 dev(本地开发)、test(SFTP 上传)、prod(仅压缩)三个环境,并删除旧的 mode/deploy/buildDir/preScripts 字段。迁移后请检查 test/prod 环境里的 host/username/password 等敏感信息,并按需运行 ylyx init config --force 补写 package.json 的部署钩子。
每次执行 deploy 会在本地生成一份日志,默认在 ./.ylyx-deploy/logs/,包含上传/压缩过程与错误信息,便于追溯。
ylyx deploy
ylyx deploy --env test
ylyx deploy --env prod
ylyx deploy --env staging
模板可以放在 Git 仓库中(如 GitHub、GitLab),使用 ylyx install 命令安装。
模板仓库需要包含以下结构:
your-template/
template.json # 模板配置文件(可选)
files/ # 模板文件目录
...
# 从 GitHub 安装模板
ylyx install github-user/react-template
# 从私有仓库安装(需要配置 SSH 密钥)
ylyx install git@github.com:company/templates.git
# 指定分支
ylyx install owner/repo -b v2.0
模板应放在 templates/ 目录下,结构如下:
templates/
template-name/
template.json # 模板配置文件
files/ # 模板文件目录
example.js
example.css
{
"name": "template-name",
"description": "模板描述",
"version": "1.0.0",
"variables": {
"projectName": {
"type": "input",
"message": "请输入项目名称",
"default": "my-project"
}
},
"processFiles": ["package.json", "README.md", "*.json"],
"skipFiles": ["**/*.vue", "**/*.js"]
}
可以在项目根目录创建 .ylyxrc.json 配置文件:
{
"configVersion": 2,
"currentEnv": "dev",
"publicDir": "./public",
"configDir": "./config",
"environments": [
{ "name": "dev", "isLocal": true, "npmScript": "dev", "deployMethod": "none" },
{ "name": "prod", "npmScript": "build:prod", "deployMethod": "zip", "buildDir": "dist/app" }
],
"templatesDir": "./templates",
"outputDir": "./src",
"defaultVariables": {
"author": "Your Name",
"company": "YLYX"
}
}
# 生成 React 项目
ylyx generate react-app -n my-react-app -o ./my-react-app
# 生成后进入目录并安装依赖
cd my-react-app
npm install
npm start
ISC
FAQs
The npm package ylyx-cli receives a total of 198 weekly downloads. As such, ylyx-cli popularity was classified as not popular.
We found that ylyx-cli demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.

Research
/Security News
4 compromised asyncapi packages deliver miasma botnet loader on macOS, Linux and Windows.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.