Socket - Secure your dependencies. Ship with confidence.Secure your dependencies. Ship with confidence.Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.
npmã®@typesスコープã«ãŠã‘ã‚‹ä»»æ„ã®ãƒ‘ッケージã®æ”¹ç«„
ã¯ã˜ã‚ã«@typesスコープを管ç†ã—ã¦ã„ã‚‹Definitely Typedã¯ã€Microsoftã‹ã‚‰æ”¯æ´ã‚’å—ã‘ã¦ã„ã‚‹ã‚‚ã®ã®ã€Microsoftã®è„†å¼±æ€§å ±å¥¨é‡‘制度ã«ãŠã‘るセーフãƒãƒ¼ãƒãƒ¼ã®å¯¾è±¡ã§ã¯ã‚ã‚Šã¾ã›ã‚“。1 本記事ã¯ã€å…¬é–‹ã•ã‚Œã¦ã„ã‚‹æƒ…å ±ã‚’å…ƒã«è„†å¼±æ€§ã®å˜åœ¨ã‚’推測ã—ã€å®Ÿéš›ã«æ¤œè¨¼ã™ã‚‹ã“ã¨ãªã潜在的ãªè„†å¼±æ€§ã¨ã—ã¦å ±å‘Šã—ãŸå•é¡Œã«é–¢ã—ã¦èª¬æ˜Žã—ãŸã‚‚ã®ã§ã‚ã‚Šã€ç„¡è¨±å¯ã®è„†å¼±æ€§è¨ºæ–行為を推奨ã™ã‚‹ã“ã¨ã‚’æ„図ã—ãŸã‚‚ã®ã§ã¯ã‚ã‚Šã¾ã›ã‚“。 Definitely Typedã«è„†å¼±æ€§ã‚’発見ã—ãŸå ´åˆã¯ã€Definitely Typedã®ãƒ¡ãƒ³ãƒãƒ¼ã¸å ±å‘Šã—ã¦ãã ã•ã„。 è¦ç´„Definitely Typedã®ãƒ—ルリクエスト管ç†Botã«è„†å¼±æ€§ãŒå˜åœ¨ã—ã€æ‚ªæ„ã®ã‚るプルリクエストをDefinitelyTyped/DefinitelyTypedリãƒã‚¸ãƒˆãƒªã¸ãƒžãƒ¼ã‚¸ã™ã‚‹ã“ã¨ãŒå¯èƒ½ã ã£ãŸã€‚ ã“ã‚Œã«ã‚ˆã‚Šã€npm上ã®@typesスコープé…下ã«å˜åœ¨ã™
npmã¨yarnã®è„†å¼±æ€§ã¨postinstall - Cybozu Inside Out | サイボウズエンジニアã®ãƒ–ãƒã‚°
フãƒãƒ³ãƒˆã‚¨ãƒ³ãƒ‰ã‚¨ã‚スパートãƒãƒ¼ãƒ ã®å°æž—(@koba04)ã§ã™ã€‚ 先日ã€npmã‹ã‚‰è„†å¼±æ€§ã«ã¤ã„ã¦ã®ç™ºè¡¨ãŒã‚ã‚Šã¾ã—ãŸã€‚ 調ã¹ã¦ã„ãä¸ã§ã„ãã¤ã‹æ€ã†ã¨ã“ã‚ãŒã‚ã£ãŸã®ã§è§£èª¬ã‚‚å…¼ãã¦æ›¸ã„ã¦ã„ããŸã„ã¨æ€ã„ã¾ã™ã€‚ The npm Blog — Binary Planting with the npm CLI npmã®åˆ©ç”¨è€…ã¨ã—ã¦ã‚„ã‚‹ã¹ãã“ã¨ã¯ã€ npmã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã‚’6.13.4以上ã«ã‚ã’ã‚‹ yarnã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã‚’1.21.1以上ã«ã‚ã’ã‚‹ ã§ã™ã€‚ npmã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³ãŒ6.13.4ã«ãªã£ãŸNodeã‚‚v8, v10, v12, v13ç³»ã§ãã‚Œãžã‚Œãƒªãƒªãƒ¼ã‚¹ã•ã‚ŒãŸã®ã§ã€ãã¡ã‚‰ã‚’利用ã™ã‚‹ã“ã¨ã‚‚å¯èƒ½ã§ã™ (yarnã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã¯åˆ¥é€”ã‚ã’ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™ï¼‰ã€‚ nodejs.org npmã«ã‚ˆã‚‹ç™ºè¡¨ã§ã¯ã€ä»Šå›žç™ºè¡¨ã•ã‚ŒãŸè„†å¼±æ€§ã¯2件ã‚ã‚‹ãŸã‚ã€ãã‚Œãžã‚Œå€‹åˆ¥ã«è€ƒãˆã¾ã™ã€‚ binã«ä»»æ„ã®ãƒ‘スを指定出æ¥ã‚‹ä»¶ npmパッケージã¯pa
npm Blog Archive: `npm audit`: identify and fix insecure dependencies
The npm blog has been discontinued. Updates from the npm team are now published on the GitHub Blog and the GitHub Changelog. Last month, we announced npm@6, which includes a powerful new tool to protect the safety of your code, npm audit. Together with new automatic alerts when a user installs code with a known security risk, audit is a dramatic step to ensure the quality and integrity of the code
npm Blog Archive: `crossenv` malware on the npm registry
The npm blog has been discontinued. Updates from the npm team are now published on the GitHub Blog and the GitHub Changelog. On August 1, a user notified us via Twitter that a package with a name very similar to the popular cross-env package was sending environment variables from its installation context out to npm.hacktask.net. We investigated this report immediately and took action to remove the
npmjs.com ã§è‘—åソフトウェアã«ã‚ˆãä¼¼ãŸåå‰ã®ãƒžãƒ«ã‚¦ã‚§ã‚¢ãŒå¤§é‡ã«ç™ºè¦‹ã•ã‚ŒãŸ - Islands in the byte stream
Malicious packages in npm. Here’s what to do | Ivan Akulov’s blog People found malicious packages in npm that work like real ones, are named similarly real ones, but collect and send your process environment to a third-party server when you install them 訳: 悪æ„ã®ã‚るパッケージãŒnpmã§ç™ºè¦‹ã•ã‚ŒãŸã€‚ãれらã¯ã€å®Ÿéš›ã®ãƒ‘ッケージã«ã‚ˆãä¼¼ãŸåå‰ã§åŒã˜ã‚ˆã†ã«å‹•ããŒã€ãƒ‘ッケージã®ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«æ™‚ã«ãƒ—ãƒã‚»ã‚¹ã®ç’°å¢ƒå¤‰æ•°ã‚’外部ã®ã‚µãƒ¼ãƒã«é€ä¿¡ã™ã‚‹ã€‚ 発見ã•ã‚ŒãŸãƒ‘ッケージã®ä¸€è¦§ã¯å…ƒã‚¨ãƒ³ãƒˆãƒªã‚’ã©ã†ãžã€‚ã“ã®ã‚ˆã†ãªãƒžãƒ«ã‚¦ã‚§ã‚¢ã§ã‚ã‚‹å½ãƒ‘ッケージã®ä¸€ä¾‹ã‚’ã‚ã’ã‚‹ã¨ã€ ba
1
リリースã€éšœå®³æƒ…å ±ãªã©ã®ã‚µãƒ¼ãƒ“スã®ãŠçŸ¥ã‚‰ã›
最新ã®äººæ°—エントリーã®é…ä¿¡
j次ã®ãƒ–ックマーク
kå‰ã®ãƒ–ックマーク
lã‚ã¨ã§èªã‚€
eコメント一覧を開ã
oページを開ã
{{#tags}}- {{label}}
{{/tags}}