Identify which NPM libraries are used on a website with Bundle Scanner

Bundle Scanner identifies which npm libraries are used on any website. It downloads every Javascript file from a URL and searches through the files for code that matches one of the 35,000 most popular npm libraries. The scanning itself works in a pretty ingenious way: When a user requests to scan a website, Bundle Scanner …

Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

While looking at a package.json from a public project from PayPal, Alex Birsan noticed that it held some references to private NPM packages used internally by PayPal. Birsan noticed some of the manifest file packages were not present on the public npm repository but were instead PayPal’s privately created npm packages, used and stored internally …

Super fast npm install on Github Actions

The folks at Voorhoede share how they integrated the actions/cache@v2 build step into their GitHub Workflow so that it caches npm install results. Super fast npm install on Github Actions → Related: By Shallow + Single Branch Cloning you can speed up the git clone step of your build pipeline. The actions/checkout@v2 build step already …

Easily install local NPM packages by simply referring to their local path

Directly installing a package with npm install and referring to its local path is a quick way to work with a local package. To be safe though, the usage of npm link is still recommended. The npm link way To work with local NPM packages on can reside to using npm link. You make a …

Beware when merging Pull Requests with a changed lockfile

When watching a diff that contains a lockfile (say: a yarn.lock for example) on GitHub, GitHub doesn’t always show the differences (see screenshot above) as the changes in such files tend to be quite big. And even if it were to show the changes, does one really take a close look into it? With this …

Wombat Dressing Room, an npm publication proxy on GCP

When automating the publishing of an NPM package, 2FA can get in the way, as you can’t really automate entering a 2FA auth code off a cellphone. Enter Wombat Dressing Room from Google: With Wombat Dressing Room, rather than an individual configuring two factor authentication in an authenticator app, 2FA is managed by a shared …

Use a Github repository branch or commit as a dependency in package.json

Recently I needed to test a branch of a forked GitHub repository inside a project. Instead of cloning the fork and symlinking the package locally, I installed the remote dependency directly into the project. To achieve I used the following command: Using NPM: npm install git@github.com:user/repo.git#branchname or npm install git+ssh://git@github.com:user/repo.git#branchname Using Yarn: yarn add ssh://git@github.com:user/repo.git#branchname …

Programmatically add scripts to package.json with npm-add-script

Recently I needed to automate the addition of the addition of a script defined in a package.json‘s scripts section. To do this I used npm-add-script (an older, but still functioning project), along with the aforementioned npx. For example, to add a script labelled start with the contents webpack-dev-server –config ./config/webpack.config.babel.js –env.MODE=development –open –hot, I use: …

Find the cost of adding a npm package to your bundle with BundlePhobia

Ever wondered what the (size) impact of adding an NPM package to your project is? BundlePhobia is a tool that does not only that, it also recommends you other similar packages that have a lesser load. This thing lets you understand the performance cost of npm install‘ing a new npm package before actually adding it …