@lionad/safe-npx 0.2.2 → 0.2.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +46 -35
- package/package.json +1 -1
- package/snpx.js +3 -3
package/README.md
CHANGED
|
@@ -1,81 +1,92 @@
|
|
|
1
|
-
|
|
1
|
+
<center>
|
|
2
|
+
<img src="./assets/logo.png" alt="safe-npx logo" height="300px"/>
|
|
3
|
+
<p style="margin-top: -4em;"><em><code>snpx -y pkg@latest</code> protects you from newly compromised packages</em></p>
|
|
4
|
+
<br>
|
|
5
|
+
<br>
|
|
6
|
+
</center>
|
|
2
7
|
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
## Why
|
|
8
|
+
## Why / 为什么需要
|
|
6
9
|
|
|
7
10
|
`npx -y pkg@latest` installs the bleeding edge. If that version was just compromised in a supply chain attack, you get owned immediately. **snpx** intercepts `@latest` (and bare package names) and resolves a safe version based on publish age and a configurable fallback strategy. This gives the security community time to catch malicious releases.
|
|
8
11
|
|
|
9
|
-
|
|
12
|
+
`npx -y pkg@latest` 会直接安装最新版本。如果该版本刚被供应链攻击(Supply Chain Attack)篡改,你会立即中招。**snpx** 会拦截 `@latest`(以及裸包名),根据发布时间和可配置的回退策略(Fallback Strategy)解析出一个安全版本。这为安全社区争取了发现和处置恶意发布的时间窗口。
|
|
13
|
+
|
|
14
|
+
## Install / 安装
|
|
10
15
|
|
|
11
16
|
```bash
|
|
12
17
|
npm install -g @lionad/safe-npx
|
|
13
18
|
```
|
|
14
19
|
|
|
15
|
-
## Usage
|
|
20
|
+
## Usage / 用法
|
|
16
21
|
|
|
17
|
-
Drop-in replacement for `npx
|
|
22
|
+
Drop-in replacement for `npx` — 直接替换 `npx` 即可:
|
|
18
23
|
|
|
19
24
|
```bash
|
|
20
25
|
# Instead of npx -y create-react-app@latest my-app
|
|
26
|
+
# 替代 npx -y create-react-app@latest my-app
|
|
21
27
|
snpx -y create-react-app@latest my-app
|
|
22
28
|
|
|
23
|
-
# Works with scoped packages too
|
|
29
|
+
# Works with scoped packages too / 支持带 scope 的包
|
|
24
30
|
snpx -y @vue/cli@latest create my-project
|
|
25
31
|
|
|
26
|
-
# Bare package names are also intercepted
|
|
32
|
+
# Bare package names are also intercepted / 裸包名同样会被拦截
|
|
27
33
|
snpx -y cowsay "Hello World"
|
|
34
|
+
|
|
35
|
+
# Flags after the package are passed through to the tool / 包名之后的参数会透传给被执行的工具
|
|
36
|
+
snpx cowsay@latest --version
|
|
28
37
|
```
|
|
29
38
|
|
|
30
|
-
## How it works
|
|
39
|
+
## How it works / 工作原理
|
|
31
40
|
|
|
32
|
-
1. Intercepts calls containing `@latest` and bare package names
|
|
33
|
-
2. Queries npm registry for the package
|
|
34
|
-
3. If `latest` is older than the safety window (default 24h), uses `latest`
|
|
35
|
-
4. Otherwise, falls back through the configured strategy
|
|
36
|
-
- `patch` = version published immediately before `latest`
|
|
37
|
-
- `minor` = most recently published version of the previous minor line
|
|
38
|
-
- `major` = most recently published version of the previous major line
|
|
39
|
-
5. Verifies the fallback version is also older than the safety window
|
|
40
|
-
6. Caches the resolved version for the duration of the safety window
|
|
41
|
-
7. Executes `npx pkg@resolved_version ...`
|
|
41
|
+
1. Intercepts calls containing `@latest` and bare package names / 拦截包含 `@latest` 和裸包名的调用
|
|
42
|
+
2. Queries npm registry for the package / 查询 npm registry 获取包信息
|
|
43
|
+
3. If `latest` is older than the safety window (default 24h), uses `latest` / 如果 `latest` 发布时间超过安全窗口(默认 24 小时),直接使用
|
|
44
|
+
4. Otherwise, falls back through the configured strategy / 否则,按配置的策略依次回退:
|
|
45
|
+
- `patch` = version published immediately before `latest` / 发布时间紧邻 `latest` 之前的版本
|
|
46
|
+
- `minor` = most recently published version of the previous minor line / 上一个 minor 线最近发布的版本
|
|
47
|
+
- `major` = most recently published version of the previous major line / 上一个 major 线最近发布的版本
|
|
48
|
+
5. Verifies the fallback version is also older than the safety window / 验证回退版本也超过安全窗口
|
|
49
|
+
6. Caches the resolved version for the duration of the safety window / 在安全窗口期间缓存解析结果
|
|
50
|
+
7. Executes `npx pkg@resolved_version ...` / 执行 `npx pkg@resolved_version ...`
|
|
42
51
|
|
|
43
|
-
## Options
|
|
52
|
+
## Options / 选项
|
|
44
53
|
|
|
45
54
|
```bash
|
|
46
|
-
# Configure safety window (hours)
|
|
55
|
+
# Configure safety window (hours) / 配置安全窗口(小时)
|
|
47
56
|
snpx --time 48 cowsay@latest
|
|
48
57
|
|
|
49
|
-
# Configure fallback strategy (left-to-right precedence)
|
|
58
|
+
# Configure fallback strategy (left-to-right precedence) / 配置回退策略(从左到右优先)
|
|
50
59
|
snpx --fallback-strategy patch,minor,major cowsay@latest
|
|
51
60
|
|
|
52
|
-
# Print resolved version without executing
|
|
61
|
+
# Print resolved version without executing / 打印解析到的版本但不执行
|
|
53
62
|
snpx --show-version cowsay@latest
|
|
54
63
|
|
|
55
|
-
# Check for snpx updates (safe mode - respects 24h window)
|
|
64
|
+
# Check for snpx updates (safe mode - respects 24h window) / 检查 snpx 自身更新(安全模式,遵守 24 小时窗口)
|
|
56
65
|
snpx --self-update
|
|
57
66
|
|
|
58
|
-
# Bypass safety window for self-update check (not recommended)
|
|
67
|
+
# Bypass safety window for self-update check (not recommended) / 跳过安全窗口检查更新(不推荐)
|
|
59
68
|
snpx --unsafe-self-update
|
|
60
69
|
|
|
61
|
-
# Show help
|
|
70
|
+
# Show help / 显示帮助
|
|
62
71
|
snpx --help
|
|
63
72
|
```
|
|
64
73
|
|
|
65
|
-
## Environment Variables
|
|
74
|
+
## Environment Variables / 环境变量
|
|
66
75
|
|
|
67
|
-
- `SNPX_TIME` — Default for `--time`
|
|
68
|
-
- `SNPX_FALLBACK_STRATEGY` — Default for `--fallback-strategy`
|
|
76
|
+
- `SNPX_TIME` — Default for `--time` / `--time` 的默认值
|
|
77
|
+
- `SNPX_FALLBACK_STRATEGY` — Default for `--fallback-strategy` / `--fallback-strategy` 的默认值
|
|
69
78
|
|
|
70
|
-
## Cache
|
|
79
|
+
## Cache / 缓存
|
|
71
80
|
|
|
72
81
|
Resolved versions are cached in `~/.cache/snpx/` for the duration of the safety window (default 24 hours). This means:
|
|
73
|
-
- Fast subsequent runs (no registry requests)
|
|
74
|
-
- At most one registry query per package per window
|
|
82
|
+
- Fast subsequent runs (no registry requests) / 后续运行更快(无需请求 registry)
|
|
83
|
+
- At most one registry query per package per window / 每个安全窗口内每个包最多一次 registry 查询
|
|
84
|
+
|
|
85
|
+
## Acknowledgments / 致谢
|
|
75
86
|
|
|
76
|
-
|
|
87
|
+
Inspired by [safe-npm](https://github.com/kevinslin/safe-npm) by Kevin Lin.
|
|
77
88
|
|
|
78
|
-
|
|
89
|
+
灵感来自 Kevin Lin 的 [safe-npm](https://github.com/kevinslin/safe-npm)。
|
|
79
90
|
|
|
80
91
|
## License
|
|
81
92
|
|
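Review bot: the "How it works" list (steps 4 and 5, `4. Otherwise, falls back through the configured strategy` and `5. Verifies the fallback version is also older than the safety window`) never states what happens when every candidate produced by the strategy is also younger than the window, so a reader cannot tell whether snpx aborts or silently runs the unverified `latest`; add one line documenting that failure behaviour (ideally an abort with a non-zero exit and a message naming the rejected versions), since that is the case a user of this tool most needs to be able to trust. Minor: the `<p style="margin-top: -4em;">` in the new header block relies on an inline style that the npm and GitHub README renderers strip, so the tagline will get default spacing there.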
package/package.json
CHANGED
package/snpx.js
CHANGED
|
@@ -289,14 +289,14 @@ export async function checkSelfUpdate() {
|
|
|
289
289
|
try {
|
|
290
290
|
const data = await fetchPackageMetadata(PKG_NAME);
|
|
291
291
|
const latest = data['dist-tags']?.latest;
|
|
292
|
-
if (!latest) return { hasUpdate: false, currentVersion: '0.2.
|
|
292
|
+
if (!latest) return { hasUpdate: false, currentVersion: '0.2.3', latestVersion: null };
|
|
293
293
|
|
|
294
|
-
const currentVersion = '0.2.
|
|
294
|
+
const currentVersion = '0.2.3'; // Should match package.json
|
|
295
295
|
const hasUpdate = latest !== currentVersion;
|
|
296
296
|
|
|
297
297
|
return { hasUpdate, currentVersion, latestVersion: latest };
|
|
298
298
|
} catch {
|
|
299
|
-
return { hasUpdate: false, currentVersion: '0.2.
|
|
299
|
+
return { hasUpdate: false, currentVersion: '0.2.3', latestVersion: null };
|
|
300
300
|
}
|
|
301
301
|
}
|
|
302
302
|
|
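Review bot: `currentVersion` is hard-coded as the literal `'0.2.3'` in three places in `checkSelfUpdate()` (both early returns and `const currentVersion = '0.2.3'; // Should match package.json`), and this diff is exactly the manual bump the comment warns about; the next release that forgets it will make the self-update check compare against a stale version and report no update. Read it once from package.json instead, e.g. `const { version: currentVersion } = createRequire(import.meta.url)('./package.json');` at module scope (the file already uses ES module `export`), and reuse it in all three return statements. Separately, `const hasUpdate = latest !== currentVersion;` treats any mismatch as an available update, including the registry `latest` tag pointing at an older version than the one installed; a semver comparison such as `semver.gt(latest, currentVersion)` gives the more accurate signal, which matters for a tool whose own update path is meant to respect the same safety window it enforces.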