TL;DR: There are three options to fix an NPM dependency:
- Open a bug ticket on the repository of the maintainer
- Fork & Fix
- Create a patch and fix it
I used to favour the second solution, but it has the drawback of creating a dependency on github.com at build time, which is not always practical in a corporate context... patch-package can therefore prove quite handy in that case.
$ npm install faker@6.6.6
LIBERTY LIBERTY LIBERTY
Related article (FR): https://www.01net.com/actualites/au-bout-du-rouleau-un-developpeur-sabote-ses-logiciels-open-source-2053434.html
At oui.sncf, I work in a team in charge of the software factory, which has administered a self-hosted Gitlab instance for years. This article contains some of our recommendations for users of our Gitlab, aiming both to improve the performance of their pipelines …
What happens if malicious code is uploaded to npm under these names? Is it possible that some of PayPal’s internal projects will start defaulting to the new public packages instead of the private ones?
A few pointers to get started with Gitlab CI
Useful CLI when you have the RCON password of a Quake 3 server!
I have set up the script below as a cron job to alert me whenever a player connects to my friend's server:
#!/bin/bash
# Cron job: poll a Quake 3 server over RCON and notify when a new player shows up.
# server_address and rcon_password are expected in the environment (nounset aborts otherwise).
set -o pipefail -o errexit -o nounset
cd "$(dirname "${BASH_SOURCE[0]}")"
: "${server_address:?must be set}" "${rcon_password:?must be set}"
date
# First run: make sure the previous player list exists so diff and comm do not fail
touch quake3-kleph.players.old
echo status | quake3-rcon "$server_address" "$rcon_password" > quake3-kleph.status
# Player lines contain an IPv4 address; the 4th column is the player name.
# grep exits 1 on an empty server, so do not let errexit abort before the list is rotated.
grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' quake3-kleph.status | awk '{ print $4 }' > quake3-kleph.players || true
if ! diff -q quake3-kleph.players quake3-kleph.players.old; then
  echo 'New player detected'
  # comm -13 keeps only names present in the new list and absent from the old one
  ./send_reminder.sh "New player joined kleph.eu Quake3 server: $(comm -13 <(sort quake3-kleph.players.old) <(sort quake3-kleph.players) | tr '\n' ' ')"
fi
mv quake3-kleph.players quake3-kleph.players.old
While developing a new project is like rolling on a green field for you, maintaining it is a potential dark twisted nightmare for someone else. Here's a list of guidelines we've found, written and gathered that (we think) works really well with most JavaScript projects here at hive. If you want to share a best practice, or think one of these guidelines should be removed, feel free to share it with us.
Found from: http://javascriptweekly.com
A very plausible scenario of a credentials sniffer injected through an npm dependency chain.
I loved the "I’d see it in your source on GitHub!" section: so scary and true.
Or how I obtained direct publish access to 14% of npm packages (including popular ones)
In any UNIX shell, the following will always work out of the box:
browserify src/main/lib/js/*.js > out-bundle.js
But of course, not under Windows.
And browserify does not accept directory names as primary parameter, nor wildcard globbing patterns. There is a pending issue & pull request aiming to …
Use one of these techniques to install node and npm without having to sudo. Discussed in more detail at http://joyeur.com/2010/12/10/installing-node-and-npm/ Note: npm >=0.3 is safer when using sudo.