Today's post will be about a tiny dependency-free JavaScript library - Just.
It provides the most common methods for manipulating different data structures, such as:

Collections - clone, diff
Objects - merge, extend
Arrays - shuffle, random
Strings - template, replace-all
Numbers - random-integer
Functions - curry-it, memoize
even Statistics - percentile, standard-deviation
and much more.

All methods are individual npm modules and can be used separately.

Official site and documentation:
https://anguscroll.com/just/

Also a short video about Just:
https://youtu.be/1qprF4BqSaM

For more useful info - subscribe to the Tech Read channel.
Likes and shares are welcome.

#javascript #just #npm
Just a list of useful npm packages for Node.js.

Node.js Packages I Use In Every Project

For more info - subscribe to the Tech Read channel.
Likes and shares are welcome.

#nodejs #npm
You can find the changes in the 9th version of npm (released some time ago, but still worth a look) in the article Exploring New Features in npm 9.

For me, the most interesting one is the install-strategy option - hoisted, nested and shallow.

For more info - subscribe to the Tech Read channel.
Likes, shares and recommendations are welcome.

#npm
Let’s talk a little bit about npm audit. It’s a great tool to protect your code in several ways:
- Generate and review security audit reports
- Verify the registry signatures of downloaded packages
- Check and fix vulnerabilities in your dependencies

More in the article NPM Audit: 5 Ways to Use it to Protect Your Code, and don’t forget to subscribe to the Tech Read channel.
Likes, shares and recommendations are welcome.

#npm
This post is the selection of useful npm modules:

1. OTPAuth - One Time Password (HOTP/TOTP) library for Node.js, Deno, Bun and browsers.

HOTP (HMAC-based One-Time Password) and TOTP (Time-based One-Time Password) are two commonly used algorithms for generating one-time passwords (OTP) in two-factor authentication systems.
HOTP generates OTPs based on a counter value and a secret key using a hash-based message authentication code (HMAC) algorithm. Each time a new OTP is generated, the counter value is incremented.
TOTP, on the other hand, generates OTPs based on a combination of a secret key and the current time. A timestamp is used as the counter value, and the OTP changes every 30 seconds (default value).

2. Concurrent.js - Non-blocking Computation for JavaScript RTEs (Web Browsers, Node.js & Deno).

Non-blocking computation is a technique used to allow JavaScript runtime environments (RTEs) to perform computationally intensive tasks without blocking the main thread of execution. This is achieved by executing these tasks asynchronously, using features such as web workers or worker threads.
In JavaScript, blocking the main thread can lead to performance issues and a poor user experience, as the user interface may become unresponsive while the script is running. Non-blocking computation helps to mitigate this issue by allowing these tasks to be performed in the background, without affecting the responsiveness of the user interface.

3. Malibu - Framework-agnostic CSRF middleware for modern Node.js

CSRF (Cross-Site Request Forgery) is a type of web attack where an attacker tricks a user into performing an unintended action on a web application. The attack typically involves the attacker crafting a request to the application, and then tricking the user into submitting that request through some form of social engineering, such as by clicking on a malicious link or visiting a page with a hidden form.
One common example of a CSRF attack is when an attacker creates a malicious form on a website, which is designed to submit a request to a different website that the user is already logged in to. If the user is tricked into submitting the form, the attacker can execute a malicious action on the targeted website on behalf of the user.
To prevent CSRF attacks, developers can implement security measures such as using anti-CSRF tokens or implementing same-site cookies. These measures can help to ensure that a request is only processed if it originates from an authorized source, and can help to prevent unauthorized actions on the targeted website.

For more useful info - subscribe to the Tech Read channel.
Likes, shares and recommendations are welcome.

#nodejs #deno #bun #npm #csrf
NPM Security best practices from OWASP Cheat Sheet Series

Short list:
1) Avoid publishing secrets to the npm registry
2) Enforce the lockfile
3) Minimize attack surfaces by ignoring run-scripts
4) Assess npm project health
5) Audit for vulnerabilities in open source dependencies
6) Use a local npm proxy
7) Responsibly disclose security vulnerabilities
8) Enable 2FA
9) Use npm author tokens
10) Understand module naming conventions and typosquatting attacks

You can also find a lot of useful links in the Tech Read channel, so subscribe and enjoy.
Likes, shares and recommendations are welcome.

#npm #security #owasp
The Hidden Danger: Malware in NPM Modules

In today's interconnected world, where software development heavily relies on third-party libraries and frameworks, we must remain vigilant about the security of our codebases. One area that often goes unnoticed is the presence of malware in npm modules, posing a significant threat to our projects.

NPM (Node Package Manager) has revolutionized the JavaScript ecosystem by providing a vast collection of reusable modules. While most npm modules are developed and maintained by trustworthy individuals and organizations, the open nature of the ecosystem leaves room for potential vulnerabilities and malicious intent.

The proliferation of malware-infected npm modules has become a growing concern. Hackers have increasingly exploited this avenue to inject harmful code into unsuspecting projects. These malware-infected modules can take various forms, including hidden backdoors, data exfiltration mechanisms, crypto-mining scripts, or even ransomware.

So, how can we protect ourselves and our projects from such threats? Here are a few essential measures to consider:

1. Regularly Update Dependencies: Keeping your project's dependencies up to date is crucial. Developers often release security patches and bug fixes to address vulnerabilities. By updating your npm modules regularly, you ensure that you are using the latest, more secure versions.

2. Scrutinize Dependency Sources: When choosing npm modules, it's vital to review the module's source, maintainers, and the overall community engagement. Opt for modules that have an active developer community, reliable maintainers, and transparent code reviews. Additionally, check if the module has undergone security audits or has a history of security-related issues.

3. Analyze Module Popularity: The popularity of an npm module can be an indicator of trustworthiness. Highly popular modules usually have a larger user base and undergo more scrutiny, reducing the likelihood of malware infiltration. However, popularity alone is not a guarantee, and additional due diligence is necessary.

4. Implement Continuous Integration and Testing: Incorporating automated security checks into your development workflow is essential. Leverage tools like vulnerability scanners, static code analyzers, and dependency checkers to identify any potential security risks. Integrate these checks as part of your continuous integration (CI) and continuous deployment (CD) pipelines for maximum effectiveness.

5. Stay Informed: Stay updated with the latest news and reports on security vulnerabilities or malware incidents related to npm modules. Follow trusted sources, security forums, and advisory lists to receive timely information about emerging threats and recommended actions.

Remember, the responsibility for securing our projects lies with us as developers. By being proactive, vigilant, and implementing the best practices outlined above, we can mitigate the risks associated with malware-infected npm modules.
Stay safe, keep your codebase secure, and happy coding!

To know more - subscribe to the Tech Read channel on Telegram.
I’ll also add a link to the article “Five Packages And Their Evil Install Scripts”.
Likes, shares and recommendations are welcome.

#npm #security #javascript

Links:
https://blog.sandworm.dev/dissecting-npm-malware-five-packages-and-their-evil-install-scripts