
@financial-times/secret-squirrel

v2.21.1

Published

![Secret Squirrel](http://vignette1.wikia.nocookie.net/secretsquirrel/images/1/16/Secretsquirrel.png 'Secret Squirrel')

Downloads

3,231

Secret Squirrel

This is like AWS's git-secrets but better.

Getting Started

To add Secret Squirrel to your project run:

npm install --save-dev @financial-times/secret-squirrel husky

(Note that the above command also installs husky, a tool for managing git hooks: https://github.com/typicode/husky)

Next, add the secret-squirrel pre-commit hook as a `precommit` script in package.json. (This script-based form is the one husky 0.x reads; newer husky releases configure hooks through a `husky` field in package.json or a `.husky/` directory, so match the form to the husky version you installed.)

	"scripts": {
		"precommit": "secret-squirrel"
	}

Note: If you're in Next, we recommend linting on commit and unit testing on push:

	"scripts": {
		"precommit": "make verify -j3 && secret-squirrel",
		"prepush": "make unit-test"
	}

That's it. From this point on, you can't commit any code that breaks the rules. Keep in mind that the hook runs client-side and is skipped by `git commit --no-verify`, so treat it as a safety net rather than a server-side control:

	$ git commit
	running bin/pre-commit.js script
	executing task "secret-squirrel"

	server/search.js:5:fetch(url, { headers: { x-api-key: 'a69c65f3-0db7...' } })

	DENIED FILES

	.env

	DENIED STRINGS

	file: server/search.js
	line number: 5
	full line: fetch(url, { headers: { x-api-key: 'a69c65f3-0db7...' } })
	deny match: a69c65f3-0db7...
	deny rule: [a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}

	Error: denied strings found

	*** WARNING!!!! ***

	"Resolve the above. For any potential secrets found, remove them from the code, allow them in the project's secret-squirrel.cjs, or tweak the global rules in https://github.com/Financial-Times/secret-squirrel/blob/master/global-rules.js

	We are removing the files from the commit if added

	Protip: run `secret-squirrel init` to autogenerate the config with the matches for you to thoroughly check before committing to Git B)

	Any problems, please contact the Enabling Technologies Group (#etg)"

	*******************

	"pre-commit You've failed to pass all the hooks."

You cannot. Facepalm.

Can I add project-specific rules?

You can! Ask Secret Squirrel to autogenerate a config with any secrets it finds for you to thoroughly check & adjust before committing to Git:

secret-squirrel init

N.B.: This command always creates a config file with a .cjs extension, to avoid issues that could otherwise arise when a project migrates from CommonJS to ES modules or vice versa.

Look in the global rules for inspiration. You do not need to specify the start (^), end ($) or word-boundary (\b) anchors in your patterns, because Secret Squirrel adds them itself.

Protip: do not commit the config if it contains actual secrets (!)
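As an added illustration (not secret-squirrel's own code, and not its config format, which this README does not show), the script below applies a deny-file list and deny-string regexes to staged file contents line by line in the way the README describes: rule authors write only the core pattern, the scanner wraps it in word boundaries, an allow list lets known non-secret matches through, and findings are reported in the shape of the commit output above. The deny-file list, the AWS-style second rule, the allow list and the staged file contents are all constructed here; only the UUID rule is taken from the README.

```javascript
// Added example, not secret-squirrel's own code: a minimal scanner that applies
// deny-file and deny-string rules the way the README describes. Rule authors
// write only the core pattern; the scanner adds the \b boundaries. Findings are
// reported in the same shape as the commit output shown earlier.
// The deny-file list, the second rule, the allow list and the staged file
// contents are constructed for this example; only the UUID rule is from the README.

const denyFiles = ['.env', 'id_rsa'];

const denyStrings = [
  // UUID-shaped API key, as in the README's sample output
  '[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}',
  // AWS access key id shape (assumption: illustrative, not a project rule)
  'AKIA[0-9A-Z]{16}',
];

// Matches a project would allow because they are known not to be secrets,
// the role the README gives to the generated secret-squirrel.cjs.
const allowStrings = ['00000000-0000-0000-0000-000000000000'];

// Wrap a rule in word boundaries so rule authors never write \b themselves.
function compileRule(pattern) {
  return new RegExp(`\\b(?:${pattern})\\b`, 'g');
}

// staged: { [path]: fileContents }. Returns the findings rather than printing
// them so a hook (or a test) can decide what to do with the result.
function scanStaged(staged) {
  const deniedFiles = [];
  const deniedStrings = [];
  for (const [file, contents] of Object.entries(staged)) {
    const base = file.split('/').pop();
    if (denyFiles.includes(base)) {
      deniedFiles.push(file); // the file itself is rejected; no need to grep it
      continue;
    }
    contents.split('\n').forEach((line, index) => {
      for (const pattern of denyStrings) {
        for (const m of line.matchAll(compileRule(pattern))) {
          if (allowStrings.includes(m[0])) continue; // explicitly allowed
          deniedStrings.push({ file, line: index + 1, fullLine: line, match: m[0], rule: pattern });
        }
      }
    });
  }
  return { deniedFiles, deniedStrings, ok: deniedFiles.length === 0 && deniedStrings.length === 0 };
}

// Render findings in the layout of the README's commit output.
function formatReport({ deniedFiles, deniedStrings }) {
  const out = [];
  if (deniedFiles.length) out.push('DENIED FILES', '', ...deniedFiles, '');
  if (deniedStrings.length) {
    out.push('DENIED STRINGS', '');
    for (const d of deniedStrings) {
      out.push(`file: ${d.file}`, `line number: ${d.line}`, `full line: ${d.fullLine}`,
        `deny match: ${d.match}`, `deny rule: ${d.rule}`, '');
    }
  }
  return out.join('\n');
}

// Constructed staged set mirroring the README's commit: a denied .env file and
// a source file whose line 5 carries a UUID-shaped key. Line 3 holds an
// all-zero UUID that the allow list lets through.
const staged = {
  '.env': 'DB_PASSWORD=hunter2',
  'server/search.js': [
    'const url = process.env.SEARCH_URL;',
    '// fixture id, allowed by the project config',
    "const emptyId = '00000000-0000-0000-0000-000000000000';",
    '',
    "fetch(url, { headers: { 'x-api-key': 'a69c65f3-0db7-4c21-9e8f-5b6d7a8c9e0f' } });",
  ].join('\n'),
};

const result = scanStaged(staged);
if (!result.ok) {
  console.log(formatReport(result));
  console.log('Error: denied files or strings found');
}
```

A real hook would exit non-zero when `ok` is false; the example only prints so that it can be run and read stand-alone. Note that a denied file is rejected outright without being grepped, which is why the `.env` password never shows up under DENIED STRINGS, and that the allow list compares whole matches, so a loosened pattern cannot be whitelisted by accident through a substring.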

What are the global rules?

See the global rules at https://github.com/Financial-Times/secret-squirrel/blob/master/global-rules.js. Want changes? Please submit a PR and ask in #etg for someone to approve it.

Credit to Adam Braimbridge for coming up with the Secret Squirrel name

Local Development

Prerequisites

Ensure you have the following tools and libraries installed:

Installation & Configuration

Execute the following commands to clone the repo, install dependencies and configure a local copy of the application:

	$ git clone git@github.com:Financial-Times/secret-squirrel.git
	$ cd secret-squirrel
	$ make install   # install the dependencies

Ensure you always create a new branch which is named after the ticket you are working on.

Testing

To confirm the application runs as expected, you can execute a test pack via the following command:

make test

Coding Standards

We drive secure, maintainable code through the use of ESLint, Prettier and Snyk via regular execution of the following commands:

make verify             # Apply code formatting and highlight syntax errors
snyk wizard             # Check for and correct security vulnerabilities

Commits and Pull Requests

Commit frequently to enable early visibility of your code for pairing and formal review.

Every git push will confirm adherence to coding standards by running the verify command mentioned above.

Any failures must be corrected before the code will be applied to the repository.

If you need to share any incomplete/incorrect code you may use `git push --no-verify` to temporarily bypass the pre-push checks. Be aware that the same option on `git commit` also skips the secret-squirrel pre-commit hook, so review the diff for secrets before sharing it.

Deploying the application

After merging to main, add a semver tag with a `v` prefix (for example `v2.21.1`) in order to release to production. Other tags, or tags missing the `v` prefix, will not cause a deployment.

This should be done through Github releases!