DOCSLIB.ORG

Drupal8 Development Standards

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Drupal8 Development Standards DRUPAL8 DEVELOPMENT STANDARDS Coding Standard and Best Practices Abstract This document covers best practices to be followed by all developers who will be working on development and implementation of a Drupal8 CMS on Acquia platform for UNICEF. ICTD-Solution Center and Services Table of Contents 1 Executive summary ......................................................................................................................... 3 2 List of standardized tools which should be used while working on Drupal8 Project...................... 4 3 Creating a new Drupal8 codebase .................................................................................................. 4 4 Drupal 8 implementation structure (where do I find what) ........................................................... 5 4.1 Directory Structure ................................................................................................................ 5 4.2 Install Profile .......................................................................................................................... 5 4.3 Modules ................................................................................................................................. 5 4.4 Themes .................................................................................................................................. 6 4.5 Test directory structure ......................................................................................................... 6 5 Coding standards ............................................................................................................................ 7 6 Theme standards ............................................................................................................................ 7 7 Automated Testing .......................................................................................................................... 7 7.1 Coding standard Test ............................................................................................................. 7 7.2 Functional Test ...................................................................................................................... 7 8 Git Usage and workflow .................................................................................................................. 8 8.1 Pull Requests, commits and Code Review Guidelines ........................................................... 8 8.2 Naming Conventions when using Git .................................................................................... 9 8.3 Developer Workflow .............................................................................................................. 9 8.4 Deployment Via BLT ............................................................................................................ 10 9 Best practices for project/website development ......................................................................... 10 9.1 Composer Dependencies ..................................................................................................... 10 9.2 Configuration Management ................................................................................................ 11 9.3 Custom Code ....................................................................................................................... 11 9.4 Updates................................................................................................................................ 11 9.5 Variables naming ................................................................................................................. 11 9.6 Theme best practices ............................................................................................................................... 12 9.7 Definition of DONE during development process ............................................................... 12 10 Best practices for PR code review ............................................................................................ 12 10.1 Preparation steps ................................................................................................................ 12 10.2 General checks ..................................................................................................................... 13 10.3 JavaScript-related checks .................................................................................................... 13 10.4 Twig-related checks ............................................................................................................. 13 10.5 CSS and Sass-related checks ................................................................................................ 13 10.6 PHP-related checks .............................................................................................................. 14 10.7 YAML-related checks ........................................................................................................... 14 10.8 Automated Checks ............................................................................................................... 14 10.9 Definition of DONE during code review process ................................................................. 15 11 Resources & additional information ........................................................................................ 15 1 Executive summary The purpose of this document is to provide guidelines, recommendations and the minimum mandatory requirements, which should apply to any Drupal 8 CMS based implementation using the Acquia platform and authored by or under the responsibility of any UNICEF office. UNICEF development standards are built to ensure a coherent and cohesive Drupal 8 implementation strategy across the organization as well as better quality, robustness and maintainability during development, launch and post-launch. UNICEF development standards require the use of Acquia BLT framework with Drupal native configuration management. Using Acquia BLT enforces the development to use a set of tools, such as Composer and NPM as the dependency management tools, and a Continuous Integration tool (such as Travis). In addition, UNICEF highly recommends the use of a Drupal VM for easier integration with BLT. UNICEF requires to use configuration management approach (file-based) instead of regular SQL database storage, in order to benefit from a versioning system for configuration in any Drupal 8 implementation. In order to enable easier compliance of these standards, UNICEF will provide a Composer file, which will include the list of approved Drupal modules. This Composer file will be required to be used to create the project. In addition, UNICEF will provide a private Github repository under UNICEF Github organization account where all development should happen. Regular audits might be performed by UNICEF technical team to ensure compliance of UNICEF development standards. Additional requirements, guidelines and best practices are found in the document below. 2 List of standardized tools which should be used while working on Drupal8 Project The below list includes a (non-exhaustive) list of required and recommended tools to be used in any Drupal 8 implementation. Name of tool Description Ticketing/Project UNICEF highly recommends the use of a project tracking tool which support tracking software agile/scrum based projects (e.g. VSTS, Github Issues, JIRA) tool Github UNICEF requires the use of Github as the control versioning tool. Acquia BLT UNICEF requires the use of Acquia BLT for deployment, build and test. Continuous UNICEF highly recommends the use of Travis CI for seamless integration with Integration Acquia BLT. Bootstrap UNICEF requires the use of Bootstrap as the base theme Acquia Lightning UNICEF requires the use of Acquia lightning distribution profile. distribution 3 Creating a new Drupal8 codebase UNICEF requires to use composer to manage dependencies with the codebase. For creating a new Drupal8 codebase, UNICEF will provide composer files. Any deviation from the included core and contributed modules and versions will have to communicated/coordinated with UNICEF development team for approval before implementation. Please note that UNICEF composer includes Acquia BLT framework to manage and deploy code and database, as well as Acquia lightning distribution and additional contributed modules those are approved by UNICEF. UNICEF standards highly recommends the use of Drupal VM, as it provides a self contained environment for local development. More information is found at https://www.drupalvm.com/ UNICEF standards requires the use of Drupal native configuration management approach (file- based), as it provides a versioning system for configuration instead of regular SQL database storage. More information on configuration management is found at https://www.drupal.org/docs/8/configuration-management 4 Drupal 8 implementation structure (where do I find what) This section describes the required implementation architecture structure that should be followed: 4.1 Directory Structure Top-Level directories /blt /config /docroot /composer.json /travis.yml Second-level directories /docroot/modules/ /docroot/profiles/ /docroot/sites/ /docroot/themes/ 4.2 Install Profile Install profile in Drupal 8 has all the functionality of modules, including access to hooks and plugins and, critically, the ability to provide configuration for the site in the form of .yml files. The profile name should consist of lowercase
Load more

Recommended publications
  • Rekstrarhandbók
    Vorönn 2017 T-404-LOKA, Lokaverkefni Rekstrarhandbók Ingþór Birkir Árnason Jan Hinrik Hansen Logi Guðmann Þorgrímur Jónasarson Kennari: Hallgrímur Arnalds Leiðbeinandi: Sigurjón Ingi Garðarsson Prófdómari: Símon Óttar Vésteinsson 12. maí 2017 Efnisyfirlit 1 Framendi 3 1.1 Dependencies 3 1.2 Uppsetning 3 1.3 Keyrsla 3 1.4 ESLint 4 1.5 Stílar 5 1.5.1 BEM - Block Element Modifier 5 1.5.2 StyleLint 5 1.5.3 Gulp task 5 2 Bakendi 6 2.1 Dependencies 6 2.2 Uppsetning 6 2.3 Handhægar upplýsingar 8 2.3.1 Admin aðgangur 8 2.3.2 Postman 8 2.4 PHPUnit 8 2.5 Documentation 9 3 Forritunarreglur 9 3.1 Almennar reglur 9 3.2 VueJS 9 3.3 CSS 10 3.4 PHP - Laravel 11 2 1 Framendi Framendinn er skrifaður í Vue.js með vue-webpack-boilerplate (https://github.com/vuejs-templates/webpack) sem grunn. ​ ​ 1.1 Dependencies Til þess að geta keyrt framendann er nauðsynlegt að hafa node og node package manager (npm). Hægt er að sækja node.js ásamt npm á Node.js heimasíðunni (https://nodejs.org/en/). ​ ​ 1.2 Uppsetning 1.) Sækja git repository-ið. git clone https://github.com/toggi737/Lokaverkefni_vue.git 2.) Setja upp nauðsynleg dependencies í gegnum npm. npm install 3.) Búa til dev.env.js skrá sem að inniheldur stillingar fyrir þína vél. Nauðsynlegt er að búa til dev.env.js skrá undir config möppunni sem að inniheldur upplýsingar um þann API sem að þú vilt nota. Það er hægt að gera með því að keyra cp dev.env.js.example dev.env.js í config möppunni.
    [Show full text]
  • Learning React Functional Web Development with React and Redux
    Learning React Functional Web Development with React and Redux Alex Banks and Eve Porcello Beijing Boston Farnham Sebastopol Tokyo Learning React by Alex Banks and Eve Porcello Copyright © 2017 Alex Banks and Eve Porcello. All rights reserved. Printed in the United States of America. Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472. O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com/safari). For more information, contact our corporate/insti‐ tutional sales department: 800-998-9938 or [email protected]. Editor: Allyson MacDonald Indexer: WordCo Indexing Services Production Editor: Melanie Yarbrough Interior Designer: David Futato Copyeditor: Colleen Toporek Cover Designer: Karen Montgomery Proofreader: Rachel Head Illustrator: Rebecca Demarest May 2017: First Edition Revision History for the First Edition 2017-04-26: First Release See http://oreilly.com/catalog/errata.csp?isbn=9781491954621 for release details. The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Learning React, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc. While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.
    [Show full text]
  • React.Pdf Email: [email protected] Twitter: @Mark Volkmann Github: Mvolkmann Website
    Say “No” to Complexity! Mark Volkmann, Object Computing, Inc. http://ociweb.com/mark/MidwestJS/react.pdf Email: [email protected] Twitter: @mark_volkmann https://github.com/mvolkmann/react-examples GitHub: mvolkmann Website: http://ociweb.com/mark Copyright © 2015-2016 by Object Computing, Inc. (OCI) All rights reserved Intro. Meaning behind the talk title - 2 kinds of complexity other frameworks state management approaches: thunks, sagas, epics, effects, GraphQL, Relay, Falcor, ... Why are the slides so dense? Copyright © 2015-2016 by Object Computing, Inc. (OCI) React All rights reserved 2 What is OCI? Software development (on-site and off-site), consulting, and training Home of Grails, “An Open Source high-productivity framework for building fast and scalable web applications” Open Source Transformation Services helping clients move from commercial to open source software Industrial Internet of Things (IIoT) DevOps Copyright © 2015-2016 by Object Computing, Inc. (OCI) React All rights reserved 3 Overview ... Web app library from Facebook As of 8/6/16, React was reportedly used by Airbnb, Angie’s List, http://facebook.github.io/react/ Atlasssian, BBC, Capitol One, Clash of Focuses on view portion Clans, Codecademy, Coursera, Docker, Dropbox, Expedia, Facebook, Feedly, not full stack like other frameworks such as AngularJS and EmberJS Flipboard, HipChat, IMDb, Instagram, Intuit, Khan Academy, Lyft, New York use other libraries for non-view functionality Times, NFL, NHL, Netflix, Paypal, some are listed later Periscope, Reddit, Salesforce, Squarespace, Tesla Motors, Twitter, “One-way reactive data flow” Uber, Visa, WhatsApp, Wired, Wolfrum UI reacts to “state” changes Alpha, Wordpress, Yahoo, Zendesk, and many more. not two-way data binding like in AngularJS 1 Source: https://github.com/facebook/ what triggered a digest cycle? react/wiki/Sites-Using-React should I manually trigger it? easier to follow flow of data events -> state changes -> component rendering Copyright © 2015-2016 by Object Computing, Inc.
    [Show full text]
  • Guide to Secure Software Development in Ruby
    Fedora Security Team Secure Ruby Development Guide Guide to secure software development in Ruby Ján Rusnačko Secure Ruby Development Guide Fedora Security Team Secure Ruby Development Guide Guide to secure software development in Ruby Edition 1 Author Ján Rusnačko [email protected] Copyright © 2014 Ján Rusnačko. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. The original authors of this document, and Red Hat, designate the Fedora Project as the "Attribution Party" for purposes of CC-BY-SA. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version. Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. For guidelines on the permitted uses of the Fedora trademarks, refer to https://fedoraproject.org/wiki/ Legal:Trademark_guidelines. Linux® is the registered trademark of Linus Torvalds in the United States and other countries. Java® is a registered trademark of Oracle and/or its affiliates. XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
    [Show full text]
  • WEB2PY Enterprise Web Framework (2Nd Edition)
    WEB2PY Enterprise Web Framework / 2nd Ed. Massimo Di Pierro Copyright ©2009 by Massimo Di Pierro. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the web at www.copyright.com. Requests to the Copyright owner for permission should be addressed to: Massimo Di Pierro School of Computing DePaul University 243 S Wabash Ave Chicago, IL 60604 (USA) Email: [email protected] Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created ore extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. Library of Congress Cataloging-in-Publication Data: WEB2PY: Enterprise Web Framework Printed in the United States of America.
    [Show full text]
  • Original.Pdf
    Rails Security Primer I am not a software security expert CVE? Common Vulnerabilities and Exposures Vulnerability A weakness that an attacker can use to exploit a system Exploit A piece of software that exploits a vulnerability to achieve unintended or unanticipated behavior CVE-2012-5664 SQL Injection Vulnerability SQL Injection Vulnerability …but only exploitable if you used Authlogic or find_by_* methods in a certain way A cookie like { "session_id" => "41414141", "user_credentials" => "Phenoelit", "user_credentials_id" => { :select=> " *,\"Phenoelit\" as persistence_token from users -- " } } …would create a query like this User.find_by_id(params[:user_credendtials_id]) …would create a query like this User.find_by_id(params[:user_credendtials_id]) User.find_by_id({:select =>"*,\"Phenoelit\" as persistence_token from users --"}) …would create a query like this User.find_by_id(params[:user_credendtials_id]) User.find_by_id({:select =>"*,\"Phenoelit\" as persistence_token from users --"}) SELECT *,"Phenoelit" as persistence_token from users -- FROM "users" WHERE "users"."id" IS NULL LIMIT 1 Blood in the water… CVE-2013-0155 CVE-2013-0156 CVE-2013-0269 CVE-2013-0333 CVE-2013-0155 "Unsafe Query Generation Risk in Ruby on Rails" def reset_password if (@user = User.find_by_token(params[:token])) @user.reset_password! render :json => 'Success' else render :json => 'Failure' end end # POST to http://localhost:3000/users/ reset_password with "{\"token\":[null]}" CVE-2013-0156 "Multiple vulnerabilities in parameter parsing in Action Pack" Content-Type:
    [Show full text]
  • Npm Packages As Ingredients: a Recipe-Based Approach
    npm Packages as Ingredients: a Recipe-based Approach Kyriakos C. Chatzidimitriou, Michail D. Papamichail, Themistoklis Diamantopoulos, Napoleon-Christos Oikonomou, and Andreas L. Symeonidis Electrical and Computer Engineering Dept., Aristotle University of Thessaloniki, Thessaloniki, Greece fkyrcha, mpapamic, thdiaman, [email protected], [email protected] Keywords: Dependency Networks, Software Reuse, JavaScript, npm, node. Abstract: The sharing and growth of open source software packages in the npm JavaScript (JS) ecosystem has been exponential, not only in numbers but also in terms of interconnectivity, to the extend that often the size of de- pendencies has become more than the size of the written code. This reuse-oriented paradigm, often attributed to the lack of a standard library in node and/or in the micropackaging culture of the ecosystem, yields interest- ing insights on the way developers build their packages. In this work we view the dependency network of the npm ecosystem from a “culinary” perspective. We assume that dependencies are the ingredients in a recipe, which corresponds to the produced software package. We employ network analysis and information retrieval techniques in order to capture the dependencies that tend to co-occur in the development of npm packages and identify the communities that have been evolved as the main drivers for npm’s exponential growth. 1 INTRODUCTION Given that dependencies and reusability have be- come very important in today’s software develop- The popularity of JS is constantly increasing, and ment process, npm registry has become a “must” along is increasing the popularity of frameworks for place for developers to share packages, defining code building server (e.g.
    [Show full text]
  • Azure Forum DK Survey
    #msdkpartner #msdkpartner Meeting Ground Rules Please post your questions in the chat – We aim to keep QnA at the end of each session Please mute yourself to ensure a good audio experience during presentations This meeting will be recorded #msdkpartner Today's Agenda 08:30 - 08:35​ Welcome​ 08:35 - 09:15 Best of Build 09:15 - 10:00​ Top 5 Reasons to chose azure (vs. on-premise) 10:05 - 10:25​ Azure in SMB ​ 10:25 - 10:30​ Closing #msdkpartner #msdkpartner Hello! I’m Sherry List Azure Developer Engagement Lead Microsoft You can find me at @SherrryLst | @msdev_dk DevOps with Azure, GitHub, and Azure DevOps 500M apps and microservices will be written in the next five years Source: IDC Developer Velocity 100x 200x 7x 8x faster to set up a more frequent fewer failures on more likely to have dev environment code deployments deployments integrated security Source: DORA / Sonatype GitHub Actions for Azure https://github.com/azure/actions Azure Pipelines AKS & k8s support YAML CI Pipelines YAML CD Pipelines Elastic self-hosted agents Community and Collaboration In modern applications 90% of the code comes Your Code from open source Open Source Most of that code lives on GitHub Sign up for Codespaces Preview today https://github.co/codespaces Security and Compliance 70 Security and Compliance 12 56 10 42 7 LOC (M) LOC 28 5 Security Issues (k) Issues Security 14 2 Lines of code Security threats 0 0 Apr Jul Oct Jan Apr Jul Oct Jan Apr Jul Oct Jan Apr Jul Oct Jan Apr Jul Oct Jan Apr 2015 2015 2015 2016 2016 2016 2016 2017 2017 2017 2017 2018 2018 2018
    [Show full text]
  • Means Nested Providers from the Real Client. for Example P->[email protected] Means That P2 Is the P’S Provider and P Is the Real Client’S Provider
    real client = the client package that we executed the release’s test. -> means nested providers from the real client. For example p->[email protected] means that p2 is the p’s provider and p is the real client’s provider. --------------------------------------------------------------------- 1) [email protected] changed a key in its code, that did not introduce an error, but it became incompatible with babel-eslint. The escope is not a babel-eslint’s provider. This error was fixed by [email protected], when its providers claimed that it should be fixed in babel-eslint. ● Issue in babel-eslint ● Issue in escope ● Pull-request in babel-eslint ● Fixed by provider babel-eslint, which is the provider of the real client. ● Category: incompatible providers version. 2) the real client has grunt-jslint->jslint@>=0.3.4 as its providers. The [email protected] started to use ES6 and moved all of ES5’s code to another file. The [email protected] did a downgrade in the jslint’s version. Specifically, the grunt-jslint uses the array JSLINT.error, which was moved to another file. jslint is a provider of grunt-jslint, and grunt-jslint is a provider of real client. ● Downgrade of jslint ● [email protected] diff ● [email protected] changelog ● Fixed by provider as client grunt-jslint, which is the client of jslint. ● Category: Feature change. 3) the real client has the [email protected] as its provider. The babel-preset-es2015-rollup has the babel-preset-es2015 as its provider, that is introducing an error.
    [Show full text]
  • Web Development Frameworks Ruby on Rails VS Google Web Toolkit
    Bachelor thesis Web Development Frameworks Ruby on Rails VS Google Web Toolkit Author: Carlos Gallardo Adrián Extremera Supervisor: Welf Löwe Semester: Spring 2011 Course code: 2DV00E SE-391 82 Kalmar / SE-351 95 Växjö Tel +46 (0)772-28 80 00 [email protected] Lnu.se/dfm Abstract Web programming is getting more and more important every day and as a consequence, many new tools are created in order to help developers design and construct applications quicker, easier and better structured. Apart from different IDEs and Technologies, nowadays Web Frameworks are gaining popularity amongst users since they offer a large range of methods, classes, etc. that allow programmers to create and maintain solid Web systems. This research focuses on two different Web Frameworks: Ruby on Rails and Google Web Toolkit and within this document we will examine some of the most important differences between them during a Web development. Keywords web frameworks, Ruby, Rails, Model-View-Controller, web programming, Java, Google Web Toolkit, web development, code lines i List of Figures Figure 2.1. mraible - History of Web Frameworks....................................................4 Figure 2.2. Java BluePrints - MVC Pattern..............................................................6 Figure 2.3. Libros Web - MVC Architecture.............................................................7 Figure 2.4. Ruby on Rails - Logo.............................................................................8 Figure 2.5. Windaroo Consulting Inc - Ruby on Rails Structure.............................10
    [Show full text]
  • FULLTEXT01.Pdf
    UPTEC F 18029 Examensarbete 30 hp Juni 2018 Investigation and Implementation of a Log Management and Analysis Framework for the Treatment Planning System RayStation Elias Norrby Abstract Investigation and Implementation of a Log Management and Analysis Framework for the Treatment Planning System RayStation Elias Norrby Teknisk- naturvetenskaplig fakultet UTH-enheten The purpose of this thesis is to investigate and implement a framework for log management and analysis tailored to the treatment planning system (TPS) Besöksadress: RayStation. A TPS is a highly advanced software package used in radiation Ångströmlaboratoriet Lägerhyddsvägen 1 oncology clinics, and the complexity of the software makes writing robust code Hus 4, Plan 0 challenging. Although the product is tested rigorously during development, bugs are present in released software. The purpose of the the framework is to allow the Postadress: RayStation development team insight into errors encountered in clinics by Box 536 751 21 Uppsala centralizing log file data recorded at clinics around the world. Telefon: A framework based on the Elastic stack, a suite of open-source products, is 018 – 471 30 03 proposed, addressing a set of known issues described as the access problem, the Telefax: processing problem, and the analysis problem. Firstly, log files are stored locally on 018 – 471 30 00 each machine running RayStation, some of which may not be connected to the Internet. Gaining access to the data is further complicated by legal frameworks Hemsida: such as HIPAA and GDPR that put constraints on how clinic data can be handled. http://www.teknat.uu.se/student The framework allows for access to the files while respecting these constraints.
    [Show full text]
  • Investigating the Reproducbility of NPM Packages
    Investigating the Reproducbility of NPM packages Pronnoy Goswami Thesis submitted to the Faculty of the Virginia Polytechnic Institute and State University in partial fulfillment of the requirements for the degree of Master of Science in Computer Engineering Haibo Zeng, Chair Na Meng Paul E. Plassmann May 6, 2020 Blacksburg, Virginia Keywords: Empirical, JavaScript, NPM packages, Reproducibility, Software Security, Software Engineering Copyright 2020, Pronnoy Goswami Investigating the Reproducbility of NPM packages Pronnoy Goswami (ABSTRACT) The meteoric increase in the popularity of JavaScript and a large developer community has led to the emergence of a large ecosystem of third-party packages available via the Node Package Manager (NPM) repository which contains over one million published packages and witnesses a billion daily downloads. Most of the developers download these pre-compiled published packages from the NPM repository instead of building these packages from the available source code. Unfortunately, recent articles have revealed repackaging attacks to the NPM packages. To achieve such attacks the attackers primarily follow three steps – (1) download the source code of a highly depended upon NPM package, (2) inject mali- cious code, and (3) then publish the modified packages as either misnamed package (i.e., typo-squatting attack) or as the official package on the NPM repository using compromised maintainer credentials. These attacks highlight the need to verify the reproducibility of NPM packages. Reproducible Build is a concept that allows the verification of build artifacts for pre-compiled packages by re-building the packages using the same build environment config- uration documented by the package maintainers. This motivates us to conduct an empirical study (1) to examine the reproducibility of NPM packages, (2) to assess the influence of any non-reproducible packages, and (3) to explore the reasons for non-reproducibility.
    [Show full text]