Gathering detailed insights and metrics for @shopify/react-csrf
Gathering detailed insights and metrics for @shopify/react-csrf
Installations
npm install @shopify/react-csrfScore
81.3
Supply Chain
75.2
Quality
83.6
Maintenance
100
Vulnerability
100
License
Releases
817
@shopify/web-worker@6.4.0
@shopify/web-worker@6.4.0
Published on 24 Sept 2024
@shopify/react-web-worker@5.1.6
@shopify/react-web-worker@5.1.6
Published on 24 Sept 2024
@shopify/react-web-worker@5.1.5
@shopify/react-web-worker@5.1.5
Published on 13 Sept 2024
@shopify/jest-koa-mocks@5.3.1
@shopify/jest-koa-mocks@5.3.1
Published on 13 Sept 2024
@shopify/web-worker@6.3.1
@shopify/web-worker@6.3.1
Published on 13 Sept 2024
@shopify/react-performance@4.1.1
@shopify/react-performance@4.1.1
Published on 13 Sept 2024
Developer
Shopify
Developer Guide
BETA
Module System
CommonJS, ESM
Min. Node Version
>=18.12.0
Typescript Support
Yes
Node Version
18.20.3
NPM Version
10.7.0
Statistics
1,699 Stars
4,968 Commits
222 Forks
390 Watching
249 Branches
7,063 Contributors
Updated on 19 Nov 2024
Bundle Size
467.00 B
Minified
292.00 B
Minified + Gzipped
Languages
TypeScript (96.38%)
Ruby (2.34%)
JavaScript (1.23%)
Shell (0.02%)
CSS (0.02%)
Total Downloads
Cumulative downloads
Total Downloads
6,486,075
Last day
-93.4%
115
Compared to previous day
Last week
-48.7%
4,088
Compared to previous week
Last month
-28.8%
69,053
Compared to previous month
Last year
-43.1%
1,157,835
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Peer Dependencies
1
Dev Dependencies
1
Versions
[!CAUTION] Quilt is no longer maintained. The packages listed below are deprecated.
Functionality can be replaced with more modern and maintained open source projects, or implemented in userland along side the latest versions of koa/react/etc.
Shopifolk, see Shopify/quilt-internal for information on the latest packages available for use internally.
Quilt
A loosely related set of packages for JavaScript/TypeScript projects at Shopify.
These libraries compose together to help you create performant modern JS apps that you love to develop and test. These packages are developed primarily to be used on top of the stack we like best for our JS apps; Typescript for the flavor, Koa for the server, React for UI, Apollo for data fetching, and Jest for tests. That said, you can mix and match as you like.
⚠️ Over the past few years, this repo has become a dumping ground for a variety of packages unrelated to the core problems Quilt, and it's stewards - the Admin Web Foundation team - aims to solve. Before submitting a pull request, please speak with the Admin Web Platform team on guidance as to whether a package might belong in Quilt. The Admin Web Platform team's focus is on the web codebase. If you're proposing a package that has not already been widely used in the web codebase then it is unlikely that it would be merged into Quilt.
Usage
The Quilt repo is managed as a monorepo that is composed of 67 npm packages and one Ruby gem.
Each package/gem has its own README.md and documentation describing usage.
Package Index
| Package | Version | Status | Description |
|---|---|---|---|
| @shopify/address |  | ⚠️ Deprecated | Address utilities for formatting addresses |
| @shopify/address-consts |  | ⚠️ Deprecated | Constants and types relating to @shopify/address |
| @shopify/address-mocks |  | ⚠️ Deprecated | Address mocks for @shopify/address |
| @shopify/admin-graphql-api-utilities |  | ⚠️ Deprecated | A set of utilities to use when consuming Shopify’s admin GraphQL API |
| @shopify/async |  | ⚠️ Deprecated | Primitives for loading parts of an application asynchronously |
| @shopify/browser |  | ⚠️ Deprecated | Utilities for extracting browser information from user-agents |
| @shopify/csrf-token-fetcher |  | ⚠️ Deprecated | JavaScript utility function to fetch the CSRF token required to make requests to a Rails server |
| @shopify/css-utilities |  | ⚠️ Deprecated | A set of CSS styling-related utilities |
| @shopify/dates |  | ⚠️ Deprecated | Lightweight date operations library |
| @shopify/function-enhancers |  | ⚠️ Deprecated | A set of helpers to enhance functions |
| graphql-config-utilities |  | ⚠️ Deprecated | Common utilities for graphql-config |
| graphql-fixtures |  | ⚠️ Deprecated | Utilities for generating fixture objects from GraphQL documents. |
| graphql-mini-transforms |  | ⚠️ Deprecated | Transformers for importing .graphql files in various build tools. |
| @shopify/graphql-testing |  | ⚠️ Deprecated | Utilities to create mock GraphQL factories |
| graphql-tool-utilities |  | ⚠️ Deprecated | Common utilities for GraphQL developer tools |
| graphql-typed |  | ⚠️ Deprecated | A more strongly typed version of GraphQL's DocumentNode. |
| graphql-typescript-definitions |  | ⚠️ Deprecated | Generate TypeScript definition files from .graphql documents |
| @shopify/i18n |  | ⚠️ Deprecated | Generic i18n-related utilities |
| @shopify/jest-dom-mocks |  | ⚠️ Deprecated | Jest mocking utilities for working with the DOM |
| @shopify/jest-koa-mocks |  | ⚠️ Deprecated | Utilities to easily stub Koa context and cookies |
| @shopify/koa-liveness-ping |  | ⚠️ Deprecated | A package for creating liveness ping middleware for use with Koa |
| @shopify/koa-metrics |  | ⚠️ Deprecated | Aims to provide standard middleware and instrumentation tooling for metrics in Koa |
| @shopify/koa-performance |  | ⚠️ Deprecated | Creating middleware that sends performance-related data through StatsD |
| @shopify/koa-shopify-graphql-proxy |  | ⚠️ Deprecated | A wrapper around koa-better-http-proxy which allows easy proxying of GraphQL requests from an embedded Shopify app |
| @shopify/koa-shopify-webhooks |  | ⚠️ Deprecated | Receive webhooks from Shopify with ease |
| @shopify/mime-types |  | ⚠️ Deprecated | MIME type consistency |
| @shopify/name |  | ⚠️ Deprecated | Name-related utilities |
| @shopify/network |  | ⚠️ Deprecated | Common values related to dealing with the network |
| @shopify/performance |  | ⚠️ Deprecated | Primitives for collecting browser performance metrics |
| @shopify/phone |  | ⚠️ Deprecated | Phone number utilities for formatting phone numbers |
| @shopify/polyfills |  | ⚠️ Deprecated | Blessed polyfills for web platform features |
| @shopify/predicates |  | ⚠️ Deprecated | A set of common JavaScript predicates |
| @shopify/react-async |  | ⚠️ Deprecated | Tools for creating powerful, asynchronously-loaded React components |
| @shopify/react-bugsnag |  | ⚠️ Deprecated | An opinionated wrapper for Bugsnag's React plugin |
| @shopify/react-compose |  | ⚠️ Deprecated | Cleanly compose multiple component enhancers together with minimal fuss |
| @shopify/react-cookie |  | ⚠️ Deprecated | Cookies in React for the server and client |
| @shopify/react-csrf |  | ⚠️ Deprecated | Share CSRF tokens throughout a React application |
| @shopify/react-csrf-universal-provider |  | ⚠️ Deprecated | A self-serializing/deserializing CSRF token provider that works for isomorphic applications |
| @shopify/react-effect |  | ⚠️ Deprecated | A component and set of utilities for performing effects within a universal React app |
| @shopify/react-form |  | ⚠️ Deprecated | Manage React forms tersely and safely-typed with no magic using React hooks |
| @shopify/react-form-state |  | ⚠️ Deprecated | Manage React forms tersely and type-safely with no magic |
| @shopify/react-google-analytics |  | ⚠️ Deprecated | Allows React apps to easily embed Google Analytics scripts |
| @shopify/react-graphql |  | ⚠️ Deprecated | Tools for creating type-safe and asynchronous GraphQL components for React |
| @shopify/react-graphql-universal-provider |  | ⚠️ Deprecated | A self-serializing/deserializing GraphQL provider that works for isomorphic applications |
| @shopify/react-hooks |  | ⚠️ Deprecated | A collection of primitive React hooks |
| @shopify/react-html |  | ⚠️ Deprecated | A component to render your React app with no static HTML |
| @shopify/react-hydrate |  | ⚠️ Deprecated | Utilities for hydrating server-rendered React apps |
| @shopify/react-i18n |  | ⚠️ Deprecated | i18n utilities for React handling translations, formatting, and more |
| @shopify/react-i18n-universal-provider |  | ⚠️ Deprecated | A self-serializing/deserializing i18n provider that works for isomorphic applications |
| @shopify/react-idle |  | ⚠️ Deprecated | Utilities for working with idle callbacks in React |
| @shopify/react-import-remote |  | ⚠️ Deprecated | Asynchronous script loading for React |
| @shopify/react-intersection-observer |  | ⚠️ Deprecated | A React wrapper around the Intersection Observer API |
| @shopify/react-network |  | ⚠️ Deprecated | A collection of components that allow you to set common HTTP headers from within your React application |
| @shopify/react-performance |  | ⚠️ Deprecated | Primitives to measure your React application's performance using @shopify/performance |
| @shopify/react-router |  | ⚠️ Deprecated | A universal router for React |
| @shopify/react-server |  | ⚠️ Deprecated | Utilities for React server-side rendering |
| @shopify/react-shortcuts |  | ⚠️ Deprecated | Declaratively and efficiently match shortcut combinations in your React application |
| @shopify/react-testing |  | ⚠️ Deprecated | A library for testing React components according to our conventions |
| @shopify/react-universal-provider |  | ⚠️ Deprecated | Factory function and utilities to create self-serializing/deserializing providers that work for isomorphic applications |
| @shopify/react-web-worker |  | ⚠️ Deprecated | A hook for using web workers in React applications |
| @shopify/semaphore |  | ⚠️ Deprecated | Counting semaphore |
| @shopify/sewing-kit-koa |  | ⚠️ Deprecated | Easily access Sewing Kit assets from a Koa server |
| @shopify/statsd |  | ⚠️ Deprecated | An opinionated StatsD client for Shopify Node.js servers and other StatsD utilities |
| @shopify/storybook-a11y-test |  | ⚠️ Deprecated | Test storybook pages with axe and puppeteer |
| @shopify/useful-types |  | ⚠️ Deprecated | A few handy TypeScript types |
| @shopify/web-worker |  | ⚠️ Deprecated | Tools for making web workers fun to use |
| @shopify/with-env |  | ⚠️ Deprecated | A utility for executing code under a specific NODE_ENV |
Gem Index
| Gem | Version | Status | Description |
|---|---|---|---|
| quilt_rails |  | ⚠️ Deprecated | A turn-key solution for integrating server-rendered React into your Rails app using Quilt libraries. |
Want to contribute?
Check out our Contributing Guide
Questions?
For Shopifolk, you can reach out to us in Slack in the #help-admin-web-platform channel. For external inquiries, we welcome bug reports, enhancements, and feature requests via GitHub issues.
License
MIT © Shopify, see LICENSE.md for details.
No vulnerabilities found.
Reason
all changesets reviewed
Reason
30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Reason
license file detected
Details
- Info: project has a license file: LICENSE.md:0
- Info: FSF or OSI recognized license: MIT License: LICENSE.md:0
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
security policy file detected
Details
- Info: security policy file detected: github.com/Shopify/.github/SECURITY.md:1
- Info: Found linked content: github.com/Shopify/.github/SECURITY.md:1
- Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy
- Info: Found text in security policy: github.com/Shopify/.github/SECURITY.md:1
Reason
8 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
- Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-w5p7-h5w8-2hfq
- Warn: Project is vulnerable to: GHSA-7p7h-4mm5-852v
- Warn: Project is vulnerable to: GHSA-wr3j-pwj9-hqq6
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/changelog.yml:1
- Warn: no topLevel permission defined: .github/workflows/cla.yml:1
- Warn: no topLevel permission defined: .github/workflows/node-ci.yml:1
- Warn: no topLevel permission defined: .github/workflows/release.yml:1
- Warn: no topLevel permission defined: .github/workflows/ruby-ci.yml:1
- Warn: no topLevel permission defined: .github/workflows/snapit.yml:1
- Info: no jobLevel write permissions found
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/changelog.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/Shopify/quilt/changelog.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/changelog.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/Shopify/quilt/changelog.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/cla.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/Shopify/quilt/cla.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node-ci.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/Shopify/quilt/node-ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node-ci.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/Shopify/quilt/node-ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node-ci.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/Shopify/quilt/node-ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/Shopify/quilt/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/Shopify/quilt/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/Shopify/quilt/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ruby-ci.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/Shopify/quilt/ruby-ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ruby-ci.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/Shopify/quilt/ruby-ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/snapit.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/Shopify/quilt/snapit.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/snapit.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/Shopify/quilt/snapit.yml/main?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/node-ci.yml:50
- Warn: npmCommand not pinned by hash: .github/workflows/release.yml:28
- Info: 0 out of 9 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 4 third-party GitHubAction dependencies pinned
- Info: 0 out of 2 npmCommand dependencies pinned
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 30 are checked with a SAST tool
Score
5.7
/10
Last Scanned on 2024-07-01
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More