@m13 /npmSecurityCheck.js Secret
Last active Dec 18, 2015

What would you like to do?
Use this script in your git pre-commit hook or wherever you like to see information (shrinkwrap, registry URL, dependency statistics) about your Node.js project. Helpful for detecting some risky npm configurations or security-relevant behaviours. REMEMBER: 1) You need npm & async 2) Do not run this script from the same folder as your app, because it will detect "npm" and "async" as your p…
#!/usr/bin/env node
var npm = require('npm');
var fs = require('fs');
var async = require('async');
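// ANSI colour codes for terminal output. Written as hex escapes: the octal
// form ('\033') is a SyntaxError under strict mode and in ES modules, while
// '\x1b' produces the same ESC byte.
var red = '\x1b[31m';
var blue = '\x1b[34m';
var reset = '\x1b[0m';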
/**
 * Print one check result as a bullet line.
 *
 * @param {string} msg     label of the check
 * @param {boolean} status truthy when the check passed
 * @param {string} advice  text shown in red when the check failed
 */
function print(msg, status, advice) {
  // Pass: blue "OK". Fail: the advice in red. The colour is always reset so
  // a failing line does not bleed into the following output.
  var verdict = status ? blue + 'OK' : red + advice;
  console.log(' * ' + msg + ': ' + verdict + reset);
}
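console.log(' # Sergio Arcos @ nodesecurity.io # ');

// npm.load reads the npm configuration (registry, ...) and hands back the npm
// API; every check below runs inside this callback. The callback's `npm`
// parameter shadows the required module on purpose.
npm.load([], function (er, npm) {
  if (er) {
    // Previously ignored; the script would then have crashed on the first
    // npm.config / npm.commands access instead of reporting the cause.
    console.error(red + 'Could not load npm: ' + (er.message || er) + reset);
    process.exitCode = 1;
    return;
  }

  // Matches "name@x.y.z" as printed by `npm ls`, including scoped names
  // ("@scope/name@x.y.z"). A regex literal is used because the original wrote
  // the pattern as a plain string, where '\.' loses its backslash and the
  // intended literal dots matched any character. The version group stops at
  // whitespace so trailing markers such as " deduped" are not handed to
  // `npm view`.
  var DEP_LINE = /((?:@[a-z0-9._-]+\/)?[a-z0-9._-]+)@(\d+\.\d+\.\d+\S*)/;

  /**
   * Count the installed dependencies and print, sorted by publish date, one
   * "<published>\t<version>\t<name>" row per dependency.
   *
   * `npm ls` prints its tree straight to stdout, so stdout is captured while
   * it runs and parsed afterwards; the publish time of each name@version is
   * then looked up with `npm view`.
   *
   * @param {function} callback async.series continuation
   */
  var dependencyStatistics = function (callback) {
    var realWrite = process.stdout.write;
    var captured = '';
    // Collect every chunk instead of only the first one; nothing reaches the
    // terminal until stdout is restored below.
    process.stdout.write = function (chunk) {
      captured += String(chunk);
      return true;
    };

    npm.commands.ls([], function (err) {
      // npm writes the tree before invoking this callback; restore stdout on
      // every path so that later output (and `print`) is not swallowed.
      process.stdout.write = realWrite;
      if (err) {
        print('Could not list dependencies', false, String(err.message || err));
        return callback();
      }
      collectPublishTimes(captured.split('\n'), function (info) {
        print('How many dependencies?', false, info.length);
        // Rows are [time, version, name]; the default (string) sort therefore
        // orders them by the ISO publish timestamp.
        info.sort();
        console.log('Dependency summary: (sorted)');
        info.forEach(function (row) {
          console.log(row.join('\t'));
        });
        callback();
      });
    });
  };

  /**
   * For each line that names a dependency, ask the registry
   * (`npm view name@version time`) when that exact version was published.
   * Lookups run one at a time; lines that do not parse, and lookups that fail
   * or return no entry for the version, are skipped.
   *
   * @param {string[]} lines output of `npm ls`, one entry per line
   * @param {function} done  called with the collected [time, version, name] rows
   */
  function collectPublishTimes(lines, done) {
    var info = [];
    (function next(i) {
      if (i >= lines.length) return done(info);
      var m = DEP_LINE.exec(lines[i]);
      if (m === null) return next(i + 1);
      var name = m[1];
      var version = m[2];
      npm.commands.view([name + '@' + version, 'time'], true, function (err, times) {
        // `times` is keyed by version; guard every level because a failed or
        // unknown lookup used to throw a TypeError here.
        var entry = (!err && times) ? times[version] : undefined;
        if (entry && entry.time) {
          info.push([entry.time[version], version, name]);
        }
        next(i + 1);
      });
    })(0);
  }

  /**
   * Warn when the configured registry differs from the public npm registry.
   * The comparison is exact on purpose: a mirror, an http:// URL or a
   * look-alike host all deserve a look before installing from it.
   *
   * @param {function} callback async.series continuation
   */
  var npmRegistry = function (callback) {
    var registry = npm.config.get('registry');
    print('Is your npm-registry by default?',
      registry === 'https://registry.npmjs.org/',
      registry);
    callback();
  };

  /**
   * Check for npm-shrinkwrap.json in the current directory (the script is
   * expected to run from the project root); without it the installed
   * dependency tree is not pinned.
   *
   * @param {function} callback async.series continuation
   */
  var shrinkwrap = function (callback) {
    print('Is npm-shrinkwrap.json?',
      fs.existsSync('./npm-shrinkwrap.json'),
      'Seal your version with $ npm shrinkwrap');
    callback();
  };

  // Run the checks one after another; dependencyStatistics goes last because
  // it is the only one that queries the registry.
  async.series([
    shrinkwrap,
    npmRegistry,
    dependencyStatistics
  ], function () {
    console.log('Done!');
  });
});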