Skip to content

Instantly share code, notes, and snippets.

@miglen
Created February 10, 2021 11:55
Show Gist options
  • Save miglen/1caf19ace61e33e3e7d1c29acb648e37 to your computer and use it in GitHub Desktop.
Save miglen/1caf19ace61e33e3e7d1c29acb648e37 to your computer and use it in GitHub Desktop.
Dirty check for non existing public npm dependencies
#!/bin/env python3
# https://www.bleepingcomputer.com/news/security/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack/
# The following script finds all package.json files in the current dir and checks if there are referenced any
# dependencies that no public package is available for, making your application vulnerable to supply-chain attack.
# Simply run ./packagejson.py in your root repository direcotory.
import json
import requests
from pathlib import Path
import urllib.parse
def scan_package(file="./package.json"):
with open(file, "r") as f:
data = json.load(f)
dep_keys = ["dependencies", "devDependencies", "peerDependencies",
"bundledDependencies", "optionalDependencies"]
print(f"Checking file {file}")
for dep in dep_keys:
if dep in data.keys():
for depen in data[dep]:
package = urllib.parse.quote_plus(depen)
if requests.get(f"https://api.npms.io/v2/package/{package}").status_code != 200:
print(f"{file} - {dep} - {depen}")
for path in Path('./').rglob('package.json'):
scan_package(path)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment