Dirty check for npm dependencies that have no package on the public registry
#!/bin/env python3
# The following script finds all package.json files below the current directory and checks whether any
# dependency they reference has no package on the public npm registry. An unclaimed name can be registered
# by anyone, so a build that resolves it from the public registry would pull attacker-controlled code
# (dependency confusion) -- a supply-chain attack. Note the converse does not hold: a name that does resolve
# publicly is not necessarily yours; check ownership of internal package names by hand.
# Run this script from the root directory of your repository.
import json
import requests
from pathlib import Path
import urllib.parse
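def scan_package(file="./package.json", *, registry="https://registry.npmjs.org",
                 timeout=10, session=None):
    """Report dependencies of one package.json that cannot be confirmed on the public registry.

    Every name listed under ``dependencies``, ``devDependencies``,
    ``peerDependencies``, ``optionalDependencies`` and
    ``bundledDependencies`` / ``bundleDependencies`` is looked up on
    ``registry``.  A 404 means the name is unclaimed there: anyone can publish
    a package under it, so a build that falls back to the public registry
    (dependency confusion) would fetch attacker-controlled code.  Such names
    are printed as ``<file> - <key> - <name> - <reason>``.  Lookups that fail
    for another reason (rate limiting, 5xx, network error) are printed as
    well but marked *unverified*, so they are neither mistaken for a clean
    result nor for a confirmed missing package.

    Args:
        file: path of the package.json to inspect.
        registry: base URL the names are looked up on; defaults to the
            public npm registry.  (The visible original built the request
            from the bare package name, without scheme or host.)
        timeout: per-request timeout in seconds; without one a stalled
            registry would hang the scan forever.
        session: object exposing ``get(url, timeout=...)`` that returns a
            response with ``.status_code`` (the ``requests`` module itself by
            default).  Lets callers reuse a ``requests.Session`` or run the
            check offline against a stub.

    Returns:
        list of ``(file, dependency_key, name, status)`` tuples, one per
        dependency that was not confirmed; ``status`` is the HTTP status
        code or ``None`` when the request itself failed or the name was
        empty.  An empty list means every name answered 200.

    Raises:
        ValueError: if the file's top-level JSON value is not an object.
        OSError / json.JSONDecodeError: propagated from reading the file.

    Caveats:
        * A 200 only proves the name is *taken* on the registry, not that it
          is owned by you.  For an internal package name a public hit may
          mean the squat has already happened -- verify ownership manually.
        * Names whose spec is not a registry spec (``file:``, ``git+...``,
          ``npm:`` aliases, workspace links) are still looked up; npm does
          not fetch those from the registry, so weigh such findings with
          that in mind.
    """
    # Keys npm reads dependency names from.  "bundleDependencies" is the
    # spelling npm documents and "bundledDependencies" its accepted alias;
    # either may hold an array of names instead of a name->spec object.
    dep_keys = ["dependencies", "devDependencies", "peerDependencies",
                "bundledDependencies", "bundleDependencies", "optionalDependencies"]
    with open(file, "r") as f:
        data = json.load(f)
    if not isinstance(data, dict):
        raise ValueError(f"{file}: top-level JSON value is not an object")
    print(f"Checking file {file}")
    if session is None:
        session = requests  # the module exposes .get() like a Session does
    findings = []
    for key in dep_keys:
        for name in _dependency_names(data.get(key)):
            status = _registry_status(session, registry, name, timeout)
            if status == 200:
                continue  # name is claimed on the registry (see Caveats)
            findings.append((file, key, name, status))
            print(f"{file} - {key} - {name} - {_describe(status)}")
    return findings


def _dependency_names(section):
    """Return the names in one dependency section: object keys, or the strings of an array."""
    if isinstance(section, dict):
        return list(section)
    if isinstance(section, list):
        return [n for n in section if isinstance(n, str)]
    return []  # key absent, or an unexpected shape such as `true`


def _registry_status(session, registry, name, timeout):
    """Return the HTTP status ``registry`` answers for ``name``, or None if the request failed.

    Scoped names must be sent as ``@scope%2Fpkg`` -- the ``@`` kept, the
    ``/`` escaped -- which is the form the npm registry API documents;
    ``quote_plus`` would also escape the ``@``.  Escaping the slash also
    keeps an odd name from being interpreted as extra path segments.
    """
    if not name:
        return None  # an empty name would request the registry root, which answers 200
    url = f"{registry.rstrip('/')}/{urllib.parse.quote(name, safe='@')}"
    try:
        return session.get(url, timeout=timeout).status_code
    except OSError:
        # requests' RequestException subclasses IOError, so timeouts and
        # connection errors land here without naming the requests package.
        return None


def _describe(status):
    """Human-readable reason for reporting a dependency with the given status."""
    if status == 404:
        return "not on the public registry (unclaimed name, dependency-confusion risk)"
    if status is None:
        return "lookup failed, unverified"
    return f"HTTP {status}, unverified"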
for path in Path('./').rglob('package.json'):