version Maintenance OpenSSF Scorecard mit build
⚡️ Run a static analysis of your module's dependencies.
- Node.js version 22 or higher
Scanner builds on JS-X-Ray (SAST) and Vulnera (CVE detection), and adds additional detections such as:
- Detects:
- Manifest confusion
- Dependency confusion
- Typosquatting of popular package names
- Install scripts (e.g.
install,preinstall,postinstall,preuninstall,postuninstall)
- Highlights packages by name, version(s), or maintainer
- Supports NPM and Yarn lockfiles
This package is available in the Node Package Repository and can be easily installed with npm or yarn.
$ npm i @nodesecure/scanner
# or
$ yarn add @nodesecure/scannerimport * as scanner from "@nodesecure/scanner"; import fs from "node:fs/promises"; // CONSTANTS const kPackagesToAnalyze = ["mocha", "cacache", "is-wsl"]; const payloads = await Promise.all( kPackagesToAnalyze.map((name) => scanner.from(name)) ); const promises = []; for (let i = 0; i < kPackagesToAnalyze.length; i++) { const data = JSON.stringify(payloads[i], null, 2); promises.push(fs.writeFile(`${kPackagesToAnalyze[i]}.json`, data)); } await Promise.allSettled(promises);
See types.ts for a complete TypeScript definition.
function workingDir( location: string, options?: Scanner.WorkingDirOptions, logger?: Scanner.Logger ): Promise<Scanner.Payload>; function from( packageName: string, options?: Scanner.FromOptions, logger?: Scanner.Logger ): Promise<Scanner.Payload>; function verify( packageName?: string ): Promise<tarball.ScannedPackageResult>;
WorkingDirOptions and FromOptions are described with the following TypeScript interfaces:
type WorkingDirOptions = Options & { /** * NPM runtime configuration (such as local .npmrc file) * It is optionally used to fetch registry authentication tokens */ npmRcConfig?: Config; }; type FromOptions = Omit<Options, "includeDevDeps">; interface Options { /** * Specifies the maximum depth to traverse for each root dependency. * A value of 2 would mean only traversing deps and their immediate deps. * * @default Infinity */ maxDepth?: number; /** * Includes development dependencies in the walk. * Note that enabling this option can significantly increase I/O and processing time. * * @default false */ includeDevDeps?: boolean; readonly registry?: string | URL; /** * Enables the use of Arborist for rapidly walking over the dependency tree. * When enabled, it triggers different methods based on the presence of `node_modules`: * - `loadActual()` if `node_modules` is available. * - `loadVirtual()` otherwise. * * When disabled, it will iterate on all dependencies by using pacote */ packageLock?: { /** * Fetches all manifests for additional metadata. * * @default false */ fetchManifest?: boolean; /** * Specifies the location of the manifest file for Arborist. * This is typically the path to the `package.json` file. */ location: string; }; highlight?: { contacts: Contact[]; }; /** * Vulnerability strategy name (npm, snyk, node) * * @default NONE */ readonly vulnerabilityStrategy?: Vuln.Strategy.Kind; /** * Analyze root package. * * @default false for from() API * @default true for cwd() API */ readonly scanRootNode?: boolean; }
Additional APIs are available at:
Click on one of the links to access the documentation of the workspace:
| name | package and link |
|---|---|
| tarball | @nodesecure/tarball |
| tree-walker | @nodesecure/tree-walker |
| flags | @nodesecure/flags |
| mama | @nodesecure/mama |
| contact | @nodesecure/contact |
| conformance | @nodesecure/conformance |
| npm-types | @nodesecure/npm-types |
| i18n | @nodesecure/i18n |
| rc | @nodesecure/rc |
| utils | @nodesecure/utils |
| fs-walk | @nodesecure/fs-walk |
| github | @nodesecure/github |
| gitlab | @nodesecure/gitlab |
Thanks goes to these wonderful people (emoji key):
Gentilhomme
Gentilhomme
💻 📖 👀 🛡️ 🐛 Tony Gorez
Tony Gorez
💻 📖 👀 🐛 Haze
Haze
💻 Maksim Balabash
Maksim Balabash
💻 🐛 Antoine Coulon
Antoine Coulon
💻 🐛 👀 🚧 🛡️ Nicolas Hallaert
Nicolas Hallaert
💻 Yefis
Yefis
💻
Gentilhomme
💻 📖 👀 🛡️ 🐛 Tony Gorez
Tony Gorez
💻 📖 👀 🐛 Haze
Haze
💻 Maksim Balabash
Maksim Balabash
💻 🐛 Antoine Coulon
Antoine Coulon
💻 🐛 👀 🚧 🛡️ Nicolas Hallaert
Nicolas Hallaert
💻 Yefis
Yefis
💻
Franck Hallaert
Franck Hallaert
💻 Ange TEKEU
Ange TEKEU
💻 Vincent Dhennin
Vincent Dhennin
💻 📖 👀 🐛 Kouadio Fabrice Nguessan
Kouadio Fabrice Nguessan
🚧 PierreDemailly
PierreDemailly
💻 👀 🐛⚠️
Kishore
Kishore
💻 📖 Clement Gombauld
Clement Gombauld
💻
Franck Hallaert
💻 Ange TEKEU
Ange TEKEU
💻 Vincent Dhennin
Vincent Dhennin
💻 📖 👀 🐛 Kouadio Fabrice Nguessan
Kouadio Fabrice Nguessan
🚧 PierreDemailly
PierreDemailly
💻 👀 🐛
Kishore
💻 📖 Clement Gombauld
Clement Gombauld
💻
Ajāy
Ajāy
💻 📖 Nicolas Hallaert
Nicolas Hallaert
📖 Maxime
Maxime
⚠️
Ange TEKEU
Ange TEKEU
💻 Alexandre Malaj
Alexandre Malaj
💻 📖 🌍 FredGuiou
FredGuiou
🚧 Christian Lisangola
Christian Lisangola
⚠️
Ajāy
💻 📖 Nicolas Hallaert
Nicolas Hallaert
📖 Maxime
Maxime
Ange TEKEU
💻 Alexandre Malaj
Alexandre Malaj
💻 📖 🌍 FredGuiou
FredGuiou
🚧 Christian Lisangola
Christian Lisangola
MIT