Can NPM show me the age of packages before installing them?

In light of recent malware in existing npm packages, I would like to have a mechanism that lets me do some basic checks before installing new packages or updating existing ones. My main issues are both the packages I install directly and also the ones I install indirectly.

In general I want to get a list of package-versions that npm would install before installing them. More specifically I want the age of the packages that would be installed, so I can generate a warning if any of them is less than a day old.

If I could do that directly with npm, that would be neat, but I'm afraid I need to do some scripting around it.

Specific use case:

If I executed npm install react-native-gesture-handler on 2021-10-22 it would have executed the post-install hook of a malicious version of ua-parser and my computer would have been compromised, which is something I would like to avoid.

When I enter npm install react-native-gesture-handler --dry-run, it only tells me which version of react-native-gesture-handler it would have installed, but it would not tell me that it would install a version of ua-parser that was released on that day.

Additional notes:

  • I know that npm i --dry-run exists, but it shows only the direct packages.
  • I know that npm list exists, but it only shows packages after installing (and thus after install hooks have already done their harm).
  • Both only show package versions and not their age.
  • I do not know how I would get a list of packages that would come with an install hook before installing them.
  • Pointers to alternative ways to deal with malicious npm packages are welcome.
  • So far my best solution would be to use "--ignore-scripts", but that would come with its own set of problems.
wotanii asked Nov 15 '21 14:11


1 Answer

To find out the malicious package, you will need a script that will check your package for vulnerabilities against the National Vulnerability Database.

The National Vulnerability Database includes databases of security checklist references, security related software flaws, misconfigurations, product names, and impact metrics.

Most software companies use application security tools like Veracode, Snyk or Checkmarx that do this, usually in a stage before deployment in the CI/CD pipeline.

If you're looking to achieve this locally, you can try

npm audit

But this will audit the installed dependencies and also their sub-dependencies in your project against the default registry (Nexus, Artifactory or the npm registry) and get you the list of known vulnerabilities with the version details in which a patch is available.

npm view will get you the details about the package even when it is not installed.


Version checks before installing would need a script to do the necessary work at preinstall. I would suggest having a dedicated project for security checks (reusable for all projects), linking or publishing it, and then configuring it in your project scripts like below:

Security Project:

This will have the script to check for vulnerabilities, leverage npm view or npm version and audit the module then return the results.

Main project:

Here, set up the scripts in package.json to use the above published project and check for vulnerabilities before installation.

npx security-project vulnerabilities


  "scripts": {
    "vulnerability": "npx security-project vulnerabilities",
    "preinstall": "npx security-project vulnerabilities"
  }

  or

  "scripts": {
    "preinstall": "sh ./checkVulnerabilities.sh"
  }

  (this script can take the package name through command line flags like --package axios)

Snyk takes your package.json and will scan all the modules for security vulnerabilities. You could also search for a specific module and check a version's health score.

https://snyk.io/advisor/check/npm

Alternatively, you could use the Snyk extension in your IDE for the same.

We have the RetireJS Chrome extension for scanning for vulnerable JS module versions in the application.

Good ref: 6-tools-you-can-use-to-check-for-vulnerabilities-in-node-js

Above are the ideas that I could think of, hope it helps.

deechris27 answered Oct 19 '22 03:10