In light of recent malware in existing npm packages, I would like to have a mechanism that lets me do some basic checks before installing new packages or updating existing ones. My main concerns are both the packages I install directly and also the ones I install indirectly.
In general I want to get a list of package versions that npm would install before installing them. More specifically I want the age of the packages that would be installed, so I can generate a warning if any of them is less than a day old.
If I could do that directly with npm, that would be neat, but I'm afraid I need to do some scripting around it.
Specific use case:
If I had executed npm install react-native-gesture-handler on 2021-10-22, it would have executed the post-install hook of a malicious version of ua-parser and my computer would have been compromised, which is something I would like to avoid.
When I enter npm install react-native-gesture-handler --dry-run, it only tells me which version of react-native-gesture-handler it would have installed, but it would not tell me that it would install a version of ua-parser that was released on that day.
Additional notes:
npm i --dry-run exists, but it shows only the direct packages.
npm list exists, but it only shows packages after installing (and thus after install hooks have already done their harm).

To find out the malicious package, you will need a script that will check your package for vulnerabilities against the National Vulnerability Database.
The National Vulnerability Database includes databases of security checklist references, security related software flaws, misconfigurations, product names, and impact metrics.
Most software companies use application security tools like Veracode, Snyk or Checkmarx that do this, usually in a stage before deployment in the CI/CD pipeline.
If you're looking to achieve this locally, you can try npm audit. But this will audit the installed dependencies and also their sub-dependencies in your project against the default registry (Nexus, Artifactory or the npm registry) and get you the list of known vulnerabilities with the version details in which a patch is available.
npm view will get you the below details about the package even when it is not installed.
Version checks before installing would need a script to do the necessary work at preinstall. I would suggest having a dedicated project for security checks (reusable for all projects), and npm link or publish it, then configure that in your project scripts like below:
Security project:
This will have the script to check for vulnerabilities, leverage npm view or npm version and audit the module, then return the results.
Main project:
Here, set up the scripts in package.json to use the above published project and check for vulnerabilities before installation, e.g. npx security-project vulnerabilities:

    "scripts": {
      "vulnerability": "npx security-project vulnerabilities",
      "preinstall": "npx security-project vulnerabilities"
    }

or

    "scripts": {
      "preinstall": "sh ./checkVulnerabilities.sh"
    }

(this script can take the package name through command-line flags like --package axios)
Snyk takes your package.json and will scan all the modules for security vulnerabilities. You could also search for a specific module and check a version's health score.
https://snyk.io/advisor/check/npm
Alternatively, you could use the Snyk extension in your IDE for the same.
There is also the RetireJS Chrome extension for scanning vulnerable JS module versions in the application.
Good ref: 6-tools-you-can-use-to-check-for-vulnerabilities-in-node-js
Above are the ideas that I could think of, hope it helps.
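The age check the question asks for, wired the way the answer's preinstall script suggests, as an added example (not code from the question, the answer or any of the tools named above). It assumes two real npm commands: `npm install --package-lock-only` to resolve the full tree (direct and transitive) into package-lock.json without installing or running hooks, and `npm view <name> time --json` for per-version publish timestamps; both outputs are stood in for by constructed data so the script runs offline.

```javascript
// Added example (not from the question or answer): flag freshly published
// packages in the resolved tree before any install script can run. Assumed
// workflow: `npm install --package-lock-only` writes package-lock.json for the
// full tree without installing or running hooks, and `npm view <name> time
// --json` gives publish timestamps per version. Both inputs are constructed
// inline here (versions and timestamps invented) so the logic runs offline.
const lockfile = {
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/react-native-gesture-handler": { version: "1.10.3" },
    "node_modules/ua-parser-js": { version: "0.7.99" },
  },
};
const publishTimes = {
  "react-native-gesture-handler": { "1.10.3": "2021-03-10T10:00:00.000Z" },
  "ua-parser-js": { "0.7.98": "2021-04-21T12:00:00.000Z", "0.7.99": "2021-10-22T12:15:00.000Z" },
};

// Lockfile keys are node_modules paths; the package name is whatever follows
// the last "node_modules/" (keeps scoped names like @scope/pkg intact).
function resolvedPackages(lock) {
  const marker = "node_modules/";
  return Object.entries(lock.packages)
    .filter(([path]) => path !== "")
    .map(([path, meta]) => ({
      name: path.slice(path.lastIndexOf(marker) + marker.length),
      version: meta.version,
    }));
}

// Return every resolved package published less than maxAgeHours before `now`;
// a version with no known publish time is reported too (ageHours: null).
function flagYoungPackages(lock, times, now, maxAgeHours = 24) {
  const flagged = [];
  for (const { name, version } of resolvedPackages(lock)) {
    const published = times[name] && times[name][version];
    if (!published) { flagged.push({ name, version, ageHours: null }); continue; }
    const ageHours = (now - Date.parse(published)) / 3.6e6;
    if (ageHours < maxAgeHours) {
      flagged.push({ name, version, ageHours: Math.round(ageHours * 10) / 10 });
    }
  }
  return flagged;
}
// Pretend the check runs on the afternoon of 2021-10-22, the day in the question.
const now = Date.parse("2021-10-22T18:00:00.000Z");
for (const f of flagYoungPackages(lockfile, publishTimes, now)) {
  console.warn(`WARNING: ${f.name}@${f.version} published ${f.ageHours ?? "unknown"} h ago`);
}
```

In a real preinstall hook, replace the two constructed objects with the parsed package-lock.json and the output of npm view for each resolved name, and exit non-zero when the returned list is non-empty.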