It's been a while since I've had the opportunity to write an article here (slightly less free time for open source at the moment).
Today I released version 0.8.0 of Node-secure (not a pre-release this time).
Let's dive directly into what's new since the last article:
A lot of improvements have been made to the static analysis. The number of "encoded-literals" warnings has been reduced by 50%!
The analysis is also capable of detecting Morse code 😆 (not a joke).
It is now possible to run the verify command on a local project. You just have to omit the package name (as with the auto command):
$ nsecure verify
The search bar now allows you to filter packages by their size. Example with express:
Under the hood it uses a package I created: size-satisfies.
This new version adds an "inspect" column to the warnings popup. Clicking it loads and displays the offending code in a little block.
Thanks to tony for his work on the feature. It took us several weeks to get a result we were happy with.
The UI is now built with esbuild instead of webpack. The build is done in about 200ms and we have removed all dependencies related to webpack.
We added the flag hasNativeCode 🐲, set if the package contains anything related to a native addon:
- .c, .cpp or .gyp file extensions
- a dependency known to be useful for native addons (node-gyp, node-addon-api, prebuildify and the like)
- the "gypfile" property is true in the package.json
We added a new "beta" command to show a summary for a given Nsecure JSON payload (as we do in the interface).
Thanks again to tony who worked on the feature. ⚠️ Some elements are still missing and will certainly be added in the next version.
The GitHub issue is available here.
- Global warnings are now also displayed at CLI runtime so that they don't go unnoticed.
- Global warnings are also part of the i18n.
- Use GitHub Actions instead of Travis.
- Add the Node-secure version to the JSON payload.
- Enhance the flag descriptions (HTML).
Release available here.
- Adding support for Snyk and npm audit to detect and fetch CVEs.
- Taking version compatibility into account when loading the JSON (PR opened by Tony).
- Rework part of the UI with web components (I'm already working on a POC).
- Use D3.js instead of Vis.js (no POC on how we will do this yet).
- Working a lot on enhancing JS-X-Ray and the static analysis.
If you have ideas, don't hesitate to come talk and contribute.
A version that took a long time to be published, but in the end I am still satisfied with the progress made.
Thanks for reading!