
Thomas.G for NodeSecure


Announcing new NodeSecure back-end

Hello πŸ‘‹

In the last article of the series I announced the future of NodeSecure. Well, we have just finished rebuilding our back-end 😲 (or at least a first version of it).

So what is special about this new back-end? That is what we will discover in this article 👀.

But first let me make an introduction for the newcomers.

What is NodeSecure ❓

NodeSecure is an open source organization that aims to create free JavaScript security tools. Our biggest area of expertise is in npm package and code analysis.

Our most notable projects are:

The main project is a CLI that fetches and deeply analyzes the dependency tree of a given npm package (or of a local project with a package.json) and outputs a .json file containing all the metadata and flags collected for each package.

The CLI can then open that JSON and draw a network of all dependencies (the UI and emoji flags help you spot potential issues and security threats).


More information on our Governance page.

New back-end πŸš€

Moving everything to the NodeSecure GitHub org 🏠

All packages have been moved to the GitHub organization. You will also notice that we have a nice new logo ✨ (created by Tony).


This should make it simpler to build a new set of tools and to collaborate more effectively. Onboarding new maintainers should also be much easier.

Moving to Node.js 16 and ESM

One of the major choices was to use ESM instead of CJS. Many maintainers, Sindresorhus among them, have switched their packages to ESM only, and since an ESM-only package cannot be required from CJS code, that prevented us from updating some of our dependencies 😭.

There are still a lot of things that are not stable, but we are convinced that it is the right choice for the future of our tools πŸ’ͺ.

Since we still have time before finalizing version 1, we also chose to restrict support to the next LTS of Node.js (v16).

New segmentation and packages πŸ“¦

We have split the back-end into a multitude of packages, which makes each of them reusable in other tools.


It will also greatly improve the quality of documentation and testing πŸ’Ž.

name             | description
-----------------|------------------------------------------------------------------------------------------
scanner          | ⚡️ A package API to run a static analysis of your module's dependencies.
vuln             | npm audit, Snyk and Node.js Security WG vulnerability strategies built for NodeSecure.
flags            | NodeSecure security flags 🚩 (configuration and documentation)
i18n             | NodeSecure internationalization
npm-registry-sdk | Node.js SDK to fetch data from the npm API.

And there is still a lot more to discover (fs-walk, sec-literal, npm-tarball-license-parser, etc.).

Scanner API πŸ”¬

Even though the scanner now lives in a dedicated package, its API has not changed.

import * as scanner from "@nodesecure/scanner";
import fs from "fs/promises";

// CONSTANTS
const kPackagesToAnalyze = ["mocha", "cacache", "is-wsl"];

// Fetch and analyze each package and its full dependency tree concurrently.
const payloads = await Promise.all(
  kPackagesToAnalyze.map((name) => scanner.from(name))
);

// Write one <package>.json report per analyzed package.
const promises = [];
for (let i = 0; i < kPackagesToAnalyze.length; i++) {
  const data = JSON.stringify(payloads[i], null, 2);

  promises.push(fs.writeFile(`${kPackagesToAnalyze[i]}.json`, data));
}
// allSettled: a single failed write does not reject the whole batch.
await Promise.allSettled(promises);
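Once the JSON payloads are on disk, the next question for a reviewer is which dependency versions deserve a manual look. The block below is an added example, not code from the article or from NodeSecure's packages: it reduces a scanner payload to a sorted triage list of flagged versions and counts how often each flag occurs. The payload shape it walks (dependencies, then versions, then flags, in either an object or an array layout) is an assumption about the format rather than something the article documents, and the embedded sample payload uses made-up package names.

```javascript
// Added example, not code from the article or from NodeSecure itself:
// reduce a scanner payload (the JSON the script above writes) to a triage
// list of dependency versions carrying the flags a reviewer cares about.
//
// Assumed payload shape (an assumption, not stated by the article):
//   payload.dependencies[name].versions is either an object keyed by
//   version, or an array of version strings with each version's descriptor
//   stored under payload.dependencies[name][version]; a descriptor's `flags`
//   is either an array of flag names or an object of booleans.

// Flags worth a manual look. The names are sample data for this example.
const kFlagsOfInterest = [
  "hasExternalCapacity", // touches the network, file system or child processes
  "hasMinifiedCode",     // hard to review, easy to hide a payload in
  "hasNativeCode",       // ships or builds native binaries
  "isDeprecated",        // unmaintained, unlikely to receive security fixes
];

// Normalize `flags` to a Set of flag names, whichever form it came in.
function normalizeFlags(flags) {
  if (Array.isArray(flags)) {
    return new Set(flags);
  }
  if (flags !== null && typeof flags === "object") {
    return new Set(
      Object.entries(flags)
        .filter(([, enabled]) => enabled === true)
        .map(([flag]) => flag)
    );
  }
  return new Set();
}

// Yield [version, descriptor] pairs for both supported layouts.
function* iterVersions(dependency) {
  const versions = dependency?.versions;
  if (Array.isArray(versions)) {
    for (const version of versions) {
      yield [version, dependency[version] ?? {}];
    }
  } else if (versions !== null && typeof versions === "object") {
    yield* Object.entries(versions);
  }
}

// Return [{ name, version, flags }] for every dependency version carrying at
// least one flag of interest, sorted by name then version so the output is
// stable across runs (useful when diffing reports over time).
function collectFlagged(payload, flagsOfInterest = kFlagsOfInterest) {
  const hits = [];
  for (const [name, dependency] of Object.entries(payload.dependencies ?? {})) {
    for (const [version, descriptor] of iterVersions(dependency)) {
      const flags = normalizeFlags(descriptor.flags);
      const matched = flagsOfInterest.filter((flag) => flags.has(flag));
      if (matched.length > 0) {
        hits.push({ name, version, flags: matched });
      }
    }
  }
  return hits.sort(
    (a, b) => a.name.localeCompare(b.name) || a.version.localeCompare(b.version)
  );
}

// Count how many flagged versions carry each flag: a quick "where to look first".
function countByFlag(hits) {
  const counts = {};
  for (const { flags } of hits) {
    for (const flag of flags) {
      counts[flag] = (counts[flag] ?? 0) + 1;
    }
  }
  return counts;
}

// Constructed sample payload with fake package names; it mixes the object and
// array layouts described above so both code paths are exercised.
const kSamplePayload = {
  rootDependencyName: "pkg-a",
  dependencies: {
    "pkg-a": { versions: { "3.1.0": { flags: [] } } },
    "pkg-b": {
      versions: ["1.0.0", "1.4.2"],
      "1.0.0": { flags: { isDeprecated: true, hasMinifiedCode: false } },
      "1.4.2": { flags: ["hasMinifiedCode", "hasExternalCapacity"] },
    },
    "pkg-c": { versions: { "0.9.0": { flags: ["hasExternalCapacity", "hasLicense"] } } },
  },
};

// On a real report, replace kSamplePayload with the parsed file written above:
//   const payload = JSON.parse(await fs.readFile("is-wsl.json", "utf8"));
const hits = collectFlagged(kSamplePayload);
console.table(hits);
console.log(countByFlag(hits));
```

Adjust kFlagsOfInterest to the threats that matter for your project; the full list of flag names and their meaning is what the flags package documents.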

The PDF & HTML report project has been updated to use this new back-end.

Team and contributors πŸ‘―

We are integrating Vincent Dhennin as a new maintainer. His help and contributions have been important and I can only thank him for this investment.

We are now three (including Tony Gorez and me).

I would like to thank the other contributors who participated a lot:

What's next?

To be clear, the objective is to prepare a version 0.9.0 of NodeSecure implementing the new back-end (already in progress).

This will allow us to continually improve and update the back-end features. It will also now be easier to work on the evolution of the CLI.

We still don't have a roadmap or vision for the new interface. We will start working on it by October or November I think.


πŸ™ Thanks for reading and see you soon for an article on the next version of the CLI 😍.

Top comments (2)

Ange Tekeu

Almost 2 years now. Great team!

tonygo

Amazing project, amazing journey ^^