Hello
In the last article of the series I announced the future of NodeSecure. Well, we have just finished rebuilding our back-end (or at least a first version of it).
So what are the particularities of this new back-end? That is what we will discover in this article.
But first let me make an introduction for the newcomers.
What is NodeSecure
NodeSecure is an open source organization that aims to create free JavaScript security tools. Our biggest area of expertise is in npm package and code analysis.
Our most notable projects are:
The main project is a CLI that fetches and deeply analyzes the dependency tree of a given npm package (or of a local project with a package.json) and outputs a .json file containing all the metadata and flags for each package.
The CLI is also able to open that JSON and draw a network of all dependencies (the UI and emoji flags help you identify potential issues and security threats).
More information on our Governance page.
New back-end
Moving everything to the NodeSecure GitHub org
All packages have been moved to the GitHub organization. You will notice that we have a nice new logo (created by Tony).
This should make it simple to implement a new set of tools and collaborate more effectively. The integration of new maintainers should also be greatly simplified.
Moving to Node.js 16 and ESM
One of the major choices was to use ESM instead of CJS. Many maintainers, such as Sindresorhus, chose to switch to ESM, which prevented us from updating some of the packages we depend on.
There are still a lot of things that are not stable, but we are convinced that it is the right choice for the future of our tools.
Since we still have time before completely finalizing version 1, we also chose to limit support to the next LTS of Node.js.
New segmentation and packages
We have segmented the back-end into a multitude of packages. That makes them reusable in other tools.
It will also greatly improve the quality of documentation and testing.
| name | description |
|---|---|
| scanner | A package API to run a static analysis of your module's dependencies. |
| vuln | NPM Audit, Snyk and Node.js Security WG vulnerability strategies built for NodeSecure. |
| flags | NodeSecure security flags (configuration and documentation). |
| i18n | NodeSecure internationalization. |
| npm-registry-sdk | Node.js SDK to fetch data from the npm API. |
And there is still a lot more to discover (fs-walk, sec-literal, npm-tarball-license-parser, etc.).
Scanner API
Even though we now have a dedicated package, the API has not changed.
```js
import * as scanner from "@nodesecure/scanner";
import fs from "fs/promises";

// CONSTANTS
const kPackagesToAnalyze = ["mocha", "cacache", "is-wsl"];

// scanner.from(name) fetches the package from the registry and returns the
// full analysis payload (dependency tree, flags, warnings, vulnerabilities).
// Promise.all rejects as a whole if any single analysis fails.
const payloads = await Promise.all(
  kPackagesToAnalyze.map((name) => scanner.from(name))
);

// Write one <package>.json per analyzed package, in the same order as the
// constants array (Promise.all preserves ordering).
const promises = [];
for (let i = 0; i < kPackagesToAnalyze.length; i++) {
  const data = JSON.stringify(payloads[i], null, 2);
  promises.push(fs.writeFile(`${kPackagesToAnalyze[i]}.json`, data));
}

// allSettled never rejects: a failed write is recorded as a rejected entry in
// the returned array rather than thrown, so inspect the result if it matters.
await Promise.allSettled(promises);
```
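Once the payloads are on disk the interesting part is triaging them. The following is an added example, not code from NodeSecure: three small reports over a payload (packages carrying a chosen set of flags, packages with reported vulnerabilities, and a histogram of static-analysis warning kinds). The payload shape it walks (a `dependencies` map, each entry holding a `vulnerabilities` array and a `versions` map whose entries carry `flags`, `warnings` and `usedBy`) is an assumed, trimmed-down stand-in for a real scanner result, and every package name, version, file name and the vulnerability id in the sample are constructed for this example.

```javascript
// Added example, not NodeSecure's own code: triaging a scanner payload.
// The payload below is a constructed, trimmed-down stand-in for what
// scanner.from() returns; real payloads carry many more fields per version.
const kSamplePayload = {
  id: "constructed-example",
  rootDependencyName: "my-app",
  warnings: [],
  dependencies: {
    "my-app": {
      vulnerabilities: [],
      versions: {
        "1.0.0": { flags: [], warnings: [], usedBy: {} }
      }
    },
    "tiny-template": {
      vulnerabilities: [],
      versions: {
        "1.3.0": {
          flags: ["hasMinifiedCode", "hasWarnings"],
          warnings: [
            { kind: "unsafe-regex", file: "dist/index.min.js" },
            { kind: "unsafe-regex", file: "dist/render.min.js" }
          ],
          usedBy: { "my-app": "1.0.0" }
        }
      }
    },
    "old-parser": {
      vulnerabilities: [
        { id: "CONSTRUCTED-0001", severity: "high", vulnerableRanges: ["<0.2.0"] }
      ],
      versions: {
        "0.1.2": {
          flags: ["isDeprecated", "hasVulnerabilities"],
          warnings: [{ kind: "encoded-literal", file: "lib/parse.js" }],
          usedBy: { "my-app": "1.0.0" }
        },
        "0.2.0": { flags: [], warnings: [], usedBy: { "tiny-template": "1.3.0" } }
      }
    }
  }
};

// Visit every (name, version) pair once; the reports below build on this.
function* eachVersion(payload) {
  for (const [name, dep] of Object.entries(payload.dependencies)) {
    for (const [version, info] of Object.entries(dep.versions)) {
      yield { name, version, info, dep };
    }
  }
}

// Versions whose flags intersect the set a reviewer cares about, with the
// dependents that pull them in so a finding can be traced back to the root.
function findFlagged(payload, wantedFlags) {
  const wanted = new Set(wantedFlags);
  const hits = [];
  for (const { name, version, info } of eachVersion(payload)) {
    const flags = info.flags.filter((flag) => wanted.has(flag));
    if (flags.length > 0) {
      hits.push({ name, version, flags, usedBy: Object.keys(info.usedBy) });
    }
  }
  return hits.sort(
    (a, b) => a.name.localeCompare(b.name) || a.version.localeCompare(b.version)
  );
}

// Packages with at least one reported vulnerability, worst severity first.
// The severity ranking is an assumption of this example, not a NodeSecure API.
const kSeverityRank = { critical: 4, high: 3, moderate: 2, medium: 2, low: 1, info: 0 };
function listVulnerable(payload) {
  const out = [];
  for (const [name, dep] of Object.entries(payload.dependencies)) {
    if (dep.vulnerabilities.length === 0) continue;
    const worstSeverity = dep.vulnerabilities
      .map((v) => String(v.severity).toLowerCase())
      .reduce((a, b) => ((kSeverityRank[b] ?? 0) > (kSeverityRank[a] ?? 0) ? b : a));
    out.push({ name, count: dep.vulnerabilities.length, worstSeverity });
  }
  return out.sort(
    (a, b) => (kSeverityRank[b.worstSeverity] ?? 0) - (kSeverityRank[a.worstSeverity] ?? 0)
  );
}

// Histogram of static-analysis warning kinds across the whole tree.
function countWarnings(payload) {
  const counts = {};
  for (const { info } of eachVersion(payload)) {
    for (const warning of info.warnings) {
      counts[warning.kind] = (counts[warning.kind] ?? 0) + 1;
    }
  }
  return counts;
}

console.log(JSON.stringify({
  flagged: findFlagged(kSamplePayload, ["hasMinifiedCode", "isDeprecated"]),
  vulnerable: listVulnerable(kSamplePayload),
  warnings: countWarnings(kSamplePayload)
}, null, 2));
```

In practice you would `JSON.parse` one of the `<package>.json` files written by the script above instead of the embedded sample; the `usedBy` chain is what turns a flagged transitive dependency into an actionable finding, since it tells you which direct dependency to update or replace.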
The PDF & HTML report project has been updated to use this new back-end.
Team and contributors
We are integrating Vincent Dhennin as a new maintainer. His help and contributions have been important and I can only thank him for this investment.
We are now three (including Tony Gorez and me).
I would like to thank the other contributors who participated a lot:
What's next?
To be clear, the objective is to prepare a version 0.9.0 of NodeSecure implementing the new back-end (already in progress).
This will allow us to continually improve and update the back-end features. It will also now be easier to work on the evolution of the CLI.
We still don't have a roadmap or vision for the new interface. We will start working on it by October or November I think.
Thanks for reading and see you soon for an article on the next version of the CLI.
Latest comments (2)
Almost 2 years now. Great team!
Amazing project, amazing journey ^^