Hello,
After more than ten long months of work, we are finally there! Version 0.9.0 has been released on npm.
This is a version that required a lot of effort. Thank you to everyone who contributed and made this possible.
So what are the features of this new release v0.9.0? This is what we will discover in this article.
For newcomers, you can learn more about NodeSecure here or by reading the series.
V0.9.0
This new version uses the new back-end and especially version 3 of the scanner.
ESM instead of CJS
This is a choice we explained in a previous article. This version has been completely rewritten in ESM.
We also made the choice to abandon Jest, which caused too many problems. We now use tape.
Better CLI
All commands are now separated by file, and the bin/index.js file has been cleaned of all unnecessary code.
We are also working on adding unit tests for each command (which should avoid regressions and allow better contributions).
New front-end network management
This release heavily improves the front-end code with the addition of a package dedicated to vis-network management.
NodeSecure / vis-network
NodeSecure Vis.js network front-end module.
Getting Started
This package is available in the Node Package Repository and can be easily installed with npm or yarn.
$ npm i @nodesecure/vis-network
# or
$ yarn add @nodesecure/vis-network
Usage example
// Import Third-party Dependencies
import { NodeSecureDataSet, NodeSecureNetwork } from "@nodesecure/vis-network";

document.addEventListener("DOMContentLoaded", async () => {
  // Load the scanner payload and build the dataset the network is rendered from
  const secureDataSet = new NodeSecureDataSet();
  await secureDataSet.init();

  // Render the dependency graph with vis-network
  new NodeSecureNetwork(secureDataSet);
});
Scripts
The project scripts are used for those who want to test the code.
- npm start to start an HTTP server from ./dist
- npm run build to build the ./example with esbuild.
Note: The start command runs the build command before launching the HTTP server.
This should also allow us to migrate more easily to D3.js in 2022.
Better resolver support
The new version of the scanner supports the github: and git: dependency specs.
The scanner is now able to analyze the following dependencies:
"dependencies": {
  "zen-observable": "^0.8.15",
  "nanoid": "github:ai/nanoid",
  "js-x-ray": "git://github.com/NodeSecure/js-x-ray.git",
  "nanodelay": "git+ssh://git@github.com:ai/nanodelay.git",
  "nanoevents": "git+https://github.com/ai/nanoevents.git"
}
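To show what the scanner has to deal with here, the following is an added example (not the NodeSecure scanner's own resolver code) that classifies each spec from the block above. Git-based dependencies bypass the registry's immutable, versioned tarballs, so listing them, and whether they are pinned to a commit, is the review a practitioner wants. The regular expressions and the extra "pinned-example" entry are constructed for this illustration.

```javascript
// Added example (not part of the NodeSecure scanner): classify the dependency
// specs found in a package.json so that git-based dependencies, which bypass
// the npm registry and its immutable versioned tarballs, can be listed for review.

// github:owner/repo(.git)(#ref)
const GITHUB_SHORTHAND = /^github:([^/#]+)\/([^#]+?)(?:\.git)?(?:#(.+))?$/;
// git://host/owner/repo(.git)(#ref), git+ssh://user@host:owner/repo(.git)(#ref),
// git+https://host/owner/repo(.git)(#ref)
const GIT_URL = /^git(?:\+(ssh|https?))?:\/\/(?:([^@/]+)@)?([^/:]+)[/:]([^/#]+)\/([^#]+?)(?:\.git)?(?:#(.+))?$/;

function parseDependencySpec(name, spec) {
  let m = GITHUB_SHORTHAND.exec(spec);
  if (m) {
    return { name, type: "github", host: "github.com", owner: m[1], repo: m[2], committish: m[3] ?? null };
  }
  m = GIT_URL.exec(spec);
  if (m) {
    return {
      name,
      type: "git",
      protocol: m[1] ? `git+${m[1]}` : "git",
      user: m[2] ?? null,
      host: m[3],
      owner: m[4],
      repo: m[5],
      committish: m[6] ?? null
    };
  }
  // Anything else is treated as a registry spec (semver range, exact version or dist-tag).
  return { name, type: "registry", range: spec };
}

// Returns the dependencies that do not resolve through the registry, noting whether
// they are pinned to a commit hash (a tag or branch name can still be moved).
function listGitDependencies(dependencies) {
  return Object.entries(dependencies)
    .map(([name, spec]) => parseDependencySpec(name, spec))
    .filter((dep) => dep.type !== "registry")
    .map((dep) => ({
      ...dep,
      pinnedToCommit: dep.committish !== null && /^[0-9a-f]{7,40}$/i.test(dep.committish)
    }));
}

// The dependencies block from the post, plus one constructed entry pinned to a commit.
const SAMPLE_DEPENDENCIES = {
  "zen-observable": "^0.8.15",
  "nanoid": "github:ai/nanoid",
  "js-x-ray": "git://github.com/NodeSecure/js-x-ray.git",
  "nanodelay": "git+ssh://git@github.com:ai/nanodelay.git",
  "nanoevents": "git+https://github.com/ai/nanoevents.git",
  "pinned-example": "github:example/pinned#0123456789abcdef0123456789abcdef01234567" // constructed
};

for (const dep of listGitDependencies(SAMPLE_DEPENDENCIES)) {
  const pinned = dep.pinnedToCommit ? "pinned to a commit" : "not pinned to a commit";
  console.log(`${dep.name}: ${dep.type} ${dep.host}/${dep.owner}/${dep.repo} (${pinned})`);
}
```

Of the five non-registry specs in the block, only the constructed one is pinned to a commit; the four from the post resolve to whatever the default branch points at when the install runs.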
Better payload structure
The structure of the JSON payload has been improved to be more consistent (especially in how versions are managed per dependency).
The latest version of the scanner also corrects many inconsistencies in the management of authors and maintainers.
"author": {
  "name": "GENTILHOMME Thomas",
  "email": "gentilhomme.thomas@gmail.com"
},
"publishers": [
  {
    "name": "fraxken",
    "email": "gentilhomme.thomas@gmail.com",
    "version": "2.2.0",
    "at": "2021-11-11T18:18:06.891Z"
  }
],
"maintainers": [
  {
    "name": "kawacrepe",
    "email": "vincent.dhennin@viacesi.fr"
  },
  {
    "name": "fraxken",
    "email": "gentilhomme.thomas@gmail.com"
  },
  {
    "name": "tonygo",
    "email": "gorez.tony@gmail.com"
  }
]
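One thing this cleaner author/publisher/maintainer structure makes easy is a consistency check across releases. The following is an added example, not the scanner's own code: it flags a release whose publisher is not among the maintainers, or whose publisher e-mail differs from the one recorded for that maintainer name. The first payload is the block above; the second is a constructed variant with two suspicious publishers.

```javascript
// Added example, not the scanner's own code: it consumes the author / publishers /
// maintainers block of the new payload and flags releases whose publisher is not
// listed among the package maintainers, or publishes under a different e-mail
// than the one the maintainers list records for that name.

function normalizeEmail(email) {
  return typeof email === "string" ? email.trim().toLowerCase() : null;
}

function checkPublishers(meta) {
  const maintainerEmails = new Map();
  for (const maintainer of meta.maintainers ?? []) {
    maintainerEmails.set(maintainer.name, normalizeEmail(maintainer.email));
  }

  const findings = [];
  for (const publisher of meta.publishers ?? []) {
    if (!maintainerEmails.has(publisher.name)) {
      findings.push({
        kind: "publisher-not-maintainer",
        publisher: publisher.name,
        version: publisher.version,
        at: publisher.at
      });
      continue;
    }
    const expected = maintainerEmails.get(publisher.name);
    const got = normalizeEmail(publisher.email);
    if (expected !== null && got !== expected) {
      findings.push({ kind: "publisher-email-mismatch", publisher: publisher.name, version: publisher.version, expected, got });
    }
  }
  return findings;
}

// The block from the post: every publisher is a known maintainer, nothing to report.
const PAYLOAD_FROM_POST = {
  author: { name: "GENTILHOMME Thomas", email: "gentilhomme.thomas@gmail.com" },
  publishers: [
    { name: "fraxken", email: "gentilhomme.thomas@gmail.com", version: "2.2.0", at: "2021-11-11T18:18:06.891Z" }
  ],
  maintainers: [
    { name: "kawacrepe", email: "vincent.dhennin@viacesi.fr" },
    { name: "fraxken", email: "gentilhomme.thomas@gmail.com" },
    { name: "tonygo", email: "gorez.tony@gmail.com" }
  ]
};

// Constructed variant: one release pushed by an account outside the maintainers
// list and one pushed under a maintainer name with an unexpected e-mail.
const CONSTRUCTED_PAYLOAD = {
  ...PAYLOAD_FROM_POST,
  publishers: [
    ...PAYLOAD_FROM_POST.publishers,
    { name: "unknown-account", email: "someone@example.invalid", version: "2.2.1", at: "2021-12-01T00:00:00.000Z" },
    { name: "tonygo", email: "other@example.invalid", version: "2.3.0", at: "2021-12-02T00:00:00.000Z" }
  ]
};

console.log(checkPublishers(PAYLOAD_FROM_POST));   // no findings
console.log(checkPublishers(CONSTRUCTED_PAYLOAD)); // two findings
```

Neither finding proves anything on its own (maintainers change e-mails, and packages are handed over), but both are exactly the releases a reviewer should look at first.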
Brand new vulnerabilities management
We have already presented it, but we now use our own package, which retrieves vulnerabilities using several strategies (Security WG, npm audit, etc.).
NodeSecure / vulnera
Programmatically fetch security vulnerabilities with one or many strategies (NPM Audit, Sonatype, Snyk, Node.js DB).
The vuln-era has begun! Programmatically fetch security vulnerabilities with one or many strategies. Originally designed to run and analyze Scanner dependencies it now also runs independently from an npm Manifest.
Requirements
- Node.js v16 or higher
Getting Started
This package is available in the Node Package Repository and can be easily installed with npm or yarn.
$ npm i @nodesecure/vulnera
# or
$ yarn add @nodesecure/vulnera
Usage example
import * as vulnera from "@nodesecure/vulnera";

// Default strategy is currently "none".
await vulnera.setStrategy(vulnera.strategies.NPM_AUDIT);

const definition = await vulnera.getStrategy();
console.log(definition.strategy);

// Run the selected strategy against the project in the current directory
// and normalize the results to the NodeSecure standard format.
const vulnerabilities = await definition.getVulnerabilities(process.cwd(), {
  useStandardFormat: true
});
console.log(vulnerabilities);
Available strategy
The default strategy is NONE, which means…
This is just the beginning and I think it will soon be a fully featured project. Among the new features there is a new standard format dedicated to NodeSecure:
export interface StandardVulnerability {
  id?: string;
  origin: Origin;
  package: string;
  title: string;
  description?: string;
  url?: string;
  severity?: Severity;
  cves: string[];
  cvssVector?: string;
  cvssScore?: number;
  vulnerableRanges: string[];
  vulnerableVersions: string[];
  patchedVersions?: string;
  patches?: Patch[];
}
```
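The point of a shared format is that results from several strategies can be combined. The following is an added example, not vulnera's own code: it merges StandardVulnerability entries that describe the same flaw (same CVE id) from different origins, keeping the highest severity and CVSS score and recording every origin that reported it. The origin strings "npm" and "sonatype", the severity levels and the CVE ids are constructed placeholders, not values taken from vulnera's Origin and Severity types.

```javascript
// Added example, not vulnera's own code. When several strategies report the
// same flaw, the StandardVulnerability entries share a CVE id; this merges such
// entries, keeps the highest severity and CVSS score, and records every origin.
// Severity and origin strings ("npm", "sonatype") are assumptions about vulnera's
// Severity / Origin types; the CVE ids below are constructed placeholders.

const SEVERITY_RANK = { info: 0, low: 1, medium: 2, high: 3, critical: 4 };

function identityKey(vuln) {
  // Use the lexicographically first CVE as the identity; entries without a CVE
  // fall back to package + title and are therefore never merged across origins.
  return vuln.cves.length > 0 ? [...vuln.cves].sort()[0] : `${vuln.package}::${vuln.title}`;
}

function mergeVulnerabilities(list) {
  const merged = new Map();
  for (const vuln of list) {
    const key = identityKey(vuln);
    const current = merged.get(key);
    if (current === undefined) {
      // Copy the arrays so the input entries are never mutated.
      merged.set(key, {
        ...vuln,
        origins: [vuln.origin],
        cves: [...vuln.cves],
        vulnerableRanges: [...vuln.vulnerableRanges]
      });
      continue;
    }
    if (!current.origins.includes(vuln.origin)) current.origins.push(vuln.origin);
    for (const cve of vuln.cves) if (!current.cves.includes(cve)) current.cves.push(cve);
    for (const range of vuln.vulnerableRanges) if (!current.vulnerableRanges.includes(range)) current.vulnerableRanges.push(range);
    if ((SEVERITY_RANK[vuln.severity] ?? -1) > (SEVERITY_RANK[current.severity] ?? -1)) current.severity = vuln.severity;
    if ((vuln.cvssScore ?? -1) > (current.cvssScore ?? -1)) {
      current.cvssScore = vuln.cvssScore;
      current.cvssVector = vuln.cvssVector;
    }
  }
  // Most severe first, so a CI gate can look at the head of the list.
  return [...merged.values()].sort((a, b) => (SEVERITY_RANK[b.severity] ?? -1) - (SEVERITY_RANK[a.severity] ?? -1));
}

// Constructed sample: two strategies reporting the same flaw, plus one advisory without a CVE.
const SAMPLE_VULNERABILITIES = [
  { origin: "npm", package: "example-pkg", title: "Constructed advisory", cves: ["CVE-0000-00001"], severity: "high", cvssScore: 7.5, cvssVector: "CVSS:3.1/PLACEHOLDER", vulnerableRanges: ["<1.2.3"], vulnerableVersions: [] },
  { origin: "sonatype", package: "example-pkg", title: "Constructed advisory", cves: ["CVE-0000-00001"], severity: "critical", cvssScore: 9.1, cvssVector: "CVSS:3.1/PLACEHOLDER", vulnerableRanges: ["<1.2.3", "1.3.0"], vulnerableVersions: [] },
  { origin: "npm", package: "other-pkg", title: "Constructed advisory without CVE", cves: [], severity: "low", vulnerableRanges: ["<0.1.0"], vulnerableVersions: [] }
];

console.log(mergeVulnerabilities(SAMPLE_VULNERABILITIES));
```

Keying on a CVE is deliberate: advisory ids differ per database, while the CVE is the one identifier the strategies have in common, which is exactly why the standard format carries a `cves` array rather than a single database-specific id.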
Trojan source detection with JS-X-Ray 4.2.0
The new back-end uses version 4 of JS-X-Ray. In this latest release we added a warning for Trojan Source.
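To make the warning concrete, the following is an added example, not JS-X-Ray's code. Trojan Source hides logic with Unicode bidirectional control characters: the reviewer's editor reorders the displayed text while the engine executes the code points in file order. The check below reports every such character with its line and column; the sample source is constructed in the style of the published Trojan Source examples.

```javascript
// Added example, not JS-X-Ray's code. "Trojan Source" hides logic with Unicode
// bidirectional control characters: the reviewer's rendering reorders the text
// while the engine executes the code points in file order. Flagging every such
// character, with its position, is the check a linter or review bot wants.

const BIDI_CONTROLS = new Map([
  [0x202A, "LEFT-TO-RIGHT EMBEDDING"],
  [0x202B, "RIGHT-TO-LEFT EMBEDDING"],
  [0x202C, "POP DIRECTIONAL FORMATTING"],
  [0x202D, "LEFT-TO-RIGHT OVERRIDE"],
  [0x202E, "RIGHT-TO-LEFT OVERRIDE"],
  [0x2066, "LEFT-TO-RIGHT ISOLATE"],
  [0x2067, "RIGHT-TO-LEFT ISOLATE"],
  [0x2068, "FIRST STRONG ISOLATE"],
  [0x2069, "POP DIRECTIONAL ISOLATE"]
]);

function findBidiControls(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    let column = 0;
    for (const ch of text) { // iterate by code point, not by UTF-16 unit
      column += 1;
      const codePoint = ch.codePointAt(0);
      if (BIDI_CONTROLS.has(codePoint)) {
        findings.push({ line: index + 1, column, codePoint, name: BIDI_CONTROLS.get(codePoint) });
      }
    }
  });
  return findings;
}

function formatFinding(f) {
  return `${f.line}:${f.column} U+${f.codePoint.toString(16).toUpperCase()} ${f.name}`;
}

// Constructed sample in the style of the published Trojan Source examples: the
// controls make the string appear to close before a comment, so a reviewer reads
// a harmless `!= "user"` check, whereas the parser sees one longer string literal.
const CONSTRUCTED_SAMPLE = [
  'const accessLevel = "user";',
  'if (accessLevel != "user\u202E \u2066// Check if admin\u2069 \u2066") {',
  '  console.log("You are an admin.");',
  "}"
].join("\n");

for (const finding of findBidiControls(CONSTRUCTED_SAMPLE)) {
  console.log(formatFinding(finding));
}
```

Presence alone is enough to warn on: these characters have no legitimate use in JavaScript source outside string literals and comments, and even there a reviewer should be asked to confirm them.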
Documentation and tests
A lot of effort has been put into adding documentation and unit testing to all of the projects.
There is still a long way to go to make this even more accessible and you are welcome to help us.
What's next?
We are now working as a group on different topics. We have many ongoing projects/subjects:
- Specification of a configuration file for our projects.
- Better analysis and identification of authors and maintainers. See NodeSecure/authors.
- Creating new tools to be executed in CI.
- Working on the next Web UI (TypeScript + Catalyst).
Conclusion
We should be able to produce more frequent releases until the new UI comes.
Thanks again to the core contributors of the project without whom we would not have arrived here today!
See you soon for the release v0.10.0.