Hello,
Back for a different article than usual. This is the opportunity for me to talk about the NodeSecure project and to tell you what's new since the beginning of the year.
The project has grown significantly and we now have several active contributors. This opens up great opportunities for the organization and for our tools as a whole.
Above all, many thanks to everyone who takes part in this adventure. If you also follow the project and want to contribute and learn, do not hesitate.
Release 1.0.0
We have moved and renamed the main project. It became necessary to bring the project into the org so that everyone can discover our other tools.
It is now available on the NodeSecure GitHub organization under the name cli. The old package has been deprecated and the new release can be installed as @nodesecure/cli.
Changing the name was necessary. It all started with one tool, but NodeSecure is now a family of tools, contributors, etc.
This also marks the beginning of the first major release.
```shell
$ npm install -g @nodesecure/cli
```
NodeSecure/cli
JavaScript security CLI that allows you to deeply analyze the dependency tree of a given package or local Node.js project.
Node-Secure CLI
A Node.js CLI to deeply analyze the dependency tree of a given npm package or local Node.js app.
Features
- Run a static scan on every JavaScript file and sort out warnings (unsafe-regex, unsafe-import, etc.) and the complete list of required expressions and statements (files, Node.js modules, etc.).
- Return the complete composition of each package (extensions, files, tarball size, etc.).
- Package metadata from the npm registry API (number of releases, last publish date, maintainers, etc.).
- Search for license files in the tarball and return the SPDX expression conformance of each detected license.
- Link vulnerabilities from multiple sources such as GitHub Advisory, Sonatype or Snyk using Vulnera.
- Add flags (emojis) to each package version to easily identify well-known patterns and potential security threats.
- First-class support of open source security initiatives like OpenSSF Scorecard.
- Generate a security report (PDF).
Requirements
- Node.js v22 or higher
Getting
And by the way: this new release includes support for Workspaces with the cwd command.
NodeSecure ci
Remarkable work from Antoine, who has been actively working on the project for a good month. This will bring a whole new dimension to the NodeSecure project and meet at least some of the needs developers have long requested.
He wrote an article presenting the tool and explaining how to set it up; I recommend reading it:
Make your JavaScript project safer by using this workflow
Antoine Coulon for NodeSecure, Feb 1 '22
There is still work to do, so don't hesitate to come and contribute to this beautiful project, which promises a lot for the future.
NodeSecure/ci
NodeSecure tool enabling secured continuous integration
Secure Continuous Integration
Installation
This package is available in the Node Package Repository and can be easily installed with npm or yarn.
```shell
$ npm i @nodesecure/ci
# or
$ yarn add @nodesecure/ci
```
Getting Started
@nodesecure/ci brings together a set of tools to identify dependency vulnerabilities and track the most common malicious code and patterns.
Before going further, here is an overview of the available features depending on your project configuration:
| Static Analysis | Compatibility |
|---|---|
| JavaScript | Supported |
| TypeScript | Not directly (see below) |
Static Analysis is powered by @nodesecure/js-x-ray and @nodesecure/scanner.
For now, TypeScript can't be analyzed directly on the fly. However, as you might know, any transpiled TypeScript code is JavaScript code and hence can be analyzed. Moreover, it is recommended to launch the Static Analysis with a source code state as close as possible to the state of your production code (and before minification). In fact, you want to make sure that you are…
NodeSecure preview
Working on security accessibility for developers within the JavaScript ecosystem is important to us.
This is why Tony Gorez has taken it upon himself to design the Preview project, which will allow scanning npm packages online. We still have some difficulties putting it online, but we are working on it.
The goal of the project is to highlight some of the benefits and metrics reported by the NodeSecure tools and, why not, make more developers aware of security subjects.
NodeSecure/preview
Scan your node packages in your browser!
Caution
This project is not maintained anymore. We plan to implement a search mode in the NodeSecure CLI.
Preview
Light NodeSecure in browser
Find your package weaknesses!
Features
This project aims to help newcomers understand the benefits of NodeSecure.
- On-demand analysis
- Package size & dependency count
- Vulnerability flags
- Browser caching
- Powered by NodeSecure/scanner
Contributing
First, install dependencies:
```shell
$ npm i
```
Run the development server:
```shell
$ npm run dev
```
Open http://localhost:3000 with your browser to see the result.
Run e2e tests:
- First, install playwright.
```shell
$ npx playwright install
```
- Then, run the tests ^^
```shell
$ npm run test:e2e
```
Contributors
Thanks go to these wonderful people (emoji key):
License
MIT
In light of the recent events with Marak Squires, I think it is quite important to have some insight into the maintainers of the packages we use.
We must have better tools to warn developers in case of an incident like Faker, but also to highlight these maintainers, who also need funding.
This could also allow some developers to realize how dependent they are on certain projects and, why not, encourage them to contribute and help.
That's why we are working with Vincent Dhennin on a new package to optimize and fetch additional metadata about package authors.
NodeSecure/authors
DEPRECATED (replaced by @nodesecure/contact)
NodeSecure authors
Requirements
- Node.js v18 or higher
Getting Started
This package is available in the Node Package Repository and can be easily installed with npm or yarn.
```shell
$ npm i @nodesecure/authors
# or
$ yarn add @nodesecure/authors
```
Usage example
```javascript
import { extractAllAuthorsFromLibrary } from "@nodesecure/authors";

// Authors to flag in the result (matched against the metadata of the scanned packages)
const flaggedAuthors = [{ name: "Blake Embrey", email: "hello@blakeembrey.com" }];

// `library` is the package metadata to analyze (its construction is not shown in the README)
const authors = extractAllAuthorsFromLibrary(library, flaggedAuthors);

// Expect authors to follow this schema
// [
//   {
//     name: "Blake Embrey",
//     email: "hello@blakeembrey.com",
//     flagged: true,
//     packages: [
//       {
//         homepage: "https://github.com/blakeembrey/array-flatten",
//         spec: "array-flatten",
//         versions: "3.0.0",
//         isPublishers: false
//       },
//       {
//         homepage: "https://github.com/pillarjs/path-to-regexp#readme",
//         spec: "path-to-regexp",
//         versions: "6.2.0",
//         isPublishers: true
//       }
//     ]
//   }
// ]
```
API
TBC
Contributors
Thanks…
Our goal is to implement these improvements in future releases of Scanner. I'm excited about this because personally I like to get to know the maintainers of the packages I use.
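To make the schema above concrete, here is an added example (not the @nodesecure/authors implementation) that builds the same author/packages structure from constructed package metadata; the input shape (`author`, `publisher`, `homepage`, `version` per package) is an assumption for this illustration.

```javascript
// Constructed sample metadata for two packages (not real registry output).
const samplePackages = [
  {
    name: "array-flatten", version: "3.0.0",
    homepage: "https://github.com/blakeembrey/array-flatten",
    author: { name: "Blake Embrey", email: "hello@blakeembrey.com" },
    publisher: { name: "Release Bot", email: "ci@example.com" }
  },
  {
    name: "path-to-regexp", version: "6.2.0",
    homepage: "https://github.com/pillarjs/path-to-regexp#readme",
    author: { name: "Blake Embrey", email: "hello@blakeembrey.com" },
    publisher: { name: "Blake Embrey", email: "hello@blakeembrey.com" }
  }
];

// Aggregate every author/publisher by e-mail and mark the ones present in `flaggedAuthors`.
// `isPublishers` tells whether that person actually published the version, which is the
// signal a reviewer wants when a maintainer change or takeover is suspected.
function extractAuthors(packages, flaggedAuthors = []) {
  const flagged = new Set(flaggedAuthors.map((a) => a.email.toLowerCase()));
  const byEmail = new Map();
  for (const pkg of packages) {
    const publisherEmail = pkg.publisher?.email?.toLowerCase();
    for (const person of [pkg.author, pkg.publisher].filter(Boolean)) {
      const email = person.email.toLowerCase();
      if (!byEmail.has(email)) {
        byEmail.set(email, { name: person.name, email, flagged: flagged.has(email), packages: [] });
      }
      const entry = byEmail.get(email);
      // A person who is both author and publisher of a package is listed once for it.
      if (entry.packages.some((p) => p.spec === pkg.name)) continue;
      entry.packages.push({
        homepage: pkg.homepage,
        spec: pkg.name,
        versions: pkg.version,
        isPublishers: publisherEmail === email
      });
    }
  }
  return [...byEmail.values()];
}
```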
NodeSecure RC
We are working on adding a runtime configuration for our tools (especially the CI project).
```typescript
import assert from "node:assert/strict";
import * as RC from "@nodesecure/rc";

// Update only the `version` field of the existing runtime configuration
const writeOpts: RC.writeOptions = {
  payload: { version: "2.0.0" },
  partialUpdate: true
};

// write() returns a Result; unwrap() throws if the write failed
const result = (
  await RC.write(void 0, writeOpts)
).unwrap();
assert.strictEqual(result, void 0);
```
This should improve the experience for many of our tools where we had a CLI with complex settings and commands, or a pseudo-configuration inside the project (like report).
That's it for this article. We continue to work and to listen to your feedback to improve our tools.
See you soon for another article.
Best Regards,
Thomas