Skip to content

Latest commit

 

History

History
128 lines (90 loc) · 5.25 KB

README.md

File metadata and controls

128 lines (90 loc) · 5.25 KB

NPM Security Fetcher (WIP)

a Node.js CLI created to simplify the analysis of npm registry packages.

npm version license ossf scorecard

About

I personally created this project to analyze npm packages by various criteria (popularity etc). Most researchers re-create the same codes over and over again and I thought it might be nice to have a CLI and various methods to simplify our lives.

Features

  • Pull packages from the npm registry by divers criteria.
  • Offers you various methods to read and extract information from the npm tarball.
  • Functionalities can be extended

Requirements

Getting Started

This package is available in the Node Package Repository and can be easily installed with npm or yarn.

$ npm i npm-security-fetcher -g

or

$ git clone https://github.com/fraxken/npm-security-fetcher.git
$ cd npm-security-fetcher
$ npm ci
$ npm link

Then the nsf binary will be available in your terminal.

$ nsf --help

Usage example

The first step is to create a javascript file with three methods:

  • init (run before fetching and extracting packages from the npm registry).
  • run (called for each downloaded npm packages).
  • close (run at the end when there is no more packages to fetch).

This script must use the latest Node.js ESM (it also support top-level-await).

import path from "path";

export async function init() {
  const baseDir = path.join(process.cwd(), "results");

  return { baseDir }; // <-- init and return context object!
}

export async function close(ctx) {
  console.log("close triggered");
}

export async function run(ctx, { name, location, root }) {
  console.log(ctx.baseDir);
  console.log(`handle package name: ${name}, location: ${location}`);
}

There is no restriction on the nature of the context.

After editing your file you can run your script as follows

$ nsf npm myfile.js

The root folder "example" contains real world examples that are used (for js-x-ray etc).

Contributors ✨

All Contributors

Thanks goes to these wonderful people (emoji key):

Gentilhomme
Gentilhomme

💻 📖 👀 🛡️ 🐛
Nicolas Hallaert
Nicolas Hallaert

📖
WildCöde
WildCöde

💻
Kouadio Fabrice Nguessan
Kouadio Fabrice Nguessan

🚧

License

MIT