Secure-Supply-Chain
npm-package-repro
Secure-Supply-Chain | npm-package-repro | |
---|---|---|
2 | 2 | |
27 | 1 | |
- | - | |
1.8 | 5.1 | |
over 2 years ago | over 2 years ago | |
JavaScript | ||
MIT License | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Secure-Supply-Chain
- Microsoft Secure-Supply-Chain – Improving OSS Provenance
-
NPM package ‘ua-parser-JS’ with more than 7M weekly download is compromised
Semi-related: Microsoft is going to be (or has begun) checking for differences between published npm packages and their source control.
I got a PR in my repository a few days ago leading back to a team trying to make it easier for packages to be reproducible from source https://github.com/microsoft/Secure-Supply-Chain
npm-package-repro
-
Mischievous NPM Publications
I went a different route with my "malicious" NPM package. See if you can figure it out [1].
Years ago I played around with the idea of verifying that a npm package is the same code found from the source repo [2]. Because there is often a build step, that requires trying to reproduce the building of any arbitrary package, and flagging when there is any delta between the build output and the code distributed via NPM. In more reasonable package managers, this is true by default given that you provide the source code and the package manager builds it for you ... as opposed to NPM, which just asks for the executable code directly.
[1] https://github.com/connorjclark/totally-fair-rng
[2] https://github.com/connorjclark/npm-package-repro
-
NPM package ‘ua-parser-JS’ with more than 7M weekly download is compromised
I couldn't find the code, so I just started over. Haven't hosted it anywhere yet.
https://github.com/connorjclark/npm-package-repro
What are some alternatives?
goggles.mozilla.org - Update: This project is no longer maintained and has been archived. See https://foundation.mozilla.org/blog/putting-away-our-x-ray-goggles/ for more information.
node-ffi-napi - A foreign function interface (FFI) for Node.js, N-API style
handlebars-helpers - 188 handlebars helpers in ~20 categories. Can be used with Assemble, Ghost, YUI, express.js etc.
esprima - ECMAScript parsing infrastructure for multipurpose analysis
ua-parser-js - UAParser.js - Free & open-source JavaScript library to detect user's Browser, Engine, OS, CPU, and Device type/model. Runs either in browser (client-side) or node.js (server-side).
deno - A modern runtime for JavaScript and TypeScript.
frontend