Ask HN: How do you (security) audit external software using NPM packages?

This page summarizes the projects mentioned and recommended in the original post on

Our great sponsors
  • Appwrite - The Open Source Firebase alternative introduces iOS support
  • InfluxDB - Access the most powerful time series database as a service
  • Sonar - Write Clean JavaScript Code. Always.
  • is-buffer

    Determine if an object is a Buffer

    Yes, in this case I would put something like this on top of the file:

        # Fork by TekMol of

  • trivy

    Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

    We've been using trivy [1] to audit the container builds we've been producing for a relatively security focussed project. As well as scanning for OS package level vulnerabilities it also scans for reported vulnerabilities in NPM packages. Works well for us.

    But the other complementary approach is to lock down other things - so for example, if you're running in a container, make sure that container can only talk to the proxy in front of it. That way, even if there was some kind of malicious code running in one of the modules, there's no way for any data to get in or out (unless it finds a way of injecting into any web input/output, but then you need to be scanning for that too)


  • Appwrite

    Appwrite - The Open Source Firebase alternative introduces iOS support . Appwrite is an open source backend server that helps you build native iOS applications much faster with realtime APIs for authentication, databases, files storage, cloud functions and much more!

  • isBuffer

    I am actually never sure how to properly do this. Would the next forker write the following then?

        # Fork by Joe of

  • ncc

    Compile a Node.js project into a single file. Supports TypeScript, binary addons, dynamic requires.

    This may be slightly tangential but I recently discovered ncc[1] from vercel which can take a single node project and compile it and all dependencies to a single file.

    As an added benefit it also collapses all contained dependencies license files into a single licenses.txt file too!

    - [1]

  • byrnesjs

    A JS library to push less trusted code outside Jack's Circle of Trust

    So I wrote which allow-lists privileged functions to only trusted code. If untrusted code is in the stack then those function calls will be blocked.

  • InfluxDB

    Access the most powerful time series database as a service. Ingest, store, & analyze all types of time series data in a fully-managed, purpose-built database. Keep data forever with low-cost storage and superior data compression.

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts