Ask HN: How do you (security) audit external software using NPM packages?

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • is-buffer

    Determine if an object is a Buffer

  • Yes, in this case I would put something like this on top of the file:

        # Fork by TekMol of https://github.com/feross/is-buffer

  • trivy

    Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

  • We've been using trivy [1] to audit the container builds we've been producing for a relatively security focussed project. As well as scanning for OS package level vulnerabilities it also scans for reported vulnerabilities in NPM packages. Works well for us.

    But the other complementary approach is to lock down other things - so for example, if you're running in a container, make sure that container can only talk to the proxy in front of it. That way, even if there was some kind of malicious code running in one of the modules, there's no way for any data to get in or out (unless it finds a way of injecting into any web input/output, but then you need to be scanning for that too).

    [1] https://github.com/aquasecurity/trivy

  • isBuffer

  • I am actually never sure how to properly do this. Would the next forker write the following then?

        # Fork by Joe of https://github.com/tekmol/isBuffer

  • ncc

    Compile a Node.js project into a single file. Supports TypeScript, binary addons, dynamic requires.

  • This may be slightly tangential but I recently discovered ncc [1] from vercel which can take a single node project and compile it and all dependencies to a single file.

    As an added benefit it also collapses all contained dependencies' license files into a single licenses.txt file too!

    [1] https://github.com/vercel/ncc

  • byrnesjs

    A JS library to push less trusted code outside Jack's Circle of Trust

  • So I wrote https://github.com/ashward/byrnesjs which allow-lists privileged functions to only trusted code. If untrusted code is in the stack then those function calls will be blocked.
