npm-lint

A linter for npm & node package.json files with a focus on dependency security (by tanepiper)
Add to my DEV experience Linter linting-rules Npm npm-scripts NodeJS Security security-tools dependency-analysis
Source Code
npm-lint Reviews
Suggest alternative
Edit details
The modern identity platform for B2B SaaS
The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
workos.com
Sponsored

Npm-lint Alternatives

Similar projects and alternatives to npm-lint

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a better npm-lint alternative or higher similarity.
Suggest an alternative to npm-lint

npm-lint reviews and mentions

Posts with mentions or reviews of npm-lint. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2023-06-27.
  • JavaScript registry NPM vulnerable to 'manifest confusion' abuse
    3 projects | news.ycombinator.com | 27 Jun 2023
    That postinstall and other scripts have been a problem for a long time - the PoC for example could be installed via npx, which would then run postinstall which executes another script to steal /etc/password data.

    This is not a new problem, you just have another vector.

    I came up with a free linter package to try solve it - but no one seemed interested, and here we are 7 later talking about where people are now offering paid services to mitigate it.

    https://github.com/tanepiper/npm-lint

  • Dissecting Npm Malware: Five Packages And Their Evil Install Scripts
    4 projects | /r/javascript | 18 Apr 2023
    Also ended up writing a similar tool but didn't take it much further.
  • npm package to upload your private ssh keys to a pastebin
    3 projects | /r/javascript | 18 Mar 2022
    I did try come up with a npm linter but never really completed it.
  • Getting rid of NPM scripts
    4 projects | news.ycombinator.com | 26 Dec 2020
    A while back I wrote a opt-in tool called npl-lint[1] that would allow some CI-level enforcement of rules in package.json although I didn't go too far with it - one thing was to check the scripts section and allow whitelisted apps, or whitelisted sources for dependencies.

    It came about because I ended up having a spat with one of the NPM engineers at the time because they launched npx with the ability to run arbitrary gists[2] and this was before 2FA (FWIW you can still absolutely do this with npx).

    I wrote a proof of concept[3] that showed you could, inside a package.json add a command to install another package from a gist location, and then use that to steal credentials, bash history, etc.

    [1] https://github.com/tanepiper/npm-lint

  • A note from our sponsor - WorkOS
    workos.com | 24 Apr 2024
    The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning. Learn more →

Stats

Basic npm-lint repo stats
4
26
0.0
about 4 years ago

tanepiper/npm-lint is an open source project licensed under MIT License which is an OSI approved license.

The primary programming language of npm-lint is TypeScript.

Popular Comparisons

  1. npm-lint VS ultra-runner
  2. npm-lint VS pnpm
  3. npm-lint VS steal-ur-stuff
  4. npm-lint VS actual-malware

Sponsored
The modern identity platform for B2B SaaS
The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
workos.com