The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning. Learn more →
Npm-lint Alternatives
Similar projects and alternatives to npm-lint
-
SurveyJS
Open-Source JSON Form Builder to Create Dynamic Forms Right in Your App. With SurveyJS form UI libraries, you can build and style forms in a fully-integrated drag & drop form builder, render them in your JS app, and store form submission data in any backend, inc. PHP, ASP.NET Core, and Node.js.
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
npm-lint reviews and mentions
-
JavaScript registry NPM vulnerable to 'manifest confusion' abuse
That postinstall and other scripts have been a problem for a long time - the PoC for example could be installed via npx, which would then run postinstall which executes another script to steal /etc/password data.
This is not a new problem, you just have another vector.
I came up with a free linter package to try solve it - but no one seemed interested, and here we are 7 later talking about where people are now offering paid services to mitigate it.
https://github.com/tanepiper/npm-lint
-
Dissecting Npm Malware: Five Packages And Their Evil Install Scripts
Also ended up writing a similar tool but didn't take it much further.
-
npm package to upload your private ssh keys to a pastebin
I did try come up with a npm linter but never really completed it.
-
Getting rid of NPM scripts
A while back I wrote a opt-in tool called npl-lint[1] that would allow some CI-level enforcement of rules in package.json although I didn't go too far with it - one thing was to check the scripts section and allow whitelisted apps, or whitelisted sources for dependencies.
It came about because I ended up having a spat with one of the NPM engineers at the time because they launched npx with the ability to run arbitrary gists[2] and this was before 2FA (FWIW you can still absolutely do this with npx).
I wrote a proof of concept[3] that showed you could, inside a package.json add a command to install another package from a gist location, and then use that to steal credentials, bash history, etc.
[1] https://github.com/tanepiper/npm-lint
-
A note from our sponsor - WorkOS
workos.com | 24 Apr 2024
Stats
tanepiper/npm-lint is an open source project licensed under MIT License which is an OSI approved license.
The primary programming language of npm-lint is TypeScript.
Popular Comparisons
Sponsored