@npm-breach/check 1.0.0 ā 1.0.2
- package/README.md +14 -11
- package/lib/index.js +4 -0
- package/lib/utils/versionChecker.js +33 -0
- package/package.json +2 -2
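--- a/package/README.md
+++ b/package/README.md
@@ -1,10 +1,10 @@
 # NPM Breach Check
 
-
+**Security-focused CLI tool to detect potentially vulnerable packages in your Node.js applications**
 
 A lightweight command-line scanner that checks for known vulnerable packages in your dependency tree. Help protect your applications by identifying packages that may pose security risks.
 
-##
+## Quick Start
 
 ```bash
 # Install globally
@@ -14,12 +14,15 @@ npm install -g @npm-breach/check
 npm-breach-check
 ```
 
-##
+## Usage
 
 ```bash
 # Scan all packages in your project (default)
 npm-breach-check
 
+# Check a specific package and version
+npm-breach-check check-package lodash "^4.17.20"
+
 # List all monitored packages
 npm-breach-check list
 
@@ -27,7 +30,7 @@ npm-breach-check list
 npm-breach-check help
 ```
 
-##
+## Example Output
 
 ```
 Summary:
@@ -56,11 +59,11 @@ Used but not affected:
 ā error-ex@1.3.4 (affected: 1.3.3)
 ```
 
--
--
--
+- **Affected versions** - Vulnerable packages found (need immediate attention)
+- **Used but not affected** - Packages installed but in safe versions
+- **Not used in project** - Packages not installed (you're safe)
 
-##
+## Features
 
 - **Zero Configuration** - Works out of the box
 - **Lightweight** - Only one dependency (`semver`)
@@ -68,7 +71,7 @@ Used but not affected:
 - **Semantic Versioning** - Supports version ranges (`^`, `~`, `>=`, etc.)
 - **Dependency Tree Analysis** - Deep scanning with `npm ls`
 
-##
+## What It Checks
 
 This tool monitors a curated list of packages known to have security considerations, including:
 
@@ -80,7 +83,7 @@ This tool monitors a curated list of packages known to have security considerati
 
 Run `npm-breach-check list` to see the complete monitored package list.
 
-##
+## Contributing
 
 We welcome contributions to improve package security monitoring!
 
@@ -108,7 +111,7 @@ npm install
 npm link
 ```
 
-##
+## License
 
 MIT Ā© Contributors
 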
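--- a/package/lib/index.js
+++ b/package/lib/index.js
@@ -5,6 +5,10 @@ const { checkSpecificPackage } = require('./commands/checkPackage');
 const { listPackages } = require('./commands/list');
 const { showHelp, showVersion } = require('./commands/help');
 const { colorize } = require('./utils/colors');
+const { checkForUpdates } = require('./utils/versionChecker');
+
+// Check for updates before running commands (async, non-blocking)
+checkForUpdates();
 
 // Parse command line arguments
 const args = process.argv.slice(2);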
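Review bot: The comment on new line 10, `// Check for updates before running commands (async, non-blocking)`, does not match what the callee does: `checkForUpdates` in lib/utils/versionChecker.js (the new file in this same diff) runs `execSync`, so every CLI invocation blocks on a registry round-trip for up to the 3 s timeout before `process.argv` is even parsed, and the promise it returns is dropped rather than awaited. If the synchronous behaviour is intended, reword the comment to `// Check for updates before running commands (synchronous: blocks up to 3 s, errors ignored)`; otherwise make the check genuinely asynchronous and print the notice once the command has finished, so a slow or unreachable registry cannot delay the scan itself. The rest of the module's startup statements continue outside the hunk.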
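--- /dev/null
+++ b/package/lib/utils/versionChecker.js
@@ -0,0 +1,33 @@
+const { execSync } = require('child_process');
+const semver = require('semver');
+const fs = require('fs');
+const path = require('path');
+const { colorize } = require('./colors');
+
+async function checkForUpdates() {
+  try {
+    // Get current version from package.json
+    const packageJsonPath = path.join(__dirname, '..', '..', 'package.json');
+    const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
+    const currentVersion = packageJson.version;
+
+    // Check latest version from npm registry
+    const latestVersionOutput = execSync('npm view @npm-breach/check version', {
+      encoding: 'utf8',
+      stdio: 'pipe',
+      timeout: 3000 // 3 second timeout
+    }).trim();
+
+    if (semver.gt(latestVersionOutput, currentVersion)) {
+      console.log(colorize('\nā Update available!', 'yellow'));
+      console.log(colorize(` Current version: ${currentVersion}`, 'gray'));
+      console.log(colorize(` Latest version: ${latestVersionOutput}`, 'green'));
+      console.log(colorize(' Run: npm install -g @npm-breach/check@latest\n', 'cyan'));
+    }
+  } catch (error) {
+    // Silently fail - don't interrupt the main functionality
+    // Version check is not critical
+  }
+}
+
+module.exports = { checkForUpdates };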
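Review bot: `checkForUpdates` contacts the registry on every run with no opt-out, and the string returned by `npm view` is fed straight into `semver.gt`, whose only failure mode for unexpected output is a thrown TypeError that the empty catch hides together with timeouts and network errors. For a security scanner that is also run unattended in CI, add an early `if (process.env.CI || process.env.NO_UPDATE_NOTIFIER) return;` and reject anything that is not a version string with `if (!semver.valid(latestVersionOutput)) return;` before the comparison. Switching from `execSync` to the asynchronous `execFile` form also removes the shell indirection and the event-loop block that the index.js comment claims is not there; a sketch follows.
```javascript
const { execFile } = require('child_process');
const { promisify } = require('util');
const execFileAsync = promisify(execFile);
// … unchanged: semver, fs, path, colorize requires …

async function checkForUpdates() {
  // Skip the registry round-trip in CI and when the user has opted out
  if (process.env.CI || process.env.NO_UPDATE_NOTIFIER) return;
  try {
    // … unchanged: read currentVersion from package.json …
    const { stdout } = await execFileAsync('npm', ['view', '@npm-breach/check', 'version'], {
      encoding: 'utf8',
      timeout: 3000, // 3 second timeout
    });
    const latestVersionOutput = stdout.trim();
    // Registry output is external input: only compare a well-formed version string
    if (!semver.valid(latestVersionOutput)) return;
    // … unchanged: semver.gt comparison, update banner, catch block …
```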
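--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@npm-breach/check",
-  "version": "1.0.
+  "version": "1.0.2",
   "description": "Security-focused CLI tool to detect potentially vulnerable packages in your Node.js applications",
   "main": "lib/index.js",
   "bin": {
@@ -13,7 +13,7 @@
   "keywords": [
     "security",
     "vulnerability",
-    "scanner",
+    "scanner",
     "cli",
     "npm",
     "package-checker",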