Check date of a Node project dependencies to ensure there is no too recent dependency.
The reasoning behind such check is to allow only packages that are old enough to be already used by a broad community of JS Developer. And specifically, to avoid a Supply Chain Attack through an update of a package with a malicious code. It’s expected that a malicious package doesn’t live long before getting noticed by someone. In most cases such attacks make most damage in first few days after publishing. So the Paranoid.js tries to minimize a chance of executing/using a package during this time.
Paranoid.js:
-
Verifies all dependencies of a Node project
-
Including all subsequent dependencies
-
By downloading package manifests from NPM registry
-
And checking the date of publication
-
Exiting with an error if a package is too recent
Paranoid.js uses information from NPM API, so it can be used without running a npm install.
That’s an important moment because a malicious code can run its code during a package installation, which we want to avoid.
|
Note
|
There is no 100% protection from Supply Attack. Paranoid.js gives additional protection against common attacks, but cannot protect from all. The software is provides AS IS without any warranties. |
npm install -g @emeraldpay/paranoid-js
Usage: index [options] <path> Arguments: path path to project directory Options: -V, --version output the version number -c, --config <path> use specified path to config file -a, --allow <allow> comma separated list of allowed packages with version spec (<package>@<spec>) -d, --deny <deny> comma separated list of denied packages with version spec (<package>@<spec>) -e, --exclude <exclude> comma separated list of exclude packages from validating -i, --include <include> comma separated list of include packages from validating -m, --minDays <days> minimum days after publish (default 14) -j, --json display output as JSON -p, --production if it possible, then check specified version from lock file -u, --unsafe return only unsafe packages --debug show debug messages --allowFrom <allow> comma separated list of allowed packages with install date (<package>:<date>) --excludeDev exclude development dependencies for validation (ignored for Yarn projects only) --ignoreConfig ignore config file, even if used specified path --ignoreOptions <options> comma separated list of options to ignore from config file --mode <mode> validation mode (choices: "common", "extend", "strict") -h, --help display help for command
$ node ./app/index.js /path/to/project --unsafe info: Start loading dependency list... info: Retrieving packages metadata... info: Validate dependencies... warn: Package graceful-fs:4.2.10 is not safe (15 day(s) since last publish) warn: Package https-proxy-agent:5.0.1 is not safe (5 day(s) since last publish)
Paranoid.js is provided to You "AS IS" and with all faults and defects without warranty of any kind.
To the maximum extent permitted under applicable law, EmeraldPay, Inc, on its own behalf and on behalf of its affiliates and its and their respective licensors and service providers, expressly disclaims all warranties, whether express, implied, statutory or otherwise, with respect to the Paranoid.js, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement, and warranties that may arise out of course of dealing, course of performance, usage or trade practice. Without limitation to the foregoing, EmeraldPay, Inc provides no warranty or undertaking, and makes no representation of any kind that the Paranoid.js will meet your requirements, achieve any intended results, be compatible or work with any other software, applications, systems or services, operate without interruption, meet any performance or reliability standards or be error free or that any errors or defects can or will be corrected.
Copyright 2022 EmeraldPay, Inc
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.