Hacker News new | ask | show | jobs
by indigodaddy 273 days ago
Anyone know of a published tool/script to check for the existence of any of the vulnerable npm packages? I don't see anything like that in the stepsecurity page.
2 comments
retlehs 273 days ago
This won’t protect against everything, but it still seems like a good idea to implement:

https://github.com/danielroe/provenance-action

link
indigodaddy 273 days ago
Yep I did see that, but I'm not planning on pushing anything, just want a tool to scan for any of the offending packages. Could make my own but feel like somebody must have already made something (and probably better than I can)
link
dflock 273 days ago
- [supply-chain-security · GitHub Topics · GitHub](https://github.com/topics/supply-chain-security)

- [GitHub - safedep/vet: Protect against malicious open source packages](https://github.com/safedep/vet)

- [GitHub - AikidoSec/safe-chain](https://github.com/AikidoSec/safe-chain)

- npm audit

link
indigodaddy 273 days ago
vet and safe-chain look good thanks! I'm just dabbling with Node only (no experience really), so haven't used npm audit but will see how that works too. Appreciate the links.
link
sibeliuss 273 days ago
`npm audit` for known issues
link