@nodesecure/mama
Advanced tools
Manifest Manager
This package is available in the Node Package Repository and can be easily installed with npm or yarn.
$ npm i @nodesecure/mama
# or
$ yarn add @nodesecure/mama
import { ManifestManager } from "@nodesecure/mama";
const mama = await ManifestManager.fromPackageJSON(
process.cwd()
);
console.log(mama.document);
console.log(mama.integrity);
Load a new instance using a package.json from the filesystem.
The location parameter can either be a full path or the path to the directory where the package.json is located.
type ManifestManagerDocument =
PackageJSON |
WorkspacesPackageJSON |
PackumentVersion;
Default values are injected if they are not present in the document. This behavior is necessary for the correct operation of certain functions, such as integrity recovery.
{
dependencies: {},
devDependencies: {},
scripts: {},
gypfile: false
}
[!NOTE] document is deep cloned (there will no longer be any reference to the object supplied as an argument)
Deeply extract entry files from package main and Node.js exports fields.
Return the type of the module
type PackageModuleType = "dts" | "faux" | "dual" | "esm" | "cjs";
Return the NPM specification (which is the combinaison of name@version).
[!CAUTION] This property may not be available for Workspaces (if 'name' or 'version' properties are missing, it will throw an error).
Return an integrity hash (which is a string) of the following properties:
{
name,
version,
dependencies,
license: license ?? "NONE",
scripts
}
If dependencies and scripts are missing, they are defaulted to an empty object {}
[!CAUTION] This is not available for Workspaces
Return the author parsed as a Contact (or null if the property is missing).
interface Contact {
email?: string;
url?: string;
name: string;
}
Return the (dev) dependencies as an Array (of string)
{
"dependencies": {
"kleur": "1.0.0"
}
}
The above JSON will produce ["kleur"]
Return true if workspaces property is present
[!NOTE] Workspace are described by the interface
WorkspacesPackageJSON(from @nodesecure/npm-types)
Return true if version is starting with 0.x
Since we've created this package for security purposes, the instance contains various flags indicating threats detected in the content:
node-gyp.install, preinstall, postinstall...import assert from "node:assert";
const mama = new ManifestManager({
name: "hello",
version: "1.0.0",
scripts: {
postinstall: "node malicious.js"
}
});
assert.ok(mama.flags.hasUnsafeScripts);
The flags property is sealed (It is not possible to extend the list of flags)
[!IMPORTANT] Read more about unsafe scripts here
FAQs
Manifest Manager
The npm package @nodesecure/mama receives a total of 276 weekly downloads. As such, @nodesecure/mama popularity was classified as not popular.
We found that @nodesecure/mama demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
/Security News
Chrome extension CL Suite by @CLMasters neutralizes 2FA for Facebook and Meta Business accounts while exfiltrating Business Manager contact and analytics data.
Security News
After Matplotlib rejected an AI-written PR, the agent fired back with a blog post, igniting debate over AI contributions and maintainer burden.
Security News
HashiCorp disclosed a high-severity RCE in next-mdx-remote affecting versions 4.3.0 to 5.x when compiling untrusted MDX on the server.