libnpmaccess
Advanced tools
The libnpmaccess package is a Node.js library that provides programmatic access to the npm access control features. It allows you to manage package access permissions, such as granting or revoking access to npm packages for different users or teams.
Grant Access
This feature grants a team permission on a specific npm package. In the code sample, 'read-write' (publish) permission on '@myorg/my-package' is granted to the team 'myorg:developers'. The registry only accepts teams in scope:team form, so permission for an individual user cannot be granted this way.
const access = require('libnpmaccess');
// Every libnpmaccess call needs registry credentials; read the token from the environment.
const opts = { '//registry.npmjs.org/:_authToken': process.env.NPM_TOKEN };
async function grantAccess() {
  // setPermissions(team, spec, permissions, opts): the package must be scoped to the team's org.
  await access.setPermissions('myorg:developers', '@myorg/my-package', 'read-write', opts);
  console.log('Access granted');
}
grantAccess().catch((err) => { console.error(err); process.exitCode = 1; });
Revoke Access
This feature revokes a team's permission on a specific npm package. In the code sample, the team 'myorg:developers' loses its permission on '@myorg/my-package'.
const access = require('libnpmaccess');
const opts = { '//registry.npmjs.org/:_authToken': process.env.NPM_TOKEN };
async function revokeAccess() {
  // removePermissions(team, spec, opts): team first, then the package spec.
  await access.removePermissions('myorg:developers', '@myorg/my-package', opts);
  console.log('Access revoked');
}
revokeAccess().catch((err) => { console.error(err); process.exitCode = 1; });
List Access
This feature lists the collaborators on a specific npm package together with their permission levels. In the code sample, the collaborators on '@myorg/my-package' are listed.
const access = require('libnpmaccess');
const opts = { '//registry.npmjs.org/:_authToken': process.env.NPM_TOKEN };
async function listAccess() {
  // getCollaborators(spec, opts) resolves to each collaborator and its permission level.
  const collaborators = await access.getCollaborators('@myorg/my-package', opts);
  console.log(collaborators);
}
listAccess().catch((err) => { console.error(err); process.exitCode = 1; });
The npm CLI itself provides commands for managing access control, such as `npm access grant` and `npm access revoke`. While libnpmaccess offers programmatic access, the npm CLI is better suited to command-line operations.
The np package is a streamlined tool for publishing npm packages. It includes some access control features but is primarily focused on simplifying the publishing process. It does not offer the same level of granularity in access control as libnpmaccess.
The npm-cli-login package is used for programmatically logging into npm. While it does not manage access control, it is often used in conjunction with other tools that do. It complements libnpmaccess by handling authentication.
libnpmaccess is a Node.js library that provides programmatic access to the guts of the npm CLI's npm access command. This includes managing account mfa settings, listing packages and permissions, looking at package collaborators, and defining package permissions for users, orgs, and teams.
const access = require('libnpmaccess')
// Registry credentials are passed in opts and forwarded to npm-registry-fetch.
const opts = { '//registry.npmjs.org/:_authToken': 'npm_token' }
// List all packages @zkat has access to on the npm registry.
console.log(Object.keys(await access.getPackages('zkat', opts)))
opts parameter for all libnpmaccess commands
libnpmaccess uses npm-registry-fetch. All options are passed through directly to that library, so please refer to its own opts documentation for options that can be passed in.
spec parameter for all libnpmaccess commands
spec must be an npm-package-arg-compatible registry spec.
access.getCollaborators(spec, opts) -> Promise<Object>
Gets collaborators for a given package.
access.getPackages(user|scope|team, opts) -> Promise<Object>
Gets all packages for a given user, scope, or team. Teams should be in the format scope:team or @scope:team. Users and scopes can be in the format @scope or scope.
access.getVisibility(spec, opts) -> Promise<Object>
Gets the visibility of a given package.
access.removePermissions(team, spec, opts) -> Promise<Boolean>
Removes the access for a given team to a package. Teams should be in the format scope:team or @scope:team.
access.setAccess(package, access, opts) -> Promise<Boolean>
Sets access level for package described by spec. The npm registry accepts the following access levels:
public: package is public
private: package is private
The npm registry also only allows scoped packages to have their access level set.
Sets the publishing mfa requirements for a given package. Level must be one of the following:
none: mfa is not required to publish this package.
publish: mfa is required to publish this package; automation tokens cannot be used to publish.
automation: mfa is required to publish this package; automation tokens may also be used for publishing from continuous integration workflows.
Sets permissions levels for a given team to a package. Teams should be in the format scope:team or @scope:team. The npm registry accepts the following permissions:
read-only: Read only permissions
read-write: Read and write (aka publish) permissions
FAQs
programmatic library for `npm access` commands
We found that libnpmaccess demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 6 open source maintainers collaborating on the project.