Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
nlf is a utility for attempting to identify the licenses of modules in a node.js project.
It looks for license information in package.json, readme and license files in the project. Please note, in many cases the utility is looking for standard strings in these files, such as MIT, BSD, Apache, GPL etc - this is not error free, so if you have any concerns at all about the accuracy of the results, you will need to perform a detailed manual review of the project and its dependencies, reading all terms of any included or referenced license.
nlf can be used programmatically, or from the command line.
-c
, --csv
(Default:false) - output in csv format-d
, --no-dev
(Default:false) - exclude development dependencies-r
, --reach
(Default: Infinity) - package depth (reach), 0 is current package.json file only-s
, --summary off|simple|detail
(Default: simple) - summary information, not available in csv formatTo install:
$ npm install -g nlf
To use:
$ cd my-module
$ nlf
Example output:
archy@0.0.2 [license(s): MIT/X11] └── package.json: MIT/X11 commander@0.6.1 [license(s): MIT] └── readme files: MIT glob@3.2.3 [license(s): BSD] ├── package.json: BSD └── license files: BSD json-stringify-safe@5.0.0 [license(s): BSD] ├── package.json: BSD └── license files: BSD read-installed@0.2.2 [license(s): BSD] └── license files: BSD should@1.2.2 [license(s): MIT] └── readme files: MIT LICENSES: BSD, MIT, MIT/X11
For output in CSV format use the -c (or --csv) switch:
$ cd my-module
$ nlf -c
To exclude development dependencies and only analyze dependencies for production:
$ cd my-module
$ nlf -d
--summary <mode>
option, which can be set to "off", "simple" or "detail". This option controls what will be printed in summary in standard format.
off
turns off summary outputsimple
shows a list of licenses used in the project, the default behaviordetail
shows all modules in current project and group by licenses. As example below:LICENSES:
├─┬ BSD
│ ├── amdefine@1.0.0
│ ├── boom@0.4.2
│ ├── cryptiles@0.2.2
│ └── diff@1.4.0
├─┬ BSD-2-Clause
│ └── normalize-package-data@2.3.5
├─┬ Apache-2.0
│ ├── request@2.40.0
│ ├── spdx-correct@1.0.2
│ └── validate-npm-package-license@3.0.1
├─┬ (MIT AND CC-BY-3.0)
│ └── spdx-expression-parse@1.0.1
└─┬ MPL
└── tough-cookie@2.2.1
var nlf = require('nlf');
nlf.find({ directory: '/User/me/my-project' }, function (err, data) {
// do something with the response object.
console.log(JSON.stringify(data));
});
// to only include production dependencies
nlf.find({
directory: '/User/me/my-project',
production: true
}, function (err, data) {
// do something with the response object.
console.log(JSON.stringify(data));
});
The data returned from find() is an array of modules, each of which is represented by an object as the following example:
{
"id": "example@0.2.9",
"name": "example",
"version": "0.2.9",
"repository": "http:\/\/github.com\/iandotkelly\/example",
"directory": "\/Users\/ian\/example",
"licenseSources": {
"package": {
"sources": [
{
"license": "MIT",
"url": "http://opensource.org/MIT"
}
]
},
"license": {
"sources": [
{
"filePath": "\/Users\/ian\/Personal\/example\/LICENSE",
"text": "the text of the license file",
"names": function() { // function that returns the name of the license if known }
}
]
},
"readme": {
"sources": [
{
"filePath": "\/Users\/ian\/Personal\/example\/readme.md",
"text": "text of the readme"
"names": function() { // function that returns the name of the license if known }
}
]
}
}
}
Each
To run the unit tests, install development dependencies and run tests with 'gulp'. Requires gulp.js to be installed globally.
# only need to install gulp if you have not done so already
$ npm install -g gulp
$ cd nlf
$ npm install
$ gulp
If you contribute to the project, tests are written in mocha, using should.js or the node.js assert module.
FAQs
Find licenses for a node application and its node_module dependencies
We found that nlf demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.