npm-malice-audit

npm-malice-audit

Audits npm packages for any known-malicious package names.

Installation

npm install npm-malice-audit -g

Usage

This is a CLI tool, so it is invoked from the command line.

You must provide a manifest of packages. A manifest is an array of npm package names and can be provided in two ways:

npm-malice-audit.json

Use this if you want to check multiple packages without installing them.

First, the tool will look for an npm-malice-audit.json file with contents like this:

[
  "foo",
  "bar"
]

package.json

Use this if you want to check the dependencies of a project you have installed/cloned locally.

Second, the tool will look for a package.json file and use all of its dependencies, devDependencies, peerDependencies, and optionalDependencies as the package manifest.

Report

If a non-empty manifest is found, a report similar to the following will be produced:

$ npm-malice-audit
---------
| async |
---------
Audited 673 packages.
Completed in 79.481 seconds.
Found 0 malicious packages in the tree!
----------
| lodash |
----------
Audited 1 packages.
Completed in 0.202 seconds.
Found 0 malicious packages in the tree!
-----------------
| npm-remote-ls |
-----------------
Audited 405 packages.
Completed in 42.203 seconds.
Found 0 malicious packages in the tree!
= SUMMARY ==============================
Audited 1079 total packages.
Completed audit in 121.899 seconds.
Found a total of 0 malicious packages!

You may also see an = ERRORS = section above the = SUMMARY =. This includes messages logged when there are problems looking up packages.

Note: Large packages with many dependencies can take a long time to resolve due to the need for many requests - patience is a virtue!