Because it allows to convey a message while remaining compatible and simple to setup in a Web page.
👀 click on the arrow to show the complete description
Each summaries title are the name of the flag in the JSON.
⚔️ hasBannedFile
The project has at least one sensitive file (or a file with sensitive information in it).
The list of sensitive files are:
- .npmrc
- .env
- files with extension like .key or .pem
💎 hasCustomResolver
The package has custom dependencies resolver such as +git or +ssh or a local file with file:. In this kind of case it is better to check the package.json.
Note that pacote doesn't support ssh so there is no support in nsecure for this kind of resolver.
Documentation: npm-install
🌍 hasExternalCapacity
The package use a Node.js core package that allow to access the network. These core package are:
- http
- https
- net
- http2
- dgram
🌲 hasIndirectDependencies
The package has indirect (or also called transitive) dependencies. This means that the child dependencies of the package also have dependencies.
In the following example accepts is flagged 🌲 because mime-types has a mime-db dependency which mean that the package is an indirect dependency of accepts.
Indirect dependencies are dangerous for many reasons and you may found useful informations in these articles / study:
👥 hasManyPublishers
The package has been published on npm by multiple unique users. There is no big deal here, just mean the package is maintained by a group of people.
🔬 hasMinifiedCode
Has one or many files that has been detected as minified JavaScript code. We use a package that will tell us if the code is minified (in case the file as a .min then we will consider the file minified by default).
Minified JavaScript code are commonly used by hacker to obfuscate the code to avoid being spotted. A good practice is surely to check all the packages with the flag.
Example of minified code:
👀 hasMissingOrUnusedDependency
The package has a missing dependency (in package.json) or a dependency that is not used in the code (this may happen if the AST Analysis fail!)
📚 hasMultipleLicenses
We have detected different licenses in package.json and other licenses files (LICENSE, LICENSE.MD etc). This probably means that there is an inconsistency in the choice of the license (or a file not updated yet with the right license).
This flag has not been created to detect multiple licenses / conformance rules.
Example: ISC OR GPL-2.0-with-GCC-exception.
Under the hood we use @nodesecure/licenses-conformance to assert licenses conformance!
🐲 hasNativeCode
The package use native components (package, file, configuration) like binding.gyp or npm package for native addon like node-addon-api.
The flag is set to true if:
- One of the package file has an extension like .c, .cpp, .gyp (etc..)
- One of the package dependency is known for building native addons.
- The package.json file has the property "gypfile" set to true.
📜 hasNoLicense
This flag mean that we have not detected any licenses in the npm Tarball (or something went wrong in the detection). For detecting licenses we are reading the package.json and searching for local files that contain the word license.
The code and logic behind the detection is handled in the npm-tarball-license-parser package.
For more information on how license must be described in the package.json, please check the npm documentation.
📦 hasScript
The package has pre and/or post script in the package.json file. These script will be executed before or after the installation of a dependency (this is useful for example to build native addons or similar things). However these script may be used to execute malicious code on your system.
🚨 Vulnerabilities
Vulnerabilities has been detected for the given package version. We are fetching vulnerabilities from multiple sources using NodeSecure vulnera.
Available source are
- GitHub Audit (previously NPM Audit)
- Sonatype DB
- Snyk
- Node.js Security-WG DB (DEPRECATED)
We currently working to implement NVD and OSV.
⚠ hasWarnings
This means that the SAST Scanner has detected several problems by analyzing the Abstract Syntax Tree (AST) of a JavaScript source code. All warnings are accurately documented here.
💀 isDead
The dependency (package) has not received update from at least one year and has at least one dependency that need to be updated.
It probably means it's dangerous to use (or continue to) because the author doesn't seem to update the package anymore (even worst if you want him to implement a new version / security patch).
⛔️ isDeprecated
The given npm package has been deprecated by his author (it must be updated or replaced with an equivalent if there is no new version available).
For more information on deprecation please check the official npm documentation.
🎭 isDuplicate
Indicate that the package is also used somewhere else in the dependency tree but with a different version (like in the screenshot with yallist).
☁️ isGit
The project has been detected as a GIT repository. Sometimes a dependency on the package.json link to a GIT repository, example:
`{ "dependencies": { "zen-observable": "^0.8.15", "nanoid": "github:ai/nanoid", "js-x-ray": "git://github.com/NodeSecure/js-x-ray.git", "nanodelay": "git+ssh://[email protected]:ai/nanodelay.git", "nanoevents": "git+https://github.com/ai/nanoevents.git" } }`
Because under the hood we use pacote to fetch and extract packages we are supporting this given pattern.
⌚️ isOutdated
The current package version is not equal to the latest version of the package (Compared to the versions we retrieve from the npm registry).
This can happen, for example, when the package uses tags such as:
- @alpha
- @beta
- @next