FLAGS.md

File metadata and controls

198 lines (88 loc) · 8.74 KB

Flags

Why emojis for flags?

Because an emoji conveys a message at a glance while staying compatible with, and simple to set up in, a Web page.

Legends

👀 Click on the arrow to show the complete description.

Each summary title is the name of the flag in the JSON.

⚔️ hasBannedFile

The project has at least one sensitive file (or a file with sensitive information in it).

The sensitive files are:

  • .npmrc
  • .env
  • files with an extension like .key or .pem

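The rules above are simple enough to reproduce. The following is an added example, not NodeSecure's own code: it applies the three hasBannedFile rules to the list of paths found in a package tarball. The sample listing is constructed for the example; note that the rules as stated cover the exact name .env and not variants such as .env.local.

```javascript
// Added example, not NodeSecure's own code: a minimal version of the
// hasBannedFile rule applied to the list of files found in a package tarball.

// File names considered sensitive regardless of the directory they sit in.
const BANNED_FILENAMES = new Set([".npmrc", ".env"]);
// Extensions that usually hold private key material.
const BANNED_EXTENSIONS = new Set([".key", ".pem"]);

// Tarball listings use forward slashes; return the last path component.
function basename(filePath) {
  const idx = filePath.lastIndexOf("/");
  return idx === -1 ? filePath : filePath.slice(idx + 1);
}

// Lower-cased extension including the dot. A leading dot alone (".env")
// marks a dotfile, not an extension, so it yields "".
function extension(name) {
  const idx = name.lastIndexOf(".");
  return idx <= 0 ? "" : name.slice(idx).toLowerCase();
}

// Return every path in `files` that matches one of the sensitive-file rules.
function findBannedFiles(files) {
  return files.filter((filePath) => {
    const name = basename(filePath);
    return BANNED_FILENAMES.has(name) || BANNED_EXTENSIONS.has(extension(name));
  });
}

// The flag itself: true as soon as one sensitive file is present.
function hasBannedFile(files) {
  return findBannedFiles(files).length > 0;
}

// Constructed sample listing (no real package), mixing safe and sensitive paths.
const SAMPLE_FILES = [
  "package.json",
  "README.md",
  "lib/index.js",
  ".npmrc",
  "config/.env",
  "certs/server.pem",
  "src/keyboard.js",
  "docs/env.md",
];

console.log("hasBannedFile:", hasBannedFile(SAMPLE_FILES));
console.log("matches:", findBannedFiles(SAMPLE_FILES));
```

Matching on the basename means a .npmrc nested under a sub-directory is still reported, and the lower-casing makes SERVER.PEM match as well as server.pem.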
💎 hasCustomResolver

The package has a custom dependency resolver such as +git or +ssh, or a local file with file:. In this kind of case it is better to check the package.json.

Note that pacote doesn't support ssh, so there is no support in nsecure for this kind of resolver.

Documentation: npm-install

🌍 hasExternalCapacity

The package uses a Node.js core module that allows network access. These core modules are:

  • http
  • https
  • net
  • http2
  • dgram

⚠️ This flag only works if the AST analysis successfully retrieved all dependencies as expected.
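To make both the rule and its caveat concrete, here is an added example that is not NodeSecure's own code. The real flag comes from the AST analysis; this stand-in scans the source text with regular expressions so it runs without a parser, and it also counts the require() calls whose argument is not a string literal, which is exactly the kind of dependency a static scan cannot resolve. The sample source is constructed.

```javascript
// Added example, not NodeSecure's own code: a simplified hasExternalCapacity
// check. It reports the network core modules loaded with a literal specifier
// and counts the dynamic require() calls a static scan cannot resolve.

const NETWORK_CORE_MODULES = new Set(["http", "https", "net", "http2", "dgram"]);

// require("x"), require('x'), import x from "x", import "x" with a literal specifier.
const STATIC_SPECIFIER_RE = /(?:require\s*\(\s*|\bfrom\s+|\bimport\s+)(["'])([^"']+)\1/g;
// require(<expression>) whose argument is not a string literal.
const DYNAMIC_REQUIRE_RE = /require\s*\(\s*(?!["'])[^)]*\)/g;

// The "node:" scheme names the same core module.
function normalizeSpecifier(spec) {
  return spec.startsWith("node:") ? spec.slice("node:".length) : spec;
}

// Scan one JavaScript source string and report the network core modules it
// loads, plus how many require() calls could not be resolved statically.
function scanExternalCapacity(source) {
  const networkModules = new Set();
  for (const match of source.matchAll(STATIC_SPECIFIER_RE)) {
    const spec = normalizeSpecifier(match[2]);
    if (NETWORK_CORE_MODULES.has(spec)) {
      networkModules.add(spec);
    }
  }
  const unresolved = (source.match(DYNAMIC_REQUIRE_RE) || []).length;
  return {
    hasExternalCapacity: networkModules.size > 0,
    networkModules: [...networkModules].sort(),
    // A non-zero count means the result may be incomplete, which is the
    // situation the warning above describes.
    unresolved,
  };
}

// Constructed sample source (not from any real package).
const SAMPLE_SOURCE = `
const fs = require("fs");
const https = require('node:https');
import { createServer } from "http";
const name = "dg" + "ram";
const hidden = require(name); // a static scan cannot tell this loads dgram
`;

console.log(scanExternalCapacity(SAMPLE_SOURCE));
```

On the sample the scan reports http and https and one unresolved require(); the dgram load built from a concatenated string is invisible to it, which is why a report with unresolved > 0 should be read as a lower bound rather than a complete answer.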

🌲 hasIndirectDependencies

The package has indirect (also called transitive) dependencies. This means that the package's direct dependencies themselves have dependencies.

In the following example accepts is flagged 🌲 because mime-types has a mime-db dependency, which means that mime-db is an indirect dependency of accepts.

Indirect dependencies are dangerous for many reasons and you may find useful information in these articles / studies:

👥 hasManyPublishers

The package has been published on npm by multiple unique users. This is not a big deal in itself; it just means the package is maintained by a group of people.

🔬 hasMinifiedCode

The package has one or many files that have been detected as minified JavaScript code. We use a package that tells us whether the code is minified (if the file name contains .min we consider the file minified by default).

Minified JavaScript code is commonly used by attackers to obfuscate code and avoid being spotted. A good practice is to review every package carrying this flag.

Example of minified code:

👀 hasMissingOrUnusedDependency

The package has a missing dependency (in package.json) or a dependency that is not used in the code (this may happen if the AST analysis fails!).

📚 hasMultipleLicenses

We have detected different licenses in package.json and in other license files (LICENSE, LICENSE.MD, etc.). This probably means that there is an inconsistency in the choice of the license (or a file not yet updated with the right license).

This flag was not created to detect multiple licenses / conformance rules.

Example: ISC OR GPL-2.0-with-GCC-exception.

Under the hood we use @nodesecure/licenses-conformance to assert licenses conformance!

🐲 hasNativeCode

The package uses native components (packages, files, configuration) like binding.gyp or an npm package for native addons like node-addon-api.

The flag is set to true if:

  • One of the package's files has an extension like .c, .cpp, .gyp (etc.).
  • One of the package's dependencies is known for building native addons.
  • The package.json file has the property "gypfile" set to true.

📜 hasNoLicense

This flag means that we have not detected any license in the npm tarball (or something went wrong in the detection). To detect licenses we read the package.json and search for local files whose name contains the word license.

The code and logic behind the detection is handled in the npm-tarball-license-parser package.

For more information on how licenses must be described in the package.json, please check the npm documentation.

📦 hasScript

The package has pre and/or post scripts in the package.json file. These scripts are executed before or after the installation of a dependency (this is useful, for example, to build native addons or similar things). However, these scripts may also be used to execute malicious code on your system.

🚨 Vulnerabilities

Vulnerabilities have been detected for the given package version. We fetch vulnerabilities from multiple sources using NodeSecure vulnera.

Available sources are:

  • GitHub Audit (previously NPM Audit)
  • Sonatype DB
  • Snyk
  • Node.js Security-WG DB (DEPRECATED)

We are currently working to implement NVD and OSV.

⚠ hasWarnings

This means that the SAST scanner has detected one or several problems by analyzing the Abstract Syntax Tree (AST) of the JavaScript source code. All warnings are accurately documented here.

💀 isDead

The dependency (package) has not received an update for at least one year and has at least one dependency that needs to be updated.

It probably means it is dangerous to use (or to keep using) because the author no longer seems to update the package (even worse if you need them to ship a new version / security patch).

⛔️ isDeprecated

The given npm package has been deprecated by its author (it must be updated or replaced with an equivalent if no new version is available).

For more information on deprecation please check the official npm documentation.

🎭 isDuplicate

Indicates that the package is also used somewhere else in the dependency tree but with a different version (as in the screenshot with yallist).

☁️ isGit

The project has been detected as a Git repository. Sometimes a dependency in the package.json links to a Git repository, for example:

```json
{
  "dependencies": {
    "zen-observable": "^0.8.15",
    "nanoid": "github:ai/nanoid",
    "js-x-ray": "git://github.com/NodeSecure/js-x-ray.git",
    "nanodelay": "git+ssh://git@github.com:ai/nanodelay.git",
    "nanoevents": "git+https://github.com/ai/nanoevents.git"
  }
}
```

Because under the hood we use pacote to fetch and extract packages, we support this pattern.
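The following added example (not NodeSecure's own code) ties the hasCustomResolver and isGit descriptions together: it classifies each dependency specifier of the package.json shown above by the resolver npm would use for it, and marks the git+ssh entry as one that pacote cannot fetch. The "local-helper" file: entry, the classification names and the fetchable field are this example's own additions.

```javascript
// Added example, not NodeSecure's own code: classify dependency specifiers
// the way the hasCustomResolver and isGit flags look at them.

// Constructed package.json: the git entries are the example from the page,
// the "file:" entry is added to exercise the local-file resolver.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    "zen-observable": "^0.8.15",
    "nanoid": "github:ai/nanoid",
    "js-x-ray": "git://github.com/NodeSecure/js-x-ray.git",
    "nanodelay": "git+ssh://git@github.com:ai/nanodelay.git",
    "nanoevents": "git+https://github.com/ai/nanoevents.git",
    "local-helper": "file:../local-helper",
  },
};

// Map one specifier to the kind of resolver npm would use for it.
function classifySpecifier(spec) {
  if (spec.startsWith("file:")) return "file";
  if (spec.startsWith("git+ssh:")) return "git-ssh";
  if (/^git(\+https?)?:/.test(spec)) return "git";
  // Hosted shorthands (github:user/repo) and the bare "user/repo" form.
  if (/^(github|gitlab|bitbucket|gist):/.test(spec)) return "git";
  if (/^[\w.-]+\/[\w.-]+(#[\w./-]*)?$/.test(spec)) return "git";
  // Anything else (semver ranges, dist-tags) goes through the registry.
  return "registry";
}

// Walk the dependencies and list every entry that bypasses the registry.
function auditDependencies(pkg) {
  const custom = [];
  for (const [name, spec] of Object.entries(pkg.dependencies || {})) {
    const kind = classifySpecifier(spec);
    if (kind === "registry") continue;
    custom.push({
      name,
      spec,
      kind,
      // pacote cannot fetch over ssh, so such entries cannot be analysed.
      fetchable: kind !== "git-ssh",
    });
  }
  return {
    hasCustomResolver: custom.length > 0,
    gitDependencies: custom.filter((dep) => dep.kind !== "file").map((dep) => dep.name),
    custom,
  };
}

console.log(JSON.stringify(auditDependencies(SAMPLE_PACKAGE_JSON), null, 2));
```

Run against the sample, five of the six entries are reported as custom resolvers, four of them git based, and nanodelay is the one marked as not fetchable. That is the list a reviewer would open package.json for, as the hasCustomResolver text recommends.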

⌚️ isOutdated

The current package version is not equal to the latest version of the package (compared to the versions we retrieve from the npm registry).

This can happen, for example, when the package uses tags such as:

  • @alpha
  • @beta
  • @next