NPM (Node Package Manager) security and voting

Time: 2016-02-09 06:09:47

Tags: node.js security npm voting

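Anyone can publish their Node.js packages to the open Node Package Manager (npm) pool. Are there any security checks on published packages, so that I can be sure a new package will not contain any harmful code?

It would also be interesting to know whether there is any voting system for node packages, so that I can pick the most-voted package from a bunch of similar node packages.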

2 answers:

Answer 0: (score: 1)

The Node Security Platform is a tool designed to help developers do just that! You can test your project dependencies for known vulnerabilities in a variety of ways - from the command line, integrated with your CI system, or integrated with GitHub.

The vulnerabilities are discovered via two sources:

  1. A team of seasoned node.js security professionals actively auditing modules on npm.
  2. Submissions from community members, which are verified by the aforementioned team.

It's also free to use the command line tool, as well as integration with open source GitHub repositories.

If you are using npm enterprise, nsp is also partnered with npm to provide sidebar integration. This allows you to see vulnerability information right from the npme web UI, which sounds like what you are looking for.

As far as module popularity goes, there is a website that does this to some degree at nodejsmodules.org. I use it from time to time, but beware - they've got a very expired HTTPS cert.

Disclosure: I am an employee of ^Lift Security, the company behind the Node Security Platform.

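Answer 1: (score: 0)

You can also use https://nodesecurity.io/ to add security checks to your GitHub pull request flow.

If you perform a search on npmjs.com before pulling a module into your system, the index of all packages on npmjs.com takes maintenance, quality, etc. into account.

npm search is also a good option for npm package voting.

The npms analyzer continuously analyzes the npm ecosystem, gathering as much information as possible from a variety of sources, including GitHub, David and nsp. Using the collected information, a final score for each package is calculated based on four different aspects: quality, maintenance, popularity and personalities.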