Top Rating
- Top Contributors
  Discover the Top Open Source contributors by country or by language
- Interviews
  Discover real stories from Open Source developers
Discover

Discover your Favorite Language
Discover the top trending repositories and projects on Github. Explore the latest trends in your preferred languages.

Shell

Nix

Scala

C

OCaml

MATLAB

Perl

Zig

More Languages
Awesome

Awesome repositories
Discover the most awesome repositories and projects of your favorite languages. Inspired by the Awesome-* lists trend in GitHub.

F#

Groovy

C++

C#

MATLAB

JavaScript

Clojure

PHP

More Languages
By Country

Rankings by Country
Discover the community of talented open source contributors in each country.

🇩🇪 Germany

🇸🇰 Slovakia

🇭🇹 Haiti

🇬🇹 Guatemala

🇲🇷 Mauritania

🇹🇳 Tunisia

🇲🇶 Martinique

🇻🇦 Vatican City

All Countries Compare Countries

eirslett/package-trust

Stars
115
Rank 305,916 (Top 7 %)
Language Standard ML
License
MIT License
Created almost 6 years ago
Updated over 1 year ago

eirslett/package-trust

eirslett

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Proof of concept: let's audit npm!

Package Trust

A proof-of-concept for distributed security audits of npm packages.

The setup is based on people publishing their public GPG key, downloading an npm package from the registry, manually auditing it, and then creating a GPG signature stating that they have audited it.

These signatures are collected and stored in a repository. One can then later on verify that all packages that are used in a project (by parsing package-lock.json) are properly security-audited, by people you trust.

This repository is a minimum viable product; one could imagine creating a web application of sorts, with a database, to store the signatures and make a more user-friendly workflow.

How to inspect a package

Find out which package you want to inspect.
Check package metadata: npm view left-pad (you will get a list of versions)
Fetch the package: PACKAGE="left-pad" VERSION="1.3.0" ./fetch-pkg.sh The package will be downloaded and end up in the "packages" directory.
Do the manual inspection.
Create a signature

How to sign an inspected package

Run the sign script: PACKAGE="left-pad" VERSION="1.3.0" SENDER="[email]" ./sign.sh ("sender" should be your e-mail address)
Create a pull request to this repository

Verifying signatures for a package

Run the verify script: 1) Run the sign script: PACKAGE="left-pad" VERSION="1.3.0" ./verify.sh

This will verify all the signatures. (Based on which GPG signatures you trust)

Exporting a key

Export your public GPG key, put it in the "keys" folder and create a pull request.

gpg --armor --export [email] > keys/[email].asc

Then, create a pull request to this repository.

Manual inspection tips

Make sure you look at every file. Check package.json, it should not contain anything malicious in the "scripts" section.

Tips for inspecting a package that contains minified files

Try git-cloning the source code for the package.
Do an audit of the source code.
Run the build/minification step for the source code and generate a .tgz package.
Verify that the checksum of your built artifact is the same as the upstream one.

frontend-maven-plugin

"Maven-node-grunt-gulp-npm-node-plugin to end all maven-node-grunt-gulp-npm-plugins." A Maven plugin that downloads/installs Node and NPM locally, runs NPM install, Grunt, Gulp and/or Karma.

thrift-zookeeper

How to use Thrift with Zookeeper - using Finagle and Java

kubectl-windows

Running kubectl on Windows

chrome-karma-docker

Boilerplate project for running karma with Google Chrome inside a Docker container

mediasoup-client-native-cpp

An attempt at a native C++ client library for MediaSoup

elm-task-port-example

Example/description of an Elm modification: adding support for task ports

sc8

Scala functions from Java 8

elmvm

Elm Version Manager

sbt-slf4j

A bridge between sbt's plugin logger and SLF4j

kafka-please

A pre-built version of Kafka that can be started and stopped from Node.js

db2-test

Just for fun; running IBM's DB2 database in a Docker container.

unreed-app

Source code for Unreed

sector-file-tools

Utilities for working with SCT, ASR and ESE files.

pull-request-illustration

Just an example repo for a pull request.

finagle-mysql-test

A little helper trait for testing Finagle-mysql-services

reactive-cookbook

This is a set of recipes for common reactive patterns, in common reactive libraries, for common languages.

shoeset

A 7z archive library

pandaswarm-hyper