  • Stars: 115
  • Rank: 305,916 (Top 7 %)
  • Language: Standard ML
  • License: MIT License
  • Created about 6 years ago
  • Updated over 1 year ago


Repository Details

Proof of concept: let's audit npm!

Package Trust

A proof-of-concept for distributed security audits of npm packages.

The setup is based on people publishing their public GPG key, downloading an npm package from the registry, manually auditing it, and then creating a GPG signature stating that they have audited it.

These signatures are collected and stored in a repository. One can later verify that all packages used in a project (found by parsing package-lock.json) have been security-audited by people you trust.

This repository is a minimum viable product; one could imagine creating a web application of sorts, with a database, to store the signatures and make a more user-friendly workflow.

How to inspect a package

  1. Find out which package you want to inspect.
  2. Check the package metadata: npm view left-pad (you will get a list of versions)
  3. Fetch the package: PACKAGE="left-pad" VERSION="1.3.0" ./fetch-pkg.sh (the package is downloaded into the "packages" directory)
  4. Do the manual inspection.
  5. Create a signature (see "How to sign an inspected package" below).

How to sign an inspected package

  1. Run the sign script: PACKAGE="left-pad" VERSION="1.3.0" SENDER="[email]" ./sign.sh ("sender" should be your e-mail address)
  2. Create a pull request to this repository

Verifying signatures for a package

  1. Run the verify script: PACKAGE="left-pad" VERSION="1.3.0" ./verify.sh

This verifies all of the package's signatures, based on which GPG keys you trust.
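The verification step above, together with the package-lock.json parsing described under Package Trust, as an added Python example that is not the repository's own code: it lists every package a lockfile pins, reports the ones without an accepted audit signature, and wraps the gpg check. The lockfile is constructed inline; the set-of-(name, version)-pairs audit record and the detached-signature file layout are assumptions about this repository's format.

```python
import json
import subprocess

# Constructed package-lock.json (lockfileVersion 3); "@scope/bar" and the nested
# left-pad copy exercise the path-to-name and duplicate-version cases.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/foo": {"version": "2.0.0"},
        "node_modules/foo/node_modules/left-pad": {"version": "1.2.0"},
        "node_modules/@scope/bar": {"version": "0.1.0"},
    },
})

def lockfile_packages(lock_text):
    """Return every (name, version) a package-lock.json pins, nested copies
    included, for lockfileVersion 1 ("dependencies") and 2/3 ("packages")."""
    lock = json.loads(lock_text)
    found = set()
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path == "":
                continue  # the root project entry, not a dependency
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            found.add((name, meta["version"]))
    else:
        def walk(deps):
            for name, meta in deps.items():
                found.add((name, meta["version"]))
                walk(meta.get("dependencies", {}))
        walk(lock.get("dependencies", {}))
    return found

def unaudited(lock_text, audited):
    """Pinned packages with no audit signature; `audited` is the set of
    (name, version) pairs whose signatures gpg_verify() accepted (assumed format)."""
    return sorted(lockfile_packages(lock_text) - audited)

def gpg_verify(sig_path, statement_path):
    """Verify one detached audit signature with the local keyring (assumed layout);
    gpg exits non-zero for a bad signature or a key that is not in the keyring."""
    proc = subprocess.run(["gpg", "--batch", "--verify", sig_path, statement_path],
                          capture_output=True)
    return proc.returncode == 0
```

Every (name, version) pair is checked separately, so a nested older copy of a package that was only audited at its top-level version still shows up as unaudited.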

Exporting a key

Export your public GPG key and put it in the "keys" folder:

gpg --armor --export [email] > keys/[email].asc

Then, create a pull request to this repository.

Manual inspection tips

Make sure you look at every file. Check package.json: its "scripts" section should not contain anything malicious.

Tips for inspecting a package that contains minified files
  • Try git-cloning the source code for the package.
  • Do an audit of the source code.
  • Run the build/minification step for the source code and generate a .tgz package.
  • Verify that the checksum of your built artifact is the same as the upstream one.
