Dirty check for npm dependencies that have no existing public package
#!/bin/env python3 | |
# https://www.bleepingcomputer.com/news/security/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack/ | |
# The following script finds all package.json files in the current directory tree and checks whether any
# referenced dependency has no public package available, which would leave your application vulnerable to a
# supply-chain attack.
# Simply run ./packagejson.py in your repository's root directory.
import json | |
import requests | |
from pathlib import Path | |
import urllib.parse | |
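def scan_package(file="./package.json", *, timeout=10, fetch=None):
    """Report dependencies of one package.json that have no public npm package.

    A dependency name that resolves to nothing on the public registry is a
    supply-chain risk: anyone can publish a package under that name, and an
    install that is not pinned to a private registry may pick it up. The
    converse does not hold -- a name that *does* exist publicly may already
    have been registered by someone else, so a clean result is not proof of
    safety; scoped names and an explicit registry configuration are the
    durable fix.

    Args:
        file: path to the package.json to inspect (str or Path).
        timeout: seconds to wait per API request. The original call had no
            timeout, so one stalled request could hang the whole scan.
        fetch: optional callable ``fetch(url) -> int`` returning the HTTP
            status code for *url*; defaults to a ``requests.get`` wrapper.
            Mainly a seam for testing without network access.

    Returns:
        A list of ``(section, name)`` tuples for every dependency the API
        answered 404 for. Dependencies whose status could not be determined
        (network error, or a status other than 200/404 such as 429 rate
        limiting) are printed as "unverified" and are *not* included, so an
        outage is never misreported as a missing package -- or as a present one.

    Raises:
        OSError: if *file* cannot be opened.
        json.JSONDecodeError: if *file* is not valid JSON.
    """
    if fetch is None:
        def fetch(url):
            return requests.get(url, timeout=timeout).status_code

    with open(file, "r", encoding="utf-8") as f:
        data = json.load(f)

    dep_keys = ["dependencies", "devDependencies", "peerDependencies",
                "bundledDependencies", "optionalDependencies"]
    print(f"Checking file {file}")
    missing = []
    for section in dep_keys:
        # A dict section iterates over package names; bundledDependencies may
        # be a plain list of names, which iterates the same way.
        for name in data.get(section) or []:
            # quote_plus escapes '@' and '/' so scoped names fit in one path segment.
            package = urllib.parse.quote_plus(name)
            url = f"https://api.npms.io/v2/package/{package}"
            try:
                status = fetch(url)
            except OSError as err:  # requests.RequestException derives from OSError
                print(f"{file} - {section} - {name} - unverified ({err})")
                continue
            if status == 404:
                # Only an explicit "not found" counts as a missing public package.
                print(f"{file} - {section} - {name}")
                missing.append((section, name))
            elif status != 200:
                print(f"{file} - {section} - {name} - unverified (HTTP {status})")
    return missing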
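# Walk the repository for every package.json, skipping installed node_modules
# trees: those manifests belong to third-party packages, and re-checking them
# multiplies the API calls without telling you anything about your own deps.
for path in Path('./').rglob('package.json'):
    if 'node_modules' in path.parts:
        continue
    scan_package(path)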