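#!/usr/bin/env bash
# Check the local npm cache for known-compromised package versions.
#
# The name/version list below is a point-in-time snapshot of the affected
# releases; extend it as further packages are reported.
#
# Scope: this inspects only the global npm cache (`npm cache ls`). It does
# not look at installed node_modules, lockfiles, or the yarn/pnpm caches,
# so a "(none)" result is not a full clean bill for a machine.
#
# Requires: bash, jq, npm.
set -euo pipefail

packages_json='[
{"name":"backslash","version":"0.2.1"},
{"name":"chalk-template","version":"1.1.1"},
{"name":"supports-hyperlinks","version":"4.1.1"},
{"name":"has-ansi","version":"6.0.1"},
{"name":"simple-swizzle","version":"0.2.3"},
{"name":"color-string","version":"2.1.1"},
{"name":"error-ex","version":"1.3.3"},
{"name":"color-name","version":"2.0.1"},
{"name":"is-arrayish","version":"0.3.3"},
{"name":"slice-ansi","version":"7.1.1"},
{"name":"color-convert","version":"3.1.1"},
{"name":"wrap-ansi","version":"9.0.1"},
{"name":"ansi-regex","version":"6.2.1"},
{"name":"supports-color","version":"10.2.1"},
{"name":"strip-ansi","version":"7.1.1"},
{"name":"chalk","version":"5.6.1"},
{"name":"debug","version":"4.4.2"},
{"name":"ansi-styles","version":"6.2.2"},
{"name":"proto-tinker-wc","version":"0.1.87"},
{"name":"duckdb","version":"1.3.3"},
{"name":"@duckdb/node-api","version":"1.3.3"},
{"name":"@duckdb/node-bindings","version":"1.3.3"}
]'

# Print a diagnostic line on stderr so it never mixes with the result list.
warn() {
  printf '%s\n' "$*" >&2
}

# Print a message on stderr and exit with status 1.
die() {
  warn "$@"
  exit 1
}

#######################################
# Decide whether an npm cache listing contains a given package version.
# Arguments:
#   $1 - package name (may be scoped, e.g. @duckdb/node-api)
#   $2 - version string
#   $3 - full text of the `npm cache ls` output
# Returns:
#   0 if an entry for name@version is present, 1 otherwise
#
# npm's cache keys carry the registry tarball URL, which for a scoped
# package is .../<name>/-/<basename>-<version>.tgz with the @scope/ prefix
# dropped from the file name; the original bare "<name>-<version>" check
# therefore could never match scoped entries. Both forms are tried, as
# fixed strings (-F) so that the dots in a version do not act as regex
# wildcards, and with -- so a leading '-' is never read as an option.
#######################################
in_cache() {
  local name=$1 version=$2 listing=$3
  local base=${name##*/}
  printf '%s\n' "$listing" \
    | grep -qF -e "${name}-${version}" -e "${name}/-/${base}-${version}.tgz" --
}

main() {
  command -v jq >/dev/null 2>&1 \
    || die "Error: 'jq' is required (to parse the JSON array-of-objects)."
  # Without npm the old script printed "(none)", i.e. a false all-clear.
  command -v npm >/dev/null 2>&1 \
    || die "Error: 'npm' is required (to list the npm cache)."

  # One array element per package name; avoids the space-joined string
  # that relied on unquoted word-splitting.
  local -a names=()
  mapfile -t names < <(printf '%s\n' "$packages_json" | jq -r '.[].name')

  echo "Running 'npm cache ls' for given packages..."
  # Keep going with whatever npm printed, but never let a failed listing
  # pass silently as an empty (clean) cache.
  local npm_output npm_status=0
  npm_output=$(npm cache ls "${names[@]}" 2>/dev/null) || npm_status=$?
  if (( npm_status != 0 )); then
    warn "Warning: 'npm cache ls' exited with status ${npm_status}; results may be incomplete."
  fi

  echo
  echo "Packages found in npm cache:"
  local found=0 name version
  # Feed the loop via process substitution so it runs in this shell and
  # the counter survives; a pipeline would put the loop in a subshell,
  # which is why the original needed a temp file to carry the result out.
  while IFS=$'\t' read -r name version; do
    [[ -n "$name" ]] || continue
    if in_cache "$name" "$version" "$npm_output"; then
      echo "• $name@$version"
      found=$((found + 1))
    fi
  done < <(printf '%s\n' "$packages_json" | jq -r '.[] | "\(.name)\t\(.version)"')

  if (( found == 0 )); then
    echo "(none)"
  fi
}

main "$@"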
Thanks for providing this... But we probably need a version of this that checks not just npm cache, but also yarn cache, pnpm cache, etc...
@joeskeen I don't use yarn personally, but I hacked together a quick fork for pnpm: https://gist.github.com/qsniyg/423ad9d8f65e3af301e534f61a73cec3
@phxgg Could you add {"name":"proto-tinker-wc","version":"0.1.87"} ? As per: https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
📣 @phxgg @qsniyg @ernestognw and others - I have created a fork that does a much broader scan, including the Yarn and PNPM global caches and all package.json files, Dockerfiles, etc. under the current working directory.
https://gist.github.com/joeskeen/202fe9f6d7a2f624097962507c5ab681
Edit: @qsniyg I've updated my fork to include that new package, thanks for reporting it!
Update: I've updated my script to group issues by project and show a suggested remediation commands section at the end, which should give you what you need to fix all the issues. I ran it on the root directory containing all of my cloned repositories and ended up with 235 issues! But it grouped them, and for me it comes down to updating dependencies in 13 projects.
Thanks! 😄