prantlf · March 20, 2022 17:33
diff --git a/trust-npm.sh b/trust-npm.sh
 #!/bin/sh

 # Look for NPM modules of the authors below in the local node_modules.

 # Author of left-pad unpublished their modules from the NPM registry,
 # which broke a lot of packages.
 #  https://www.theregister.com/2016/03/23/npm_left_pad_chaos/
 #  https://medium.com/@mproberts/a-discussion-about-the-breaking-of-the-internet-3d4d2a83aa4d
 #  https://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm
 #  https://www.reddit.com/r/programming/comments/4bjss2/an_11_line_npm_package_called_leftpad_with_only/
 #  https://github.com/left-pad/left-pad/issues/4

 # Author of node-ipc added malware to their modules, which was deleting and rewriting file content,
 # renaming files, creating new files and later printed anti-war texts on the console.
 #  https://www.theregister.com/2022/03/18/protestware_javascript_node_ipc/
 #  https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
 #  https://security.snyk.io/vuln/SNYK-JS-NODEIPC-2426370
 #  https://github.com/RIAEvangelist/node-ipc/pull/239
 #  https://github.com/RIAEvangelist/node-ipc/issues/530
 #  https://developers.slashdot.org/story/22/03/18/188231/famous-npm-package-deletes-files-to-protest-ukraine-war
 #  https://github.com/vuejs/vue-cli/issues/7054

 # Author of colrs and faker broke the interface of their modules and printed
 # texts on the console, so that rich companies would consider sponsoring his work.
 #  https://www.theregister.com/2022/01/10/npm_fakerjs_colorsjs/
 #  https://github.com/Marak/colors.js/issues/340

 # Author of terraform-aws-ec2-instance required to agree with their vulgar
 # accusations, optherwise their module failed installing.
 #  https://beny23.github.io/posts/on_weaponisation_of_open_source/

 # If the following commands print nothing or only errors,
 # your project does not depend on modules from the authors above.

 echo "Looking for peacenotwar..."
 npm ls --json peacenotwar | pnpx jq ".dependencies | keys? | unique | .[]"
 echo "Looking for node-ipc..."
 npm ls --json node-ipc | pnpx jq ".dependencies | keys? | unique | .[]"
 echo "Looking for faker..."
 npm ls --json faker | pnpx jq ".dependencies | keys? | unique | .[]"
 echo "Looking for colors..."
 npm ls --json colors | pnpx jq ".dependencies | keys? | unique | .[]"
 echo "Looking for authors..."
 pnpx find-npm-by-author -A "Brandon Nozaki Mille" -R riaevangelist \
 -A azer -R azer -A "Marak Squires" -R marak \
 -A "Anton Babenko" -R terraform-aws-modules
	#!/bin/sh

	# Look for NPM modules of the authors below in the local node_modules.

	# Author of left-pad unpublished their modules from the NPM registry,
	# which broke a lot of packages.
	# https://www.theregister.com/2016/03/23/npm_left_pad_chaos/
	# https://medium.com/@mproberts/a-discussion-about-the-breaking-of-the-internet-3d4d2a83aa4d
	# https://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm
	# https://www.reddit.com/r/programming/comments/4bjss2/an_11_line_npm_package_called_leftpad_with_only/
	# https://github.com/left-pad/left-pad/issues/4

	# Author of node-ipc added malware to their modules, which was deleting and rewriting file content,
	# renaming files, creating new files and later printed anti-war texts on the console.
	# https://www.theregister.com/2022/03/18/protestware_javascript_node_ipc/
	# https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/
	# https://security.snyk.io/vuln/SNYK-JS-NODEIPC-2426370
	# https://github.com/RIAEvangelist/node-ipc/pull/239
	# https://github.com/RIAEvangelist/node-ipc/issues/530
	# https://developers.slashdot.org/story/22/03/18/188231/famous-npm-package-deletes-files-to-protest-ukraine-war
	# https://github.com/vuejs/vue-cli/issues/7054

	# Author of colrs and faker broke the interface of their modules and printed
	# texts on the console, so that rich companies would consider sponsoring his work.
	# https://www.theregister.com/2022/01/10/npm_fakerjs_colorsjs/
	# https://github.com/Marak/colors.js/issues/340

	# Author of terraform-aws-ec2-instance required to agree with their vulgar
	# accusations, optherwise their module failed installing.
	# https://beny23.github.io/posts/on_weaponisation_of_open_source/

	# If the following commands print nothing or only errors,
	# your project does not depend on modules from the authors above.

	echo "Looking for peacenotwar..."
	npm ls --json peacenotwar \| pnpx jq ".dependencies \| keys? \| unique \| .[]"
	echo "Looking for node-ipc..."
	npm ls --json node-ipc \| pnpx jq ".dependencies \| keys? \| unique \| .[]"
	echo "Looking for faker..."
	npm ls --json faker \| pnpx jq ".dependencies \| keys? \| unique \| .[]"
	echo "Looking for colors..."
	npm ls --json colors \| pnpx jq ".dependencies \| keys? \| unique \| .[]"
	echo "Looking for authors..."
	pnpx find-npm-by-author -A "Brandon Nozaki Mille" -R riaevangelist \
	-A azer -R azer -A "Marak Squires" -R marak \
	-A "Anton Babenko" -R terraform-aws-modules