secure-dep-scanner
A comprehensive security scanner for detecting suspicious dependencies, malicious packages, and vulnerabilities in Node.js projects.
# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [Unreleased]
### Added
- Enhanced documentation structure
- Contributing guidelines
- Security policy documentation
### Changed
- Improved README.md with proper package description
- Moved security policy to SECURITY.md
- Enhanced user experience documentation
## [1.0.0] - 2024-06-XX
### Added
- Initial release of Secure Dependency Scanner
- Comprehensive package.json dependency scanning
- node_modules content analysis for malicious patterns
- Typosquatting detection for malicious package name variations
- Integration with npm audit for vulnerability scanning
- Suspicious IP address detection
- Command execution pattern detection
- Whitelist of legitimate packages to reduce false positives
- Age-based detection for potential typosquatting
- Severity-based issue categorization (Critical, High, Medium, Low)
- Comprehensive security reporting with actionable recommendations
- Zero-dependency architecture to prevent supply-chain attacks
- Support for both global installation and npx usage
- Programmatic API for integration into other tools
- Exit codes for CI/CD integration
### Security Features
- Detection of known malicious packages
- Pattern-based threat detection
- Suspicious content scanning
- Deprecated package identification
- Real-time threat intelligence updates
### Technical Features
- Fast scanning performance (1-3 seconds typical)
- Cross-platform support (Linux, macOS, Windows)
- Node.js 14+ compatibility
- Self-contained executable
- Transparent detection logic
## Version History
### Version 1.0.0
- **Release Date**: June 2024
- **Status**: Initial Release
- **Key Features**: Core security scanning capabilities
- **Target Audience**: Node.js developers and security professionals
## Future Roadmap
### Version 1.1.0 (Planned)
- Enhanced pattern detection
- Performance optimizations
- Additional package manager support
- Improved reporting formats
### Version 1.2.0 (Planned)
- Configuration file support
- Custom rule definitions
- Integration APIs
- Advanced threat intelligence
### Version 2.0.0 (Future)
- Machine learning-based detection
- Real-time monitoring
- Cloud integration
- Enterprise features
## Migration Guide
### From Pre-release Versions
- No migration required for version 1.0.0
- All APIs are stable and backward compatible
- Configuration remains the same
## Deprecation Policy
- Deprecated features will be announced 6 months in advance
- Migration guides will be provided for all deprecated features
- Security-critical changes may have shorter deprecation periods
## Support Policy
### Version Support
- **Current Version**: Full support
- **Previous Major Version**: Security updates only
- **Older Versions**: No support
### Support Timeline
- **Security Updates**: 12 months after release
- **Bug Fixes**: 6 months after release
- **Feature Updates**: Current version only
**Note**: This changelog is maintained by the development team. For detailed technical changes, please refer to the git commit history.