{"id":13527536,"url":"https://github.com/matthaywardwebdesign/node-security","last_synced_at":"2025-04-01T09:31:42.369Z","repository":{"id":75595759,"uuid":"163503123","full_name":"matthaywardwebdesign/node-security","owner":"matthaywardwebdesign","description":":key: The easiest way to control what npm modules can access","archived":false,"fork":false,"pushed_at":"2019-01-02T09:33:45.000Z","size":45,"stargazers_count":483,"open_issues_count":7,"forks_count":14,"subscribers_count":23,"default_branch":"master","last_synced_at":"2024-08-02T06:24:34.416Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/matthaywardwebdesign.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2018-12-29T10:46:42.000Z","updated_at":"2024-05-31T18:18:10.000Z","dependencies_parsed_at":"2023-06-07T01:00:14.704Z","dependency_job_id":null,"html_url":"https://github.com/matthaywardwebdesign/node-security","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/matthaywardwebdesign%2Fnode-security","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/matthaywardwebdesign%2Fnode-security/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/matthaywardwebdesign%2Fnode-security/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/matthaywardwebdesign%2Fnode-security/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/Gi
tHub/owners/matthaywardwebdesign","download_url":"https://codeload.github.com/matthaywardwebdesign/node-security/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":222715679,"owners_count":17027699,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T06:01:50.573Z","updated_at":"2024-11-02T12:31:48.380Z","avatar_url":"https://github.com/matthaywardwebdesign.png","language":"JavaScript","readme":"\u003cimg src=\"https://i.imgur.com/08h1RM5.png\" width=\"500px\" alt=\"NodeSecurity\" /\u003e\n\n# NodeSecurity\n:key: The easiest way to control what npm modules can access\n\n\u003ca href=\"https://www.npmjs.org/package/@matthaywardwebdesign/node-security\"\u003e\u003cimg src=\"https://img.shields.io/npm/v/@matthaywardwebdesign/node-security.svg?style=flat\" alt=\"npm\"\u003e\u003c/a\u003e\n\u003ca href=\"https://circleci.com/gh/matthaywardwebdesign/node-security\"\u003e\u003cimg alt=\"build\" src=\"https://img.shields.io/circleci/project/github/matthaywardwebdesign/node-security/master.svg\"/\u003e\u003c/a\u003e\n\u003ca href=\"https://join.slack.com/t/node-security/shared_invite/enQtNTEzNjM1NzQxNzgwLTljYmJlMWUzYmE5MWUxOWYxODAyNGQzMDA1Yjc5ZDM2Y2NjNDAzMmMwMmI2ZDRlYjE1NzA4ZGQyMmI1NDc5MTU\"\u003e\u003cimg src=\"https://img.shields.io/badge/slack-join-ff69b4.svg?logo=slack\" alt=\"slack\" /\u003e\u003c/a\u003e\n[![All Contributors](https://img.shields.io/badge/all_contributors-3-orange.svg?style=flat-square)](#contributors)\n\n**NOTE:** This package has not gone through any form of security testing! 
**Please do not use it to ensure security at this time.** Issues questioning the feasibility of our current approach are still outstanding.\n- [https://github.com/matthaywardwebdesign/node-security/issues/7](https://github.com/matthaywardwebdesign/node-security/issues/7)\n\nIf you're experienced in this area ( I am not ) please contribute!\n\n## Overview\nThis repo / package was inspired by a Medium post by David Gilbertson - [https://hackernoon.com/npm-package-permissions-an-idea-441a02902d9b](https://hackernoon.com/npm-package-permissions-an-idea-441a02902d9b)\n\n\u003e Imagine a package, created and maintained by npm (or someone equally trustworthy and farsighted). Let’s call it @npm/permissions.\n\n\u003e You would include this @npm/permissions package as the first import in your app, either in a file, or you run your app like node -r @npm/permissions index.js.\n\n\u003e This would override require() to enforce the permissions stated in a package’s package.json permissions property.\n\nWith the exception of some small differences, like not using package.json to manage permissions, this package\nattempts to accomplish this goal.\n\n## How it works\nNodeSecurity works by overriding the Node.JS `require()` function, allowing us to enforce access constraints.\n\n## Usage\n\n```bash\nnpm install @matthaywardwebdesign/node-security\n```\n\nFirstly include NodeSecurity in your project at the very top of your application's entrypoint (before any other requires) and create a new instance.\n\n```javascript\n  const nodesecurity = require( '@matthaywardwebdesign/node-security' );\n  const NodeSecurity = new nodesecurity();\n```\n\n**Note:** If you're using ES6 imports you'll need to create a separate file that is imported at the entrypoint\nof your application. Without doing this it won't be possible to configure NodeSecurity before any other modules are loaded.\n\n**Configure NodeSecurity**\n\n```javascript\nNodeSecurity.configure({\n  /**\n   * The 'core' section controls\n   * global access to built-in modules. By default\n   * all core modules are disabled.\n   */\n  core: {\n    fs: true,\n    path: true,\n    /* You can disable specific module functions */\n    os: {\n      arch: false,\n      cpus: false,\n    }\n  },\n  /**\n   * The 'module' section controls\n   * per module access to built-in modules. This allows\n   * us to disable access globally but allow it on a per\n   * module basis.\n   */\n  module: {\n    axios: {\n      http: true,\n      https: true,\n    }\n  },\n  /**\n   * The 'env' section controls what environment\n   * variables are accessible via process.env\n   */\n  env: {\n    API_KEY: true,\n    API_HOST: true,\n  },\n  /**\n   * The 'sharedObjects' section controls whether\n   * or not C++ addons can be loaded. Defaults to\n   * false\n   */\n  sharedObjects: false,\n});\n```\n\n:tada: **And you're done!** :tada:\n\nAll required / imported modules from this point onwards will have to be allowed by our configuration.\n\n## Example\n\nHere's an example script!\n\n```javascript\n/* Import and create a new instance of NodeSecurity */\nconst nodesecurity = require( '@matthaywardwebdesign/node-security' );\nconst NodeSecurity = new nodesecurity();\n\n/* Configure NodeSecurity */\nNodeSecurity.configure({\n  core: {\n    /* Define global fs access */\n    fs: false,\n    /* Enable other core modules we'll need */\n    stream: true,\n    util: true,\n    path: true,\n    os: {\n      /* Deny access to OS arch */\n      arch: false,\n    },\n    assert: true,\n  },\n  module: {\n    /* Allow fs-extra to access fs */\n    'fs-extra': {\n      fs: true,\n    }\n  }\n});\n\n/* This won't throw an error as fs-extra is allowed to access fs */\nrequire( 'fs-extra' );\n\n/* Accessing fs directly will throw 
an error */\nrequire( 'fs' );\n\n/* Accessing os.arch will throw an error */\nconst os = require( 'os' );\nos.arch();\n```\n\n## Plugins\n\nYou can extend the functionality of NodeSecurity by creating a plugin. For example you could create a plugin to allow http/s requests to only be made to specific servers.\n\nAn example plugin can be found at `src/plugins/NodeSecurityPlugin.js`\n\nPlugins work by providing a way to override the default functionality of a core module. By default every Node core module (fs, os, etc) has a plugin loaded that allows for module methods to be disabled.\n\nIncluding your own plugin is as simple as adding a plugins section to your configuration.\n\n```javascript\nplugins: {\n  http: MyHTTPPlugin\n}\n```\n\n## Contributing\n\nBuilding the package\n\n```\nnpm run build\n```\n\nRunning the test suite\n\n```bash\nnpm test\n```\n\n## Ideas\n- Include a set of default plugins that allow for more granular filesystem and network access.\n\n## Contributors\n\nThanks goes to these wonderful people ([emoji key](https://github.com/kentcdodds/all-contributors#emoji-key)):\n\n\u003c!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section --\u003e\n\u003c!-- prettier-ignore --\u003e\n| [\u003cimg src=\"https://avatars0.githubusercontent.com/u/6156252?v=4\" width=\"100px;\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003eMatt Hayward\u003c/b\u003e\u003c/sub\u003e](http://www.matthayward.com.au)\u003cbr /\u003e[💻](https://github.com/matthaywardwebdesign/node-security/commits?author=matthaywardwebdesign \"Code\") [📖](https://github.com/matthaywardwebdesign/node-security/commits?author=matthaywardwebdesign \"Documentation\") | [\u003cimg src=\"https://avatars2.githubusercontent.com/u/3534236?v=4\" width=\"100px;\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003eJake Bolam\u003c/b\u003e\u003c/sub\u003e](https://jakebolam.com)\u003cbr /\u003e[🚇](#infra-jakebolam \"Infrastructure (Hosting, Build-Tools, etc)\") | [\u003cimg 
src=\"https://avatars2.githubusercontent.com/u/885648?v=4\" width=\"100px;\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003eQix\u003c/b\u003e\u003c/sub\u003e](https://github.com/Qix-)\u003cbr /\u003e[🤔](#ideas-Qix- \"Ideas, Planning, \u0026 Feedback\") |\n| :---: | :---: | :---: |\n\u003c!-- ALL-CONTRIBUTORS-LIST:END --\u003e\n\nThis project follows the [all-contributors](https://github.com/kentcdodds/all-contributors) specification. Contributions of any kind welcome!\n","funding_links":[],"categories":["JavaScript","📦 Legacy \u0026 Inactive Projects"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmatthaywardwebdesign%2Fnode-security","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmatthaywardwebdesign%2Fnode-security","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmatthaywardwebdesign%2Fnode-security/lists"}