{"id":14155543,"url":"https://github.com/nodejs/citgm","last_synced_at":"2025-10-08T02:22:53.005Z","repository":{"id":35274127,"uuid":"39534835","full_name":"nodejs/citgm","owner":"nodejs","description":"Canary in the Gold Mine","archived":false,"fork":false,"pushed_at":"2025-09-24T06:42:00.000Z","size":1344,"stargazers_count":582,"open_issues_count":75,"forks_count":156,"subscribers_count":34,"default_branch":"main","last_synced_at":"2025-09-24T08:34:07.073Z","etag":null,"topics":["javascript","mit","node","nodejs","npm-module","test"],"latest_commit_sha":null,"homepage":"https://www.npmjs.com/package/citgm","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nodejs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"nodejs","open_collective":"nodejs"}},"created_at":"2015-07-22T23:16:47.000Z","updated_at":"2025-09-24T06:42:04.000Z","dependencies_parsed_at":"2023-12-27T12:25:30.651Z","dependency_job_id":"a1138e15-d31a-4e97-b29f-4d3c799dda40","html_url":"https://github.com/nodejs/citgm","commit_stats":{"total_commits":986,"total_committers":69,"mean_commits":"14.289855072463768","dds":0.7789046653144016,"last_synced_commit":"83ffabd74ef2ab309301678ec0e872d630870ba4"},"previous_names":[],"tags_count":217,"template":false,"template_full_name":null,"purl":"pkg:github/nodejs/citgm","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nodejs%2Fcitgm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nodejs%2Fcitgm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nodejs%2Fcitgm/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nodejs%2Fcitgm/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nodejs","download_url":"https://codeload.github.com/nodejs/citgm/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nodejs%2Fcitgm/sbom","scorecard":{"id":692606,"data":{"date":"2025-08-11","repo":{"name":"github.com/nodejs/citgm","commit":"79167b09c28bb8a81ad824f8c48d8c85a7cac010"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.1,"checks":[{"name":"Maintained","score":1,"reason":"1 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Code-Review","score":7,"reason":"Found 23/29 approved changesets -- score normalized to 7","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: topLevel 'contents' permission set to 'read': .github/workflows/close-stalled.yml:13","Warn: no topLevel permission defined: .github/workflows/nodejs.yml:1","Warn: no topLevel permission defined: .github/workflows/test-module.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nodejs.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/nodejs/citgm/nodejs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nodejs.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/nodejs/citgm/nodejs.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/nodejs.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/nodejs/citgm/nodejs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-module.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/nodejs/citgm/test-module.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-module.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/nodejs/citgm/test-module.yml/main?enable=pin","Warn: npmCommand not pinned by hash: .github/workflows/nodejs.yml:28","Warn: npmCommand not pinned by hash: .github/workflows/test-module.yml:61","Info: 1 out of 5 GitHub-owned GitHubAction dependencies pinned","Info: 0 out of 1 third-party GitHubAction dependencies pinned","Info: 0 out of 2 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: LICENSE.md:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":3,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Info: 'branch protection settings apply to administrators' is required to merge on branch 'main'","Warn: could not determine whether codeowners review is allowed","Warn: no status checks found to merge onto branch 'main'","Warn: PRs are not required to make changes on branch 'main'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/nodejs/.github/SECURITY.md:1","Info: Found linked content: github.com/nodejs/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/nodejs/.github/SECURITY.md:1","Info: Found text in security policy: github.com/nodejs/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 25 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-22T02:39:44.978Z","repository_id":35274127,"created_at":"2025-08-22T02:39:44.978Z","updated_at":"2025-08-22T02:39:44.978Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278877102,"owners_count":26061382,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-08T02:00:06.501Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["javascript","mit","node","nodejs","npm-module","test"],"created_at":"2024-08-17T08:03:48.866Z","updated_at":"2025-10-08T02:22:52.990Z","avatar_url":"https://github.com/nodejs.png","language":"JavaScript","readme":"## The Canary in the Goldmine\n\ncitgm is a simple tool for pulling down an arbitrary module from npm and testing\nit using a specific version of the node runtime.\n\n[![Build Status](https://github.com/nodejs/citgm/actions/workflows/nodejs.yml/badge.svg?branch=main)](https://github.com/nodejs/citgm/actions/workflows/nodejs.yml)\n\nThe Node.js project uses citgm to smoke test our releases and controversial\nchanges. The Jenkins job that utilizes citgm can be found\n[on our CI](https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker/).\n\nWatch the talk by [@MylesBorins](https://github.com/MylesBorins) explaining it in great detail - [onCITGM Diaries](https://www.youtube.com/watch?v=8is8iKlo8oQ)\n\n## Installation\n\n```\nnpm install -g citgm\n```\n\n## Usage\n\n```\ncitgm --help\n```\n\n```\nUsage: citgm [options] \u003cmodule\u003e\n\nOptions:\n\n -h, --help output usage information\n -V, --version output the version number\n --config Path to a JSON config file\n -v, --verbose, --loglevel [level], Verbose output (silly, verbose, info, warn, error)\n -q, --npm-loglevel [level] Verbose output (silent, error, warn, http, info, verbose, silly)\n -l, --lookup \u003cpath\u003e Use the lookup table provided at \u003cpath\u003e\n -d, --nodedir \u003cpath\u003e Path to the node source to use when compiling native addons\n -p, --test-path \u003cpath\u003e Path to prepend to $PATH when running tests\n -n, --no-color Turns off colorized output\n -s, --su Allow running the tool as root.\n -m, --markdown Output results in markdown\n -t, --tap [path] Output results in tap with optional file path\n --customTest \u003cpath\u003e Run a custom node test script instead of \"npm test\"\n -x, --junit [path] Output results in junit xml with optional file path\n -o, --timeout \u003clength\u003e Set timeout for npm install\n -c, --sha \u003ccommit-sha\u003e Install module from commit-sha, branch or tag\n -u, --uid \u003cuid\u003e Set the uid (posix only)\n -g, --gid \u003cuid\u003e Set the gid (posix only)\n -a, --append Turns on append results to file mode rather than replace\n --tmpDir \u003cpath\u003e Directory to test modules in\n```\n\n### Examples:\n\nTest the latest underscore module or a specific version:\n`citgm underscore@latest` or `citgm underscore@1.3.0`\n\nTest a local module: `citgm ./my-module`\n\nTest using a tar.gz from Github:\n`citgm http://github.com/jasnell/activitystrea.ms/archive/HEAD.tar.gz`\n\nWhen using a JSON config file, the properties need to be the same as the\nlonger-form CLI options. You can also use environment variables. For example,\n`CITGM_TEST_PATH=$HOME/bin` is the same as `--test-path $HOME/bin`.\n\nThe tool requires online access to the npm registry to run. If you want to point\nto a private npm registry, then you'll need to set that up in your npm config\nseparately before running citgm.\n\nBy default, the tool will prevent users from running as root unless the `-s` or\n`--su` CLI switch is set. If the tool is launched as root, it will attempt to\nsilently and automatically downgrade permissions. If it cannot downgrade, it\nwill print an error and exit the process.\n\n## citgm-all\n\nIf you want to run all the test suites for all modules found in a lookup table\nuse citgm-all. It will automate the running of all tests and give itemized\nresults at the end. It has all the same options as citgm except for the added\nmarkdown option which will print the results in markdown.\n\n```\nUsage: citgm-all [options]\n\nOptions:\n\n -h, --help output usage information\n -V, --version output the version number\n --config Path to a JSON config file\n -v, --verbose, --loglevel [level], Verbose output (silly, verbose, info, warn, error)\n -q, --npm-loglevel [level] Verbose output (silent, error, warn, http, info, verbose, silly)\n -l, --lookup \u003cpath\u003e Use the lookup table provided at \u003cpath\u003e\n -d, --nodedir \u003cpath\u003e Path to the node source to use when compiling native addons\n -p, --test-path \u003cpath\u003e Path to prepend to $PATH when running tests\n -n, --no-color Turns off colorized output\n -s, --su Allow running the tool as root.\n -m, --markdown Output results in markdown\n -t, --tap [path] Output results in tap with optional file path\n --customTest \u003cpath\u003e Run a custom node test script instead of \"npm test\"\n -x, --junit [path] Output results in junit xml with optional file path\n -o, --timeout \u003clength\u003e Set timeout for npm install\n -f, --fail-flaky Ignore flaky flags. Do not ignore any failures.\n -u, --uid \u003cuid\u003e Set the uid (posix only)\n -g, --gid \u003cuid\u003e Set the gid (posix only)\n -a, --append Turns on append results to file mode rather than replace\n -j, --parallel \u003cnumber\u003e Run tests in parallel\n -J, --autoParallel Run tests in parallel (automatically detect core count)\n --tmpDir \u003cpath\u003e Directory to test modules in\n --includeTags tag1 tag2 Only test modules from the lookup that contain a matching tag field\n --excludeTags tag1 tag2 Specify which tags to skip from the lookup (takes priority over includeTags)\n Module names are automatically added as tags.\n -y, --yarn Install and test the project using yarn instead of npm\n --pnpm Install and test the project using pnpm instead of npm\n```\n\nWhen using a JSON config file, the properties need to be the same as the\nlonger-form CLI options. You can also use environment variables. For example,\n`CITGM_TEST_PATH=$HOME/bin` is the same as `--test-path $HOME/bin`.\n\nYou can also test your own list of modules:\n\n```\ncitgm-all -l ./path/to/my_lookup.json\n```\n\nFor syntax, see [lookup.json](./lib/lookup.json), the available attributes are:\n\n```\n\"npm\": true Download the module from npm instead of github\n\"head\": true Use the head of the default branch\n\"prefix\": \"v\" Specify the prefix used in the module version.\n\"flaky\": true Ignore failures\n\"skip\": true Completely skip the module\n\"expectFail\" Expect the module to fail, error if it passes\n\"repo\": \"https://github.com/pugjs/jade\" - Use a different github repo\n\"stripAnsi\": true Strip ansi data from output stream of npm\n\"sha\": \"\u003cgit-commit-sha\u003e\" Test against a specific commit\n\"envVar\" Pass an environment variable before running\n\"install\": [\"install\", \"--param1\", \"--param2\"] - Array of command line parameters passed to `npm` or `yarn` or `pnpm` as install arguments\n\"maintainers\": [\"user1\", \"user2\"] - List of module maintainers to be contacted with issues\n\"scripts\": [\"script1\", \"script2\"] - List of scripts from package.json to run instead of 'test'\n\"tags\": [\"tag1\", \"tag2\"] Specify which tags apply to the module\n\"useGitClone\": true Use a shallow git clone instead of downloading the module\n\"ignoreGitHead\": Ignore the gitHead field if it exists and fallback to using github tags\n\"yarn\": Install and test the project using yarn instead of npm\n\"pnpm\": Install and test the project using pnpm instead of npm\n\"timeout\": Number of milliseconds before timeout. Applies separately to `install` and `test`\n```\n\nIf you want to pass options to npm, eg `--registry`, you can usually define an\nenvironment variable, eg `\"npm_config_registry\": \"https://www.xyz.com\"`.\n\n## Testing\n\nYou can run the test suite using npm\n\n```bash\nnpm run test\n```\n\nThis will run both a linter and a tap based unit test suite.\n\n## Requirements for inclusion in Node.js Citgm runs\n\nIf you want to submit a module to be run in the Node.js CI, see the\n[requirements](./CONTRIBUTING.md#submitting-a-module-to-citgm).\n\n## Notes\n\nYou can identify the module to be tested using the same syntax supported by the\n`npm install` CLI command\n\n```\ncitgm activitystrea.ms@latest\ncitgm git+http://github.com/jasnell/activitystrea.ms\n```\n\nQuite a few modules published to npm do not have their tests included, so we end\nup having to go directly to github. The most reliable approach is pulling down a\ntar ball for a specific branch from github:\n\n```\ncitgm https://github.com/caolan/async/archive/HEAD.tar.gz\n```\n\nTo simplify working with modules that we know need special handling, a lookup\ntable mechanism is provided. This mechanism allows citgm to substitute certain\nknown npm specs (lodash for instance) with their github tarball alternatives.\nThe lookup mechanism is switched on using the `-l` or `--lookup` command line\noption.\n\n```\ncitgm lodash@latest\n```\n\nThere is a built in lookup.json in the lib directory that will be used by\ndefault. If you want to use an alternative lookup.json file, pass in the path:\n\n```\ncitgm --lookup ../path/to/lookup.json lodash@latest\n```\n\nFor the most part, the built in table should be sufficient for general use.\n\nYou can run a custom test script instead of `npm test` CLI command:\n\n```\ncitgm --customTest path/to/customTestScript\n```\n\nIf you want to get code coverage results, your custom test script may look like:\n\n```js\n'use strict';\n\nconst { spawnSync } = require('child_process');\nconst path = require('path');\nconst packageName = require(path.join(process.cwd(), 'package.json')).name;\n\nconst coverageProcess = spawnSync('nyc', [\n '--reporter=json-summary',\n `--report-dir=${process.env.WORKSPACE}/${packageName}`,\n 'npm',\n 'test'\n]);\n\nconst coverageSummary = require(path.join(\n process.env.WORKSPACE,\n packageName,\n 'coverage-summary.json'\n));\nconsole.log(\n packageName,\n 'total coverage result(%)',\n coverageSummary.total.lines.pct\n);\n```\n\nYou will have to globally install dependencies from the `customTestScript`, in\nthis case:\n\n```\nnpm install -g nyc\n```\n\n### Additional Notes:\n\n- You may experience some wonkiness on Windows as the tool has not been fully\n tested on that platform.\n\n- The tool uses the npm and node in the PATH. To change which node and npm the\n tool uses, change the PATH before launching citgm\n\n- Running the tool in verbose mode (CLI switch `-v silly`) outputs significantly\n more detail (which is likely what we'll want in a fully automated run)\n\n- If you've taken a look at the dependencies for this tool, you'll note that\n there are quite a few, some of which may not be strictly required. The reason\n for the large number of dependencies is that this _is_ a testing tool, and\n many of the dependencies are broadly used. A large part of the reason for\n using them is to test that they'll work properly using the version of node\n being tested.\n\n- PRs are welcome!\n\n## CITGM team\n\n\u003c!-- ncu-team-sync.team(nodejs/citgm) --\u003e\n\n* [@BridgeAR](https://github.com/BridgeAR) - Ruben Bridgewater\n* [@ljharb](https://github.com/ljharb) - Jordan Harband\n* [@lukekarrys](https://github.com/lukekarrys) - Luke Karrys\n* [@MylesBorins](https://github.com/MylesBorins) - Myles Borins\n* [@richardlau](https://github.com/richardlau) - Richard Lau\n* [@targos](https://github.com/targos) - Michaƫl Zasso\n\n\u003c!-- ncu-team-sync end --\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eCITGM team emeritus\u003c/summary\u003e\n\n* [@al-k21](https://github.com/al-k21) - Oleksandr Kushchak\n* [@bengl](https://github.com/bengl) - Bryan English\n* [@bzoz](https://github.com/bzoz) - Bartosz Sosnowski\n* [@gdams](https://github.com/gdams) - George Adams\n* [@gibfahn](https://github.com/gibfahn) - Gibson Fahnestock\n* [@jasnell](https://github.com/jasnell) - James M Snell\n\n\u003c/details\u003e\n\n## Contributors\n\n- as listed in \u003chttps://github.com/nodejs/citgm/blob/HEAD/AUTHORS\u003e\n","funding_links":["https://github.com/sponsors/nodejs","https://opencollective.com/nodejs"],"categories":["nodejs"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnodejs%2Fcitgm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnodejs%2Fcitgm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnodejs%2Fcitgm/lists"}