{"id":23494459,"url":"https://github.com/nodejs/is-my-node-vulnerable","last_synced_at":"2025-12-15T21:41:30.954Z","repository":{"id":65512678,"uuid":"591443636","full_name":"nodejs/is-my-node-vulnerable","owner":"nodejs","description":"package that checks if your Node.js installation is vulnerable to known security vulnerabilities","archived":false,"fork":false,"pushed_at":"2025-01-21T20:12:07.000Z","size":509,"stargazers_count":282,"open_issues_count":3,"forks_count":8,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-05T21:11:24.067Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nodejs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-01-20T19:17:53.000Z","updated_at":"2025-04-04T02:17:04.000Z","dependencies_parsed_at":"2023-10-16T12:46:03.191Z","dependency_job_id":"13963bfd-22bd-4429-8f63-e52362f366a1","html_url":"https://github.com/nodejs/is-my-node-vulnerable","commit_stats":{"total_commits":76,"total_committers":6,"mean_commits":"12.666666666666666","dds":0.3026315789473685,"last_synced_commit":"5b8f420f134c9211a4d5cd98d871b92cef46e316"},"previous_names":["nodejs/is-my-node-vulnerable"],"tags_count":15,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nodejs%2Fis-my-node-vulnerable","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nodejs%2Fis-my-node-vulnerable/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/
GitHub/repositories/nodejs%2Fis-my-node-vulnerable/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nodejs%2Fis-my-node-vulnerable/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nodejs","download_url":"https://codeload.github.com/nodejs/is-my-node-vulnerable/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248571843,"owners_count":21126523,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-25T03:03:05.375Z","updated_at":"2025-12-15T21:41:30.866Z","avatar_url":"https://github.com/nodejs.png","language":"JavaScript","readme":"# is-my-node-vulnerable\n\nThis package helps ensure the security of your Node.js installation by checking for known vulnerabilities.\nIt compares the version of Node.js you have installed (`process.version`) to the [Node.js Security Database][]\nand alerts you if a vulnerability is found.\n\n## Usage\n\n```\nnpx is-my-node-vulnerable\n```\n\nIt's strongly recommended to include this as a step in the app CI.\n\n\u003e [!NOTE]\n\u003e For retro-compatibility enthusiasts: This module supports Node.js versions \u003e= v0.12.\n\u003e However, npx does not work with those older versions, so you'll need to install the\n\u003e package and run index.js manually. If you encounter errors when using npx, it's\n\u003e likely because you're using a vulnerable version of Node.js. 
Please consider upgrading.\n\n### Output - When vulnerable\n\n\n```console\n$ node -v\nv20.3.0\n$ npx is-my-node-vulnerable\n\n\n██████   █████  ███    ██  ██████  ███████ ██████\n██   ██ ██   ██ ████   ██ ██       ██      ██   ██\n██   ██ ███████ ██ ██  ██ ██   ███ █████   ██████\n██   ██ ██   ██ ██  ██ ██ ██    ██ ██      ██   ██\n██████  ██   ██ ██   ████  ██████  ███████ ██   ██\n\n\nThe current Node.js version (v20.3.0) is vulnerable to the following CVEs:\n\nCVE-2023-30581: The use of proto in process.mainModule.proto.require() can bypass the policy mechanism and require modules outside of the policy.json definition\nPatched versions: ^16.20.1 || ^18.16.1 || ^20.3.1\n==================================================================================================================================================================================\n```\n\n### Output - When non-vulnerable\n\n```console\n$ node -v\nv20.17.0\n$ npx is-my-node-vulnerable\n\n\n █████  ██      ██           ██████   ██████   ██████  ██████         ██\n██   ██ ██      ██          ██       ██    ██ ██    ██ ██   ██     ██  ██\n███████ ██      ██          ██   ███ ██    ██ ██    ██ ██   ██         ██\n██   ██ ██      ██          ██    ██ ██    ██ ██    ██ ██   ██     ██  ██\n██   ██ ███████ ███████      ██████   ██████   ██████  ██████         ██\n\n```\n\n### Output - when end of life\n\n```console\n$ node -v\nv15.14.0\n$ npx is-my-node-vulnerable\n██████   █████  ███    ██  ██████  ███████ ██████\n██   ██ ██   ██ ████   ██ ██       ██      ██   ██\n██   ██ ███████ ██ ██  ██ ██   ███ █████   ██████\n██   ██ ██   ██ ██  ██ ██ ██    ██ ██      ██   ██\n██████  ██   ██ ██   ████  ██████  ███████ ██   ██\n\n\nv15.14.0 is end-of-life. There are high chances of being vulnerable. 
Please upgrade it.\n```\n\nEnd-of-Life versions don't keep track of recent security releases; therefore, they are considered vulnerable by default.\n\n## API\n\nThis package also exports a function `isNodeVulnerable` to perform the check at runtime.\n\n\u003e [!NOTE]\n\u003e The API is only supported on active Node.js versions (v18.x, v20.x, v22.x, v23.x)\n\n```js\nconst { isNodeVulnerable } = require('is-my-node-vulnerable')\n\nisNodeVulnerable('19.0.0') // true\n```\n\nOptionally you can define the platform with the argument `platform` to limit the scope. The available platforms are [the same values](https://nodejs.org/api/os.html#osplatform) available for `os.platform()`.\n\n```js\nconst { isNodeVulnerable } = require('is-my-node-vulnerable')\n\nisNodeVulnerable('19.0.0', 'linux') // true\n```\n\n[Node.js Security Database]: https://github.com/nodejs/security-wg/tree/main/vuln\n\n\n## GitHub Action\n\nThis package also provides a GitHub Action. Include the `node-version` in the yml as follows to check a specific version:\n\n```yml\nname: \"Node.js Vulnerabilities\"\non: \n  schedule:\n    - cron: \"0 0 * * *\"\n\njobs:\n  is-my-node-vulnerable:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v3\n      - name: Check Node.js\n        uses: nodejs/is-my-node-vulnerable@v1\n        with:\n          node-version: \"18.14.1\"\n```\n\nOptionally you can define the platform with the argument `platform` to limit the scope. 
The available platforms are [the same values](https://nodejs.org/api/os.html#osplatform) available for `os.platform()`.\n\n```yml\n      - uses: actions/checkout@v3\n      - name: Check Node.js\n        uses: nodejs/is-my-node-vulnerable@v1\n        with:\n          node-version: \"18.14.1\"\n          platform: \"linux\"\n```\n","funding_links":[],"categories":["JavaScript"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnodejs%2Fis-my-node-vulnerable","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnodejs%2Fis-my-node-vulnerable","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnodejs%2Fis-my-node-vulnerable/lists"}