{"id":13530615,"url":"https://github.com/snyk-labs/snync","last_synced_at":"2026-01-12T01:55:44.372Z","repository":{"id":41186903,"uuid":"368465729","full_name":"snyk-labs/snync","owner":"snyk-labs","description":"Mitigate security concerns of Dependency Confusion supply chain security risks","archived":false,"fork":false,"pushed_at":"2025-06-28T06:26:48.000Z","size":2035,"stargazers_count":49,"open_issues_count":7,"forks_count":9,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-08-30T14:14:51.765Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/snyk-labs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null}},"created_at":"2021-05-18T09:03:13.000Z","updated_at":"2025-08-07T03:52:37.000Z","dependencies_parsed_at":"2022-07-14T10:21:34.788Z","dependency_job_id":null,"html_url":"https://github.com/snyk-labs/snync","commit_stats":null,"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"purl":"pkg:github/snyk-labs/snync","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snyk-labs%2Fsnync","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snyk-labs%2Fsnync/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snyk-labs%2Fsnync/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snyk-labs%2Fsnync/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/snyk-labs","download_url":"https://codeload.github.com/snyk-labs/snync/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snyk-labs%2Fsnync/sbom","scorecard":{"id":835232,"data":{"date":"2025-08-11","repo":{"name":"github.com/snyk-labs/snync","commit":"8361c23556d126d7bd369ac107173176ed379cec"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.3,"checks":[{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/main.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Code-Review","score":2,"reason":"Found 8/27 approved changesets -- score normalized to 2","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Pinned-Dependencies","score":1,"reason":"dependency not pinned by hash detected -- score normalized to 1","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:10: update your workflow using https://app.stepsecurity.io/secureworkflow/snyk-labs/snync/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/snyk-labs/snync/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/snyk-labs/snync/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/snyk-labs/snync/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/snyk-labs/snync/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/snyk-labs/snync/main.yml/main?enable=pin","Info:   0 out of   6 GitHub-owned GitHubAction dependencies pinned","Info:   1 out of   1 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 16 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"52 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92","Warn: Project is vulnerable to: GHSA-2h3h-q99f-3fhc","Warn: Project is vulnerable to: GHSA-gmw6-94gg-2rc2","Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q","Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38","Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc","Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: GHSA-mhxj-85r3-2x55","Warn: Project is vulnerable to: GHSA-fjxv-7rqg-78g4","Warn: Project is vulnerable to: GHSA-rc47-6667-2j5j","Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22","Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp","Warn: Project is vulnerable to: GHSA-896r-f27r-55mw","Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h","Warn: Project is vulnerable to: GHSA-7cfr-5cjf-32p4","Warn: Project is vulnerable to: GHSA-jf85-cpcp-j695","Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw","Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9","Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm","Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv","Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3","Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h","Warn: Project is vulnerable to: GHSA-r683-j2x4-v87g","Warn: Project is vulnerable to: GHSA-px4h-xg32-q955","Warn: Project is vulnerable to: GHSA-hj9c-8jmm-8c52","Warn: Project is vulnerable to: GHSA-hj48-42vr-x3v9","Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp","Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6","Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw","Warn: Project is vulnerable to: GHSA-3jfq-g458-7qm9","Warn: Project is vulnerable to: GHSA-r628-mhmh-qjhw","Warn: Project is vulnerable to: GHSA-9r2w-394v-53qc","Warn: Project is vulnerable to: GHSA-5955-9wpr-37jh","Warn: Project is vulnerable to: GHSA-qq89-hq3f-393p","Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36","Warn: Project is vulnerable to: GHSA-52f5-9888-hmc6","Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3","Warn: Project is vulnerable to: GHSA-7p7h-4mm5-852v","Warn: Project is vulnerable to: GHSA-38fc-wpqx-33j7","Warn: Project is vulnerable to: GHSA-5r9g-qh6m-jxff","Warn: Project is vulnerable to: GHSA-r6ch-mqf9-qc9w","Warn: Project is vulnerable to: GHSA-wqq4-5wpv-mx2g","Warn: Project is vulnerable to: GHSA-3787-6prv-h9w3","Warn: Project is vulnerable to: GHSA-9qxr-qj54-h672","Warn: Project is vulnerable to: GHSA-m4v8-wqvr-p9f7","Warn: Project is vulnerable to: GHSA-c76h-2ccp-4975","Warn: Project is vulnerable to: GHSA-cxrh-j4jr-qwg3","Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-23T18:50:17.933Z","repository_id":41186903,"created_at":"2025-08-23T18:50:17.933Z","updated_at":"2025-08-23T18:50:17.933Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28331321,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-12T00:36:25.062Z","status":"ssl_error","status_checked_at":"2026-01-12T00:36:15.229Z","response_time":60,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T07:00:52.499Z","updated_at":"2026-01-12T01:55:44.357Z","avatar_url":"https://github.com/snyk-labs.png","language":"JavaScript","funding_links":[],"categories":["Point-of-use validations","DevSecOps","Security Hardening"],"sub_categories":["Vulnerability information exchange","Dependency confusion"],"readme":"\n\u003cp align=\"center\"\u003e\u003ch1 align=\"center\"\u003e\n  snync\n\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  Mitigate security concerns of Dependency Confusion supply chain security risks\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://www.npmjs.org/package/snync\"\u003e\u003cimg src=\"https://badgen.net/npm/v/snync\" alt=\"npm version\"/\u003e\u003c/a\u003e\n  \u003ca href=\"https://www.npmjs.org/package/snync\"\u003e\u003cimg src=\"https://badgen.net/npm/license/snync\" alt=\"license\"/\u003e\u003c/a\u003e\n  \u003ca href=\"https://www.npmjs.org/package/snync\"\u003e\u003cimg src=\"https://badgen.net/npm/dt/snync\" alt=\"downloads\"/\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/snyk-labs/snync/actions?workflow=CI\"\u003e\u003cimg src=\"https://github.com/snyk-labs/snync/workflows/CI/badge.svg\" alt=\"build\"/\u003e\u003c/a\u003e\n  \u003ca href=\"https://snyk.io/test/github/snyk-labs/snync\"\u003e\u003cimg src=\"https://snyk.io/test/github/snyk-labs/snync/badge.svg\" alt=\"Known Vulnerabilities\"/\u003e\u003c/a\u003e\n  \u003ca href=\"./SECURITY.md\"\u003e\u003cimg src=\"https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow.svg\" alt=\"Responsible Disclosure Policy\" /\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n# About\n\nPrevent and detect if you're vulnerable to Dependency Confusion supply chain security attacks \n\n# Intro\n\nWhen you manage private open source packages, for reasons such as keeping intellectual property private, then these packages will be hosted and served via private registries, or require authorization. By definition, these packages won't exist on public registries. However, when a package name is used without a reserved namespace (also known as a scope in npm, for example), they are often free to be registered by any other user on the Internet and create a potential Dependency Confusion attack vector. The attack manifests due to a mix of user misconfiguration, and bad design of package managers, which will cause the download of the package from the public registry, instead of the private registry.\n\n# How does it work?\n\nThis tool detects two types of potential Dependency Confusion compromises:\n1. Vulnerable\n2. Suspicious\n\n## Vulnerable\n\nA case of actual **vulnerable** package is when a package name is detected to be used in a project, but the same package name is not registered on the public registry.\n\nYou can easily simulate a real world example of this case in an npm project:\n1. Edit the package.json file\n2. Add to the `dependencies` key a new entry: `\"snyk-private-internal-logic\": \"1.0.0\"` and save the file (this assumes the package name `snyk-private-internal-logic` is not registered on npmjs.org).\n3. Commit the file to the repository\n4. Run `snync` to detect it.\n\nWhen a package is detected as **vulnerable**, it is our recommendation to immediately reserve the name on the public registry.\n\n## Suspicious\n\nWhat happens if the private package name that you use is already registered on the public registry as a functional and unrelated package by someone else? In this case, you don't own the public package, but someone else does. Theoretically, this might not look as a problem because in a dependency confusion case the worst thing that can happen is the wrong package to be installed. However, that diminishes the potential threat model where a package can be hijacked and replaced by malicious versions of it, especially in cases of low-downloaded and unmaintained packages.\n\nWe've seen cases of package hijacking and maintainer accounts compromises in past supply chain security incidents such as `event-stream`, `mailparser`, and `eslint-config` as some examples of highly downloaded packages, and very active maintainers, yet still resulting in package compromises.\n\nWhen a pakcage is detected as **suspicious**, it is our recommendation to immediately move to a new package naming and reserve that new name on the public registry.\n\n## Logic flow\n\nHow does snync work from decision tree perspective?\n\n```\n1. Get \"all dependencies\" in `package.json` (note, refers to direct dependencies only, not transitive)\n   ['dependencies'] and ['devDependencies]\n2. If a package includes a scope (such as prefixed with a `@snyk/`)\n    then remove it from the \"all dependencies\" list and save it for later, to warn the user to ensure they own that scope\n3. Foreach of the \"all dependencies\" gathered, get the time it was introduced to the source-code (i.e. the time it was added to `package.json`)\n4. Foreach of the \"all dependencies\" gathered, get the time it was created in the npmjs registry\n5. Compare the two timestamps\n  5.1. if a package is not found in the registry then signal an error to let them know that this public namespace is not taken, and is vulnerable for someone to employ a Dependency Confusion on them.\n  5.2. if a package is found in the registry, and it was created after the time it was introduced to source-code, then signal a warning that there is potentially an attack in progress and to warn the user to review the premise and legitimacy of that package that exits in the public registry.\n```\n\n## Supported ecosystems\n\n| Ecosystem     | Supported \n| ------------- | ------------- \n| npm           | ✅  \n| pypi          |   \n\n# Install\n\n## Prerequisite\n\nTo use this tool, it is expected that you have the following available in your environment:\n1. Node.js and npm in stable and recent versions\n2. The Git binary available in your path\n\n```sh\nnpm install -g snync\n```\n\n# Usage\n\nTo scan a project's dependencies and test if you're vulnerable to Dependency Confusion security issues, where the project's git repository is cloned at `/home/user/my-app`:\n\n```sh\nnpx snync --directory /home/user/my-app\n```\n\n# Implementation details\n\nTo get a list of dependencies we parse a project's manifest (`package.json`) from the root of the directory you specify as a first argument.\n\nThen we fetch from the public NPM registry to check when each dependency was created. At this point we can check if dependency is **vulnerable** – if it is not in the public NPM registry.\n\nTo check if dependency is **suspicious** we compare date it was first introduced to a project's manifest and date it was published. To understand when you added a dependency to a manifest we scan git commits history. \n\n# FAQ\n\nQ. Why is it called _snync_?\nA. _snync_ is abbreviation for _So Now You're Not Confused_, which is a play on Snyk's _So Now You Know_.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsnyk-labs%2Fsnync","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsnyk-labs%2Fsnync","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsnyk-labs%2Fsnync/lists"}