https://github.com/multiocular-com/multiocular
ꙮ Review dependencies changes to prevent supply chain attack
Last synced: 6 months ago
- Host: GitHub
- URL: https://github.com/multiocular-com/multiocular
- Owner: multiocular-com
- License: mit
- Created: 2025-08-20T12:47:30.000Z (8 months ago)
- Default Branch: main
- Last Pushed: 2025-09-16T19:27:08.000Z (7 months ago)
- Last Synced: 2025-09-19T02:24:28.236Z (7 months ago)
- Language: TypeScript
- Homepage:
- Size: 912 KB
- Stars: 162
- Watchers: 0
- Forks: 2
- Open Issues: 27
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Funding: .github/FUNDING.yml
- License: LICENSE
- Code of conduct: docs/CODE_OF_CONDUCT.md
- Security: docs/SECURITY.md
- Agents: AGENTS.md
Awesome Lists containing this project
- awesome-e18e - multiocular - Review dependency changes. (Utilities / Project Tools)
README
# ꙮ Multiocular

A Node.js tool to **review dependency changes** in order to:
- Prevent **supply chain attacks**.
- Catch **API breaking changes**.
- **Learn** from your dependencies.

In general, it brings an **open dependencies** practice to your project and stops treating `node_modules` as a black box.
It supports: `npm`, `pnpm`, `yarn 1`, `yarn berry`, GitHub Actions.

---
Built by Evil Martians, a go-to agency for developer tools.
---
## Usage
First, reduce the risk of exposing your system to malware during the update.
Disable `postinstall` scripts for npm:
```sh
npm config set ignore-scripts true
# We also recommend switching to pnpm where postinstall is disabled by default
```
It is also recommended to use a [Dev Container](https://code.visualstudio.com/docs/devcontainers/containers), or at least to run your shell inside a container.
Install Multiocular:
```sh
npm install multiocular
# pnpm install multiocular
```
Update dependencies:
```sh
# For npm
npx npm-check-updates
npm update
# For pnpm
pnpm update-interactive --latest
pnpm update
# For GitHub Actions
npx actions-up
```
Start web UI to review changes:
```sh
npx multiocular
```
If you hit the GitHub API rate limit, define the `GITHUB_TOKEN` environment variable with a [personal token](https://github.com/settings/personal-access-tokens/new) that has access to public repositories.
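As an added example (not Multiocular's own code), here is the kind of diff such a review starts from: comparing two `package-lock.json` snapshots and flagging packages that gained an install script or whose tarball integrity changed without a version change. The two lockfiles are constructed samples; `hasInstallScript` is the flag npm itself writes into lockfile v2/v3 entries for packages with install-time scripts.

```javascript
// Added example, not Multiocular's code: summarise what changed between two
// package-lock.json (lockfileVersion 3) snapshots. Both lockfiles are constructed samples.
const before = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/chalk": { version: "5.3.0", integrity: "sha512-AAA" },
    "node_modules/debug": { version: "4.3.4", integrity: "sha512-BBB" },
    "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-CCC" },
  },
};
const after = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/chalk": { version: "5.4.0", integrity: "sha512-DDD" },
    // Same version but a different tarball hash: an immutable registry should never do this.
    "node_modules/debug": { version: "4.3.4", integrity: "sha512-EEE" },
    // New transitive dependency that runs an install script (npm records this flag).
    "node_modules/node-gyp-build": { version: "4.8.0", integrity: "sha512-FFF", hasInstallScript: true },
  },
};

// Package name from a lockfile key; nested keys keep only the innermost name (scope included).
function nameOf(key) {
  return key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Returns { added, removed, changed, flags }; flags are what a reviewer should read first.
function diffLockfiles(oldLock, newLock) {
  const result = { added: [], removed: [], changed: [], flags: [] };
  const oldPkgs = oldLock.packages, newPkgs = newLock.packages;
  for (const key of Object.keys(newPkgs)) {
    if (key === "") continue; // root project entry, not a dependency
    const name = nameOf(key), next = newPkgs[key], prev = oldPkgs[key];
    if (!prev) result.added.push(`${name}@${next.version}`);
    else if (prev.version !== next.version) result.changed.push(`${name} ${prev.version} -> ${next.version}`);
    else if (prev.integrity !== next.integrity) result.flags.push(`${name}@${next.version}: integrity changed without a version change`);
    if (next.hasInstallScript && !(prev && prev.hasInstallScript)) result.flags.push(`${name}@${next.version}: runs an install script`);
  }
  for (const key of Object.keys(oldPkgs)) {
    if (key !== "" && !newPkgs[key]) result.removed.push(`${nameOf(key)}@${oldPkgs[key].version}`);
  }
  return result;
}

console.log(diffLockfiles(before, after));
```

Run it against `git show HEAD:package-lock.json` and the working copy to get the same summary for a real update; the flagged entries are the ones worth opening the upstream diff for.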
## Motivation
The current practice of treating dependencies as free **black boxes** is creating a lot of issues in our industry.
For instance, a **supply chain attack**, where malware is added to dependencies after a maintainer account is stolen. The recent [`chalk`/`debug`](https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised), [`nx`](https://www.aikido.dev/blog/popular-nx-packages-compromised-on-npm), and [GitHub Actions](https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066) incidents show that this is just the beginning.
We suggest a different **open dependencies** model, in which the team tracks its dependencies. It means fewer dependencies and more attention paid to each of them. But this is the only solution we see.