https://github.com/naugtur/secure-dependencies
Creates a tarball of your app dependencies checked with node security platform
- Host: GitHub
- URL: https://github.com/naugtur/secure-dependencies
- Owner: naugtur
- License: apache-2.0
- Created: 2016-07-29T08:45:32.000Z (about 9 years ago)
- Default Branch: master
- Last Pushed: 2018-11-16T07:08:43.000Z (almost 7 years ago)
- Last Synced: 2025-02-28T23:10:34.571Z (7 months ago)
- Language: JavaScript
- Homepage:
- Size: 24.4 KB
- Stars: 8
- Watchers: 3
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
- Audit: audit-resolv.json
README
# secure-dependencies
*Never run npm install in production again!*

Creates a tarball of your app dependencies checked with npm audit. Just unpack it in production and you're ready to go.
## Why
- Even with shrinkwrap, you cannot be sure `npm install` in production will always deliver what you need
- Running `npm install` is a de facto remote code execution vulnerability
- Not convinced? Read this https://twitter.com/o_cee/status/892306836199800836 or this https://ponyfoo.com/articles/npm-meltdown-security-concerns
- If you keep node_modules in the repo and run `npm rebuild`, you still run postinstall scripts: effectively shell commands executed with your user's credentials and access to sudo. You can turn them off, but then some binaries will not build correctly.
- Also, `npm install` takes more time than `scp | untar`

## Usage
```
npx -p secure-dependencies secure-dependencies
```
`{appname}-{nodeVersion}-{appVersion}.tgz` is produced with all production dependencies unless `nsp check` complains.
*Become left-pad proof!*
### Node support
This library could support versions 0.x, but it doesn't. Consider this another reason to finally upgrade.
While it might work, the node version in the filename will be `0`. Trivial to fix, but I believe I should not.
### shrinkwrap
secure-dependencies follows npm-shrinkwrap.json. If you want a shrinkwrap that applies to the production bundle only and not to local installs, rename it to npm-shrinkwrap-production.json; it will then be used when installing the modules for the bundle.
## What does it do?
In summary:
```
npm install --production
npm prune
npm dedupe
npm audit (via npm-audit-resolver)
tar
```
But don't trust me with your security, read the code!
## Try it out
```
cd exampleapp
npm install
npm start
```
exampleapp-node6-1.0.0.tgz is created

## Get bundle name
If you're scripting your deployment with configuration managers (or bash), it's often annoying to deal with parsing package.json.
secure-dependencies exposes a tiny script that generates the filename. You can use it to find out what the bundle name is, based on the package.json in the current directory.
```
npx -p secure-dependencies get-bundle-name
```
or
```
npm install -g secure-dependencies
get-bundle-name
```

# TODO
- add paranoid mode
- add scp as artifact repository

# Apache-2.0 License