capabilities is a Node.js package that allows the whitelisting (blacklist by default)
of various functionality, including built-in module access, parent module privacy (hiding
information about the overall application), and behavior auditing.

Capabilities are granted on a per-package basis, allowing packages to 'request' capabilities
directly from withing their package.json manifests.

Installation

``console
$ npm install capabilities
`

Usage

capabilities should only be used via node -r. Other forms of inclusion will result in an error.

`console
$ node -r capabilities /path/to/program.js
`

Caveats

First, some caveats:

- We don't filter syscalls, check file permissions, or containerize anything.
capabilities is meant to get a handle on the acceptable and expected behaviors
of your dependencies - anything else is out of scope.
- Preload modules (those included via node -r) are not covered by capabilities
and thus have free reign over the execution context. Be aware of this and make sure
you trust what you're loading.
- The lack console.*` capabilities do not cause code to throw if they use the console.
The output is instead silently ignored.

Configuration

> TODO

Responsible Disclosures

If you have found a security-related bug or vulnerability, please do not open an issue on Github.

Instead, please message @qix on spectrum.chat so we can discuss the
details.

License

Copyright © 2018-2019 by Josh Junon. Released under the MIT License.