Review dependency changes to prevent supply chain attacks
npm install multiocular

A Node.js tool to review dependency changes in order to:
- Prevent supply chain attacks.
- Catch breaking API changes.
- Learn from your dependencies.
In general, it brings an open dependencies practice to your project, so you stop treating node_modules as a black box.
It supports npm, pnpm, yarn 1, yarn berry, and GitHub Actions.

Built by Evil Martians, go-to agency for developer tools.
First, reduce the risk of exposing your system to malware during the update.

Disable install scripts for npm. Note that this turns off preinstall/install/postinstall scripts for every package, including ones that legitimately need a build step (native addons, for example), so rebuild those explicitly when you have reviewed them:

```sh
npm config set ignore-scripts true
```

We also recommend switching to pnpm, where dependency install scripts are disabled by default since pnpm 10.

It is also recommended to use a Dev Container, or at least to run your shell in a container.

Install Multiocular:

```sh
npm install multiocular
# or
pnpm install multiocular
```

Update dependencies:

```sh
# For npm
npx npm-check-updates   # reports newer versions; add -u to write them to package.json
npm update
```

Start the web UI to review the changes:

```sh
npx multiocular
```
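To make concrete what the review step is looking at, here is an added example, not Multiocular's own code: a minimal lockfile diff that lists which dependencies changed between two `package-lock.json` files and flags the changed ones that declare install scripts, since those are the packages that would have run code during `npm install` had `ignore-scripts` been off. It assumes lockfileVersion 2 or 3 (packages listed under `packages`, keyed by their node_modules path, with `hasInstallScript: true` on packages that have lifecycle scripts). Both lockfiles and all package names are constructed sample data.

```javascript
// Added example (not multiocular's own code): diff two npm lockfiles and flag
// changed packages that declare install scripts.
//
// Assumptions: lockfileVersion 2 or 3, where every installed package is listed
// under "packages" keyed by its node_modules path, and packages with a
// preinstall/install/postinstall script carry `hasInstallScript: true`.
// Both lockfiles below are constructed sample data with fictional package names.

const oldLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/some-colors': { version: '5.3.0' },
    'node_modules/some-logger': { version: '4.3.7' },
    'node_modules/left-pad-ish': { version: '1.3.0' },
  },
};

const newLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/some-colors': { version: '5.6.1' },
    // same package, but the new version now ships a postinstall script
    'node_modules/some-logger': { version: '4.4.2', hasInstallScript: true },
    // new transitive dependency with a native build step
    'node_modules/native-addon': { version: '0.25.0', hasInstallScript: true },
  },
};

// Strip the node_modules path prefix, so nested installs
// ("node_modules/a/node_modules/b") report the package name "b".
function packageName(key) {
  const idx = key.lastIndexOf('node_modules/');
  return idx === -1 ? key : key.slice(idx + 'node_modules/'.length);
}

function diffLockfiles(before, after) {
  const keys = new Set([...Object.keys(before.packages), ...Object.keys(after.packages)]);
  const changes = [];
  for (const key of keys) {
    if (key === '') continue; // the root project entry, not a dependency
    const prev = before.packages[key];
    const next = after.packages[key];
    if (prev && next && prev.version === next.version) continue; // unchanged
    changes.push({
      name: packageName(key),
      kind: !prev ? 'added' : !next ? 'removed' : 'updated',
      from: prev ? prev.version : null,
      to: next ? next.version : null,
      // only the version being installed matters for install scripts
      hasInstallScript: Boolean(next && next.hasInstallScript),
    });
  }
  return changes.sort((a, b) => a.name.localeCompare(b.name));
}

// Changed packages that would run code on `npm install` if ignore-scripts
// were off: these deserve a source diff before the lockfile is committed.
function installScriptChanges(changes) {
  return changes.filter((c) => c.hasInstallScript).map((c) => c.name);
}

function formatReport(changes) {
  return changes
    .map((c) => {
      const flag = c.hasInstallScript ? '  [install script]' : '';
      if (c.kind === 'added') return `+ ${c.name}@${c.to}${flag}`;
      if (c.kind === 'removed') return `- ${c.name}@${c.from}`;
      return `~ ${c.name} ${c.from} -> ${c.to}${flag}`;
    })
    .join('\n');
}

console.log(formatReport(diffLockfiles(oldLock, newLock)));
```

In a real project you would load the committed lockfile from `git show HEAD:package-lock.json` and the working-tree one after `npm update`, then read the source diff of every flagged package before committing; a package that gains an install script between two patch versions is exactly the pattern a reviewer should stop on.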
If you hit the GitHub API rate limit, define the GITHUB_TOKEN environment variable with a personal access token that has access to public repositories.

Motivation
The current practice of treating dependencies as free black boxes is creating a lot of issues in our industry.
For instance, supply chain attacks, where malware is added to a dependency after a maintainer account is stolen. The recent chalk/debug, nx, and GitHub Actions incidents show that this is just the beginning.
We suggest another model, open dependencies, where the team tracks its dependencies. It means fewer dependencies and more attention to each of them. But this is the only solution we see.