From ba1f7b2a0210f5ac26912028c21429f45ec7c6f7 Mon Sep 17 00:00:00 2001
From: Felix Pankratz
Date: Thu, 29 Jun 2023 15:23:58 +0200
Subject: [PATCH] README

---
 README.md             | 48 +++++++++++++++++++++++++++++++++++++++++++
 npm-manifest-check.py | 22 +++++++++++++++-----
 2 files changed, 65 insertions(+), 5 deletions(-)
 create mode 100644 README.md

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..519866c
--- /dev/null
+++ b/README.md
@@ -0,0 +1,48 @@
+# npm manifest confusion checker
+
+A `python` script to check `npm` packages for manifest mismatches, [as reported by Darcy Clarke.](https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem)
+
+## Usage
+
+Install the requirements first:
+
+```
+pip install -r requirements.txt
+```
+
+### Single package
+
+To check a single package, pass the name of a package to the script as the first argument. Here, I'm using the package Darcy has helpfully provided:
+
+```
+$ ./npm-manifest-check darcyclarke-manifest-pkg
+Version mismatch for darcyclarke-manifest-pkg!
+Reported version: 2.1.15
+Actual version: 3.0.0
+Dependency mismatch detected for darcyclarke-manifest-pkg!
+Reported dependencies: {}
+Actual dependencies: {'sleepover': '*'}
+Scripts mismatch detected for darcyclarke-manifest-pkg!
+Reported scripts: {}
+Actual scripts: {'install': 'touch ./bad-pkg-write && echo "bad pkg exec!"\n'}
+Name mismatch detected for darcyclarke-manifest-pkg!
+Reported name: darcyclarke-manifest-pkg
+Actual name: express
+```
+
+A 'good' package will look like this:
+
+```
+$ ./npm-manifest-check.py color
+No mismatch detected for color.
+```
+
+### Multiple packages
+
+`check_packages.sh` is a wrapper script which reads a list of packages to check from a `packages.list` file. Add the packages you want to check to this file, one package per line, and start the script:
+
+```
+./check_pages.sh
+```
+
+It will only report packages that have a mismatch.
diff --git a/npm-manifest-check.py b/npm-manifest-check.py
index 42fbd5b..c0b1cbb 100755
--- a/npm-manifest-check.py
+++ b/npm-manifest-check.py
@@ -2,8 +2,8 @@
 import requests
 import json
 
-# hex checksum = file name
 # https://www.npmjs.com/package/darcyclarke-manifest-pkg/v/2.1.15/index
+# hex checksum = file name
 # use hex to get *actual* manifest:
 # https://www.npmjs.com/package/darcyclarke-manifest-pkg/file/a1c6250cb3f94bb3487c1bfb673d279642208b5db39a6c052a5c764f0d1abea5
 
@@ -16,8 +16,14 @@ def parse_manifest(pkg):
     latest_ver = parsed['dist-tags']['latest']
     latest_manifest = parsed['versions'][latest_ver]
 
-    dependencies = parsed['versions'][latest_ver]['dependencies']
-    scripts = parsed['versions'][latest_ver]['scripts']
+    try:
+        dependencies = parsed['versions'][latest_ver]['dependencies']
+    except KeyError:
+        dependencies = None
+    try:
+        scripts = parsed['versions'][latest_ver]['scripts']
+    except KeyError:
+        scripts = None
     name = parsed['versions'][latest_ver]['name']
 
     return latest_ver, dependencies, scripts, name
@@ -32,8 +38,14 @@ def get_actual_manifest(pkg, ver):
     manifest = json.loads(requests.get(manifest_url).text)
 
     version = manifest['version']
-    dependencies = manifest['dependencies']
-    scripts = manifest['scripts']
+    try:
+        dependencies = manifest['dependencies']
+    except KeyError:
+        dependencies = None
+    try:
+        scripts = manifest['scripts']
+    except KeyError:
+        scripts = None
     name = manifest['name']
 
     return version, dependencies, scripts, name
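Review bot: The new fallbacks in parse_manifest set `dependencies` and `scripts` to `None` when the key is absent, and `None` does not compare equal to the `{}` the other manifest may carry, so a package that omits a field in one manifest and declares an empty object in the other presumably gets reported as a mismatch (the comparison itself is outside this patch). A missing `dependencies`/`scripts` field in package.json means the same as an empty object, so normalising to `{}` keeps the registry-vs-tarball comparison meaningful and also uses the `latest_manifest` local that the hunk otherwise leaves unused: `dependencies = latest_manifest.get('dependencies', {})` and `scripts = latest_manifest.get('scripts', {})`. The same applies to the second try/except pair in get_actual_manifest (`manifest.get('dependencies', {})`, `manifest.get('scripts', {})`), which would also replace eight lines of try/except around single subscriptions with the dict `.get` idiom. Both parse_manifest and get_actual_manifest begin before their hunks.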