README
parent
f5c5db71ef
commit
ba1f7b2a02
48
README.md
Normal file
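--- /dev/null
+++ b/README.md
@@ -0,0 +1,48 @@
+# npm manifest confusion checker
+
+A `python` script to check `npm` packages for manifest mismatches, [as reported by Darcy Clarke.](https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem)
+
+## Usage
+
+Install the requirements first:
+
+```
+pip install -r requirements.txt
+```
+
+### Single package
+
+To check a single package, pass the name of a package to the script as the first argument. Here, I'm using the package Darcy has helpfully provided:
+
+```
+$ ./npm-manifest-check darcyclarke-manifest-pkg
+Version mismatch for darcyclarke-manifest-pkg!
+Reported version: 2.1.15
+Actual version: 3.0.0
+Dependency mismatch detected for darcyclarke-manifest-pkg!
+Reported dependencies: {}
+Actual dependencies: {'sleepover': '*'}
+Scripts mismatch detected for darcyclarke-manifest-pkg!
+Reported scripts: {}
+Actual scripts: {'install': 'touch ./bad-pkg-write && echo "bad pkg exec!"\n'}
+Name mismatch detected for darcyclarke-manifest-pkg!
+Reported name: darcyclarke-manifest-pkg
+Actual name: express
+```
+
+A 'good' package will look like this:
+
+```
+$ ./npm-manifest-check.py color
+No mismatch detected for color.
+```
+
+### Multiple packages
+
+`check_packages.sh` is a wrapper script which reads a list of packages to check from a `packages.list` file. Add the packages you want to check to this file, one package per line, and start the script:
+
+```
+./check_pages.sh
+```
+
+It will only report packages that have a mismatch.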
@ -2,8 +2,8 @@
|
|||||||
import requests
|
import requests
|
||||||
import json
|
import json
|
||||||
|
|
||||||
# hex checksum = file name
|
|
||||||
# https://www.npmjs.com/package/darcyclarke-manifest-pkg/v/2.1.15/index
|
# https://www.npmjs.com/package/darcyclarke-manifest-pkg/v/2.1.15/index
|
||||||
|
# hex checksum = file name
|
||||||
# use hex to get *actual* manifest:
|
# use hex to get *actual* manifest:
|
||||||
# https://www.npmjs.com/package/darcyclarke-manifest-pkg/file/a1c6250cb3f94bb3487c1bfb673d279642208b5db39a6c052a5c764f0d1abea5
|
# https://www.npmjs.com/package/darcyclarke-manifest-pkg/file/a1c6250cb3f94bb3487c1bfb673d279642208b5db39a6c052a5c764f0d1abea5
|
||||||
|
|
||||||
@ -16,8 +16,14 @@ def parse_manifest(pkg):
|
|||||||
latest_ver = parsed['dist-tags']['latest']
|
latest_ver = parsed['dist-tags']['latest']
|
||||||
latest_manifest = parsed['versions'][latest_ver]
|
latest_manifest = parsed['versions'][latest_ver]
|
||||||
|
|
||||||
|
try:
|
||||||
dependencies = parsed['versions'][latest_ver]['dependencies']
|
dependencies = parsed['versions'][latest_ver]['dependencies']
|
||||||
|
except KeyError:
|
||||||
|
dependencies = None
|
||||||
|
try:
|
||||||
scripts = parsed['versions'][latest_ver]['scripts']
|
scripts = parsed['versions'][latest_ver]['scripts']
|
||||||
|
except KeyError:
|
||||||
|
scripts = None
|
||||||
name = parsed['versions'][latest_ver]['name']
|
name = parsed['versions'][latest_ver]['name']
|
||||||
|
|
||||||
return latest_ver, dependencies, scripts, name
|
return latest_ver, dependencies, scripts, name
|
||||||
@ -32,8 +38,14 @@ def get_actual_manifest(pkg, ver):
|
|||||||
|
|
||||||
manifest = json.loads(requests.get(manifest_url).text)
|
manifest = json.loads(requests.get(manifest_url).text)
|
||||||
version = manifest['version']
|
version = manifest['version']
|
||||||
|
try:
|
||||||
dependencies = manifest['dependencies']
|
dependencies = manifest['dependencies']
|
||||||
|
except KeyError:
|
||||||
|
dependencies = None
|
||||||
|
try:
|
||||||
scripts = manifest['scripts']
|
scripts = manifest['scripts']
|
||||||
|
except KeyError:
|
||||||
|
scripts = None
|
||||||
name = manifest['name']
|
name = manifest['name']
|
||||||
|
|
||||||
return version, dependencies, scripts, name
|
return version, dependencies, scripts, name
|
||||||
|
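Review bot: The new `try`/`except KeyError` blocks in parse_manifest and get_actual_manifest turn an absent `dependencies` or `scripts` key into `None`, while a manifest that carries an explicit empty object (`"scripts": {}`) comes back as `{}`, so a package with no scripts on either side can still be flagged as a mismatch if the comparison elsewhere in the file uses plain equality (that comparison is outside these hunks, so this is inferred). Normalising a missing key to an empty dict removes that false positive and replaces each four-line try/except with one line: `dependencies = latest_manifest.get('dependencies', {})` and `scripts = latest_manifest.get('scripts', {})` in parse_manifest, and the same with `manifest.get(...)` in get_actual_manifest. This would also put `latest_manifest` to use; the hunk keeps assigning it but never reads it, re-indexing `parsed['versions'][latest_ver]` on every lookup instead. `manifest['version']` and `manifest['name']` stay unguarded, so an error document from the registry would still surface as a KeyError rather than as a failed fetch; calling `raise_for_status()` on the response before `json.loads` would make that failure explicit and keep the KeyError handlers meaning "field absent". Both parse_manifest and get_actual_manifest begin before their hunks, and the file header for this Python file is not visible on the page.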