panki
/
npm-manifest-check
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

README

Browse Source
master
Felix Pankratz 1 year ago
parent f5c5db71ef
commit ba1f7b2a02
2 changed files with 65 additions and 5 deletions
Show Stats Download Patch File Download Diff File

48
README.md
Unescape Escape View File

@ -0,0 +1,48 @@
# npm manifest confusion checker
A `python` script to check `npm` packages for manifest mismatches, [as reported by Darcy Clarke.](https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem)
## Usage
Install the requirements first:
```
pip install -r requirements.txt
```
### Single package
To check a single package, pass the name of a package to the script as the first argument. Here, I'm using the package Darcy has helpfully provided:
```
$ ./npm-manifest-check darcyclarke-manifest-pkg
Version mismatch for darcyclarke-manifest-pkg!
Reported version: 2.1.15
Actual version: 3.0.0
Dependency mismatch detected for darcyclarke-manifest-pkg!
Reported dependencies: {}
Actual dependencies: {'sleepover': '*'}
Scripts mismatch detected for darcyclarke-manifest-pkg!
Reported scripts: {}
Actual scripts: {'install': 'touch ./bad-pkg-write && echo "bad pkg exec!"\n'}
Name mismatch detected for darcyclarke-manifest-pkg!
Reported name: darcyclarke-manifest-pkg
Actual name: express
```
A 'good' package will look like this:
```
$ ./npm-manifest-check.py color
No mismatch detected for color.
```
### Multiple packages
`check_packages.sh` is a wrapper script which reads a list of packages to check from a `packages.list` file. Add the packages you want to check to this file, one package per line, and start the script:
```
./check_pages.sh
```
It will only report packages that have a mismatch.

14
npm-manifest-check.py
Unescape Escape View File

@ -2,8 +2,8 @@
import requests import requests
import json import json
# hex checksum = file name
# https://www.npmjs.com/package/darcyclarke-manifest-pkg/v/2.1.15/index # https://www.npmjs.com/package/darcyclarke-manifest-pkg/v/2.1.15/index
# hex checksum = file name
# use hex to get *actual* manifest: # use hex to get *actual* manifest:
# https://www.npmjs.com/package/darcyclarke-manifest-pkg/file/a1c6250cb3f94bb3487c1bfb673d279642208b5db39a6c052a5c764f0d1abea5 # https://www.npmjs.com/package/darcyclarke-manifest-pkg/file/a1c6250cb3f94bb3487c1bfb673d279642208b5db39a6c052a5c764f0d1abea5
@ -16,8 +16,14 @@ def parse_manifest(pkg):
latest_ver = parsed['dist-tags']['latest'] latest_ver = parsed['dist-tags']['latest']
latest_manifest = parsed['versions'][latest_ver] latest_manifest = parsed['versions'][latest_ver]
try:
dependencies = parsed['versions'][latest_ver]['dependencies'] dependencies = parsed['versions'][latest_ver]['dependencies']
except KeyError:
dependencies = None
try:
scripts = parsed['versions'][latest_ver]['scripts'] scripts = parsed['versions'][latest_ver]['scripts']
except KeyError:
scripts = None
name = parsed['versions'][latest_ver]['name'] name = parsed['versions'][latest_ver]['name']
return latest_ver, dependencies, scripts, name return latest_ver, dependencies, scripts, name
@ -32,8 +38,14 @@ def get_actual_manifest(pkg, ver):
manifest = json.loads(requests.get(manifest_url).text) manifest = json.loads(requests.get(manifest_url).text)
version = manifest['version'] version = manifest['version']
try:
dependencies = manifest['dependencies'] dependencies = manifest['dependencies']
except KeyError:
dependencies = None
try:
scripts = manifest['scripts'] scripts = manifest['scripts']
except KeyError:
scripts = None
name = manifest['name'] name = manifest['name']
return version, dependencies, scripts, name return version, dependencies, scripts, name

Write Preview
Loading…
Cancel
Save