# npm manifest confusion checker

A `python` script to check `npm` packages for manifest mismatches, [as reported by Darcy Clarke.](https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem) It can also check all the dependencies of a package recursively.

## Usage

Install the requirements first:

```
pip install -r requirements.txt
```

Check the help:

```
./npm-manifest-check.py -h
usage: npm-manifest-check [-h] [-b] package

Check NPM packages for manifest mismatches

positional arguments:
  package          name of the NPM package

optional arguments:
  -h, --help       show this help message and exit
  -r, --recursive  recursively check all dependencies for mismatches
  -b, --brief      do not show detailed comparisons of mismatching values
  -c, --color      colorize the output
```

### Single package

To check a single package, pass the name of a package to the script as the first argument. Here, I'm using the package Darcy has helpfully provided:

```
$ ./npm-manifest-check.py darcyclarke-manifest-pkg
Version mismatch for darcyclarke-manifest-pkg!
Reported version: 2.1.15
Actual version: 3.0.0
Dependency mismatch detected for darcyclarke-manifest-pkg!
{'dictionary_item_added': {"root['sleepover']": '*'}}
Scripts mismatch detected for darcyclarke-manifest-pkg!
{ 'dictionary_item_added': { "root['install']": 'touch ./bad-pkg-write && echo '
                                                '"bad pkg exec!"\n'}}
Name mismatch detected for darcyclarke-manifest-pkg!
Reported name: darcyclarke-manifest-pkg
Actual name: express
```

A 'good' package will look like this:

```
$ ./npm-manifest-check.py color
No mismatch detected for color.
```
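The mismatches reported above are what a manifest confusion check boils down to: the manifest the registry returns for a package, compared field by field with the `package.json` that actually sits inside the published tarball. The following is an added example, not the project's own code, showing that comparison and the recursive dependency walk. The registry (`FAKE_REGISTRY`, `fake_fetch`) and the package names in it are constructed in memory and modelled on the README's sample output; nothing is fetched from npm.

```python
"""Added example (not the project's own code): the core of a manifest
confusion check. It compares what the registry reports for a package with
the package.json inside the published tarball, and walks dependencies
recursively. All registry data is constructed in memory (no network)."""
import io
import json
import tarfile


def build_tarball(pkg_json):
    """Pack a dict as package/package.json into an in-memory .tgz (sample data only)."""
    buf = io.BytesIO()
    payload = json.dumps(pkg_json).encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name="package/package.json")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def package_json_from_tarball(data):
    """Read package/package.json out of a published npm tarball (bytes)."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        return json.load(tar.extractfile("package/package.json"))


def diff_dicts(reported, actual):
    """Key-level difference between two dicts, in the spirit of the deepdiff
    output shown in the README: added, removed and changed entries."""
    added = {k: actual[k] for k in actual.keys() - reported.keys()}
    removed = {k: reported[k] for k in reported.keys() - actual.keys()}
    changed = {k: (reported[k], actual[k])
               for k in reported.keys() & actual.keys() if reported[k] != actual[k]}
    return {"added": added, "removed": removed, "changed": changed}


def compare_manifests(reported, actual):
    """Compare the registry manifest (`reported`) with the tarball's
    package.json (`actual`). Returns {field: details}; empty means no mismatch."""
    findings = {}
    for field in ("name", "version"):
        if reported.get(field) != actual.get(field):
            findings[field] = {"reported": reported.get(field), "actual": actual.get(field)}
    for field in ("dependencies", "scripts"):
        diff = diff_dicts(reported.get(field) or {}, actual.get(field) or {})
        if any(diff.values()):
            findings[field] = diff
    return findings


def check_recursively(name, fetch, seen=None):
    """Check `name`, then every dependency named on either side of the manifest
    (a dependency that only the tarball declares is worth inspecting too).
    `fetch(name)` returns (registry_manifest_dict, tarball_bytes)."""
    seen = set() if seen is None else seen
    if name in seen:
        return {}
    seen.add(name)
    reported, tarball = fetch(name)
    actual = package_json_from_tarball(tarball)
    results = {}
    findings = compare_manifests(reported, actual)
    if findings:
        results[name] = findings
    deps = set(reported.get("dependencies") or {}) | set(actual.get("dependencies") or {})
    for dep in sorted(deps):
        results.update(check_recursively(dep, fetch, seen))
    return results


# Constructed in-memory "registry" (hypothetical package names), modelled on
# the README's sample output. Each entry is (manifest as reported, tarball bytes).
def _entry(reported, actual=None):
    return reported, build_tarball(actual if actual is not None else reported)


FAKE_REGISTRY = {
    "example-confused-pkg": _entry(
        {"name": "example-confused-pkg", "version": "2.1.15",
         "dependencies": {"example-dep": "^1.0.0"}},
        {"name": "express", "version": "3.0.0",
         "dependencies": {"example-dep": "^1.0.0", "sleepover": "*"},
         "scripts": {"install": 'touch ./bad-pkg-write && echo "bad pkg exec!"'}},
    ),
    "example-dep": _entry({"name": "example-dep", "version": "1.0.2", "dependencies": {}}),
    "sleepover": _entry({"name": "sleepover", "version": "0.1.0", "dependencies": {}}),
}


def fake_fetch(name):
    """Stand-in for the registry API call and the tarball download."""
    return FAKE_REGISTRY[name]


if __name__ == "__main__":
    for pkg, findings in check_recursively("example-confused-pkg", fake_fetch).items():
        print(f"Mismatch detected for {pkg}!")
        print(json.dumps(findings, indent=2))
```

Replacing `fake_fetch` with a function that queries the registry and downloads the tarball turns this into a working checker. The walk follows dependencies declared on both sides because, as the linked post explains, dependency resolution reads the registry manifest while lifecycle scripts come from the tarball's `package.json`, so a dependency present on only one side is exactly the kind of discrepancy worth flagging.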

### Multiple packages

`check_packages.sh` is a wrapper script which reads a list of packages to check from a `packages.list` file. Add the packages you want to check to this file, one package per line, and start the script:

```
./check_packages.sh
```

It will only report packages that have a mismatch.