This project is a Node.js CLI tool to identify which of a project's existing dependencies are utilising npm lifecycle scripts, which could be malicious.
The currently configured npm scripts the tool will identify are:
preinstall
, postintall
, preuninstall
, postuninstall
Note: This project is to educate, so should not be used as a complete npm security solution.
# install globally, using npm
$ npm install npm-viewscripts -g
# Run the cli on a project
$ cd my-node-project
$ npm install
$ npm-viewscripts
$ npm-viewscripts
Usage
$ npm-viewscripts [path]
Options
path Modules folder [Default: node_modules]
Positive report example:
Potentially unsafe scripts found. These should be reviewed for safety
Module name: monorepo-symlink-test Type: postinstall
The above output informs us that the monorepo-symlink-test
is running a postinstall
script, so we should review that, and ensure that it is safe.
Negative report example:
No potentially unsafe scripts found.
No modules in the project are currently using scripts which could be used maliciously.