So, every time you run:
npm install some-package
you are executing someone else's code on your machine.
But here's the uncomfortable truth:
Do you really know what that code is doing?
Most don't.
From User to Producer: How I Realized the Risk
Before I first started building npm packages, I was just a user like everyone else. Install a package, trust it works, move on.
But when you switch from user to producer, everything changes: you see how packages execute, which scripts run automatically, and the sheer power even a tiny package can hold.
Then I read about an npm supply-chain attack that had happened some time back.
A single compromised package could affect millions of machines.
That's when I thought:
"Even a small package can impact huge systems. What if we could see what it does before we install it?"
That thought sparked npm-telemetry.
The Problem With Blind Trust
npm packages can:
- Make network requests
- Access the file system
- Read environment variables
- Spawn child processes
- Execute dynamic code (eval / new Function)
- Run postinstall scripts
Most developers only realize this after something goes wrong. Supply-chain attacks are becoming increasingly common, and frighteningly easy.
npm-telemetry gives visibility upfront, letting you make informed decisions before installing.
Introducing npm-telemetry
npm-telemetry is a lightweight CLI and Node.js library that inspects packages and reports on their capabilities.
Think of it as a nutrition label for npm packages: you inspect, you understand, you trust consciously.
What It Detects
- Network access
- File system read/write
- Environment variable access
- Child processes
- Dynamic execution (eval / new Function)
- Postinstall scripts
It also calculates an analysis coverage score, so you know how thoroughly the package was inspected.
Getting Started
No global installation needed. Run:
npx npm-telemetry <package_name>
Example:
npx npm-telemetry axios
Output:
Analysis Report: axios
Permissions:
Network: YES
FS Read: NO
FS Write: NO
Env Access: NO
Child Process: NO
Dynamic code execution: NO
Postinstall script: null
Instantly know what the package is capable of doing.
Programmatic Usage
Integrate npm-telemetry into CI pipelines, dashboards, or custom scripts.
CommonJS
const analyzePackage = require("npm-telemetry");
(async () => {
const result = await analyzePackage("axios");
console.log(result.coverage);
console.log(result.report.network);
})();
ES Modules
import analyzePackage from "npm-telemetry";
const result = await analyzePackage("axios");
console.log(result.coverage);
console.log(result.report.network);
Returned object:
{
"package": "axios",
"coverage": 92,
"report": {
"fsRead": false,
"fsWrite": false,
"network": true,
"env": false,
"childProcess": false,
"usesEval": false,
"dynamicRequire": false,
"postinstall": null
}
}
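The report object above is what a CI gate would consume. The following is an added example, not part of npm-telemetry: a small policy check over that object shape that fails a build when a dependency needs a denied capability, ships a postinstall script, or was scanned with too little coverage. The `analyze` function is injected so the gate runs offline here with constructed sample results; in a pipeline you would pass the real `analyzePackage`.

```javascript
// Added example (not npm-telemetry's own code). Policy gate over the
// { package, coverage, report } object returned by analyzePackage.
const DEFAULT_POLICY = {
  minCoverage: 80,                     // refuse low-confidence scans
  deny: ["childProcess", "usesEval", "dynamicRequire"],
  allowPostinstall: false,
};

// Returns the policy violations for one result (empty array = pass).
function evaluateReport(result, policy = DEFAULT_POLICY) {
  const violations = [];
  if (typeof result.coverage !== "number" || result.coverage < policy.minCoverage) {
    violations.push(`coverage ${result.coverage} below ${policy.minCoverage}`);
  }
  for (const cap of policy.deny) {
    if (result.report[cap] === true) violations.push(`uses ${cap}`);
  }
  // postinstall is null when absent, otherwise the script command string
  if (!policy.allowPostinstall && result.report.postinstall) {
    violations.push(`postinstall script: ${result.report.postinstall}`);
  }
  return violations;
}

// Gate a dependency map (e.g. package.json "dependencies"); `analyze` is
// analyzePackage or a stand-in. Returns { passed: [...], failed: {name: [...]} }.
async function gateDependencies(deps, analyze, policy = DEFAULT_POLICY) {
  const passed = [];
  const failed = {};
  for (const name of Object.keys(deps)) {
    const violations = evaluateReport(await analyze(name), policy);
    if (violations.length === 0) passed.push(name);
    else failed[name] = violations;
  }
  return { passed, failed };
}

// Constructed sample results (not real scan output) in the documented shape.
const SAMPLE_RESULTS = {
  axios: { package: "axios", coverage: 92, report: { fsRead: false, fsWrite: false,
    network: true, env: false, childProcess: false, usesEval: false,
    dynamicRequire: false, postinstall: null } },
  "example-pkg": { package: "example-pkg", coverage: 61, report: { fsRead: true,
    fsWrite: true, network: true, env: true, childProcess: true, usesEval: false,
    dynamicRequire: true, postinstall: "node setup.js" } },
};
// Stand-in for analyzePackage so the gate can be exercised offline.
const fakeAnalyze = async (name) => SAMPLE_RESULTS[name];
```

Wire `gateDependencies(require("./package.json").dependencies, analyzePackage)` into a CI step and exit non-zero when `failed` is non-empty.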
How npm-telemetry Works
Under the hood:
- Scans package code for sensitive APIs
- Detects dynamic code (eval, new Function)
- Flags postinstall scripts
- Generates a coverage score
The analysis is static: no package code is executed on your machine, keeping it safe.
[Package]
↓
[npm-telemetry analysis]
↓
[Permissions report & coverage score]
Why This Matters
npm-telemetry:
- Makes dependency behavior visible
- Lets developers audit packages before installing
- Helps enforce security policies
- Enables custom risk scoring
The goal is not to accuse packages, but to give developers conscious control.
Philosophy
Every dependency should answer one question:
"What am I doing on your system?"
npm-telemetry provides visibility, honesty, and peace of mind.
Software shouldn't be magic, and trust should never be blind.
Try It Yourself
npx npm-telemetry <package_name>
Inspect any npm package before installing it; you may be surprised at what you discover.
Here's the link to the package: https://www.npmjs.com/package/npm-telemetry