Sinkchart - open source visualisation tool for your JS dependencies

Sebastian Vaduva — Thu, 10 Nov 2022 14:21:26 +0000

Understanding and visualising is critical to better understand your app's structure and more importantly - package vulnerabilities.

This is why we've created Sinkchart - beautiful Visualizations For Your App's Dependencies

Sinkchart offers two types of visualisations: Treemap and Tree

*Treemap: *

Node colors represent the dependency depth;
Node surface represents the size of the corresponding directory under node_modules;
A dotted pattern in a node background means the package is a shared dependency, required by multiple packages, and present multiple times in the chart;
Shared dependency sizes are added to every dependent package, to represent the independent size structure properly; hence, the displayed size might be larger than the actual size on disk;
A red package background means the package has direct vulnerabilities;
A purple package background means the package depends on other vulnerable packages;
Click on a node to make the tooltip persist; click outside to close it;

When representing deep dependencies, the surface area of certain packages might reach zero, making them invisible.

Tree:

Nodes are grouped by color based on the root dependency that they belong to;
Red text in a package name means the package has direct vulnerabilities;
Purple text in a package name means the package depends on other vulnerable packages;
Click on a node to make the tooltip persist; click outside to close it;

By default, the tree chart has a maximum depth of 7, meaning only seven levels of dependencies will be represented, to keep the output readable; you can override this using the --md option.

Here are some samples of very popular packages:

Apollo Client 3.7.1

Tree
Treemap

Nest.js 9.1.2

Tree
Treemap

*Webpack 5.74.0
Tree
Treemap

You can check out your own's app Tree structure and Treemap visualisation - install Sinkchart now: yarn global add sinkchart # or npm install -g sinkchart

Sandworm.JS: sandboxing & malware detection for npm packages

Sebastian Vaduva — Tue, 13 Sep 2022 14:59:33 +0000

Sandworm.JS is a sandboxing & malware detection tool for npm packages

Rather than relying on CVE advisories, Sandworm watches lower-level APIs like the Node VM and browser APIs like DOM manipulation, fetch, etc., and throws when a package unexpectedly accesses these APIs.

While this won't protect against all classes of vulnerabilities, it assures that your project is safe from hand-crafted, zero-day vulnerabilities that leave your data open to attack until a CVE is issued and a fix is published.
Most tools in this space currently use static analysis to scan a package's source and infer potential threats by looking at code patterns, invoked methods, or loaded modules.

However, it's generally simple to trick such analysis tools using various obfuscation techniques. Static analysis is, therefore, not a definitive security solution and should be used in tandem with dynamic tools like Sandworm.

Sandworm does dynamic analysis in the runtime - it knows about what happens when it happens:
It can't let you know about possible vulnerabilities before it sees the code run;
It also can't capture information about "dormant" code that doesn't get executed;

No obfuscation or workaround can fool our interceptors, though: as soon as any code segment attempts to invoke a sensitive method, Sandworm will capture that call and be able to allow or deny access.

DEV Community: Sebastian Vaduva

Sinkchart - open source visualisation tool for your JS dependencies

Sandworm.JS: sandboxing & malware detection for npm packages