
Node-Secure v0.8.0

Gentilhomme
API & Node.js lead at MyUnisoft. Node.js Security WG member. SlimIO Maintainer.

Hello,

It's been a while since I've had the opportunity to write an article here (slightly less free time for open source at the moment).

Today I released version 0.8.0 of Node-secure (not a pre-release this time).

Let's dive directly into what's new since the last article:

JS-X-Ray 2.3.0

A lot of improvements have been made to the static analysis. The number of "encoded-literals" warnings has been reduced by 50%!

The analysis is also capable of detecting Morse code 😆 (not a joke).
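To show what such a detector has to decide, here is an added example (my own illustration, not JS-X-Ray's detector) that flags string literals shaped like Morse code while leaving ordinary literals such as "loading..." or a "- - - -" separator alone. The regular expressions, the minimum group count and the sample source are all assumptions made for this example.

```javascript
// Added example, not JS-X-Ray code: flag string literals that look like
// Morse code, a cheap way to hide text from keyword-based checks.

// One Morse "letter": one to six dots/dashes (assumed bound for this example).
const MORSE_GROUP = /^[.-]{1,6}$/;

// A literal counts as Morse when every whitespace- or slash-separated group is
// a Morse letter, there are enough groups to carry a message, and the groups
// are not all identical (which rules out decorative "- - - -" separators).
function isMorseLiteral(literal, minimumGroups = 4) {
  const groups = literal.trim().split(/[\s/]+/).filter(Boolean);
  if (groups.length < minimumGroups) return false; // "..." alone is an ellipsis
  if (new Set(groups).size < 2) return false; // "- - - -" is not a message
  return groups.every((group) => MORSE_GROUP.test(group));
}

// Naive extraction of quoted literals from source text (no real parser; a
// tokenizer such as the one JS-X-Ray uses would be the proper input here).
function findMorseLiterals(source) {
  const found = [];
  const literalPattern = /(["'`])((?:\\.|(?!\1)[^\\])*)\1/g;
  let match;
  while ((match = literalPattern.exec(source)) !== null) {
    if (isMorseLiteral(match[2])) found.push(match[2]);
  }
  return found;
}

// Constructed sample source, not taken from any real package.
const SAMPLE_SOURCE = [
  'const banner = "loading...";',
  'const separator = "- - - -";',
  'const hidden = ".... . .-.. .-.. --- / .-- --- .-. .-.. -..";',
  "const shout = '... --- ...';",
].join("\n");

console.log(findMorseLiterals(SAMPLE_SOURCE));
```

Only the `hidden` literal is reported: the ellipsis has a single group, the separator has no variety, and the three-letter `shout` is below the assumed minimum length, which is the kind of threshold that keeps the warning count down without losing the literals worth a look.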

Verify command on a local project

It is now possible to run the verify command on a local project. You just have to omit the package name (as with the auto command).

$ nsecure verify

Search packages by size

The search bar now allows you to filter packages by their size. Example with express:

[image: search bar filtering express packages by size]

Under the hood it uses a package I created: size-satisfies.
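As an added example of what a size filter like this does (my own code, not node-secure or size-satisfies), the block below parses a comparison such as ">= 100KB" into a byte threshold and applies it to a list of packages. The accepted syntax, the unit table and the package sizes are assumptions constructed for the example; the real size-satisfies syntax may differ.

```javascript
// Added example, not node-secure or size-satisfies code: parse a size filter
// such as ">= 100KB" and use it to filter a list of packages.

// Assumed binary units; a bare number is taken as bytes.
const UNITS = { B: 1, KB: 1024, MB: 1024 ** 2, GB: 1024 ** 3 };

const COMPARATORS = {
  ">": (size, limit) => size > limit,
  ">=": (size, limit) => size >= limit,
  "<": (size, limit) => size < limit,
  "<=": (size, limit) => size <= limit,
  "=": (size, limit) => size === limit,
};

// Returns { op, bytes } or null when the text is not a valid filter.
// Accepts an optional operator, a decimal number and an optional unit,
// e.g. "> 1.5MB", "<= 20 kb", "200KB" (no operator means "=").
function parseSizeFilter(text) {
  const match = /^\s*(>=|<=|>|<|=)?\s*(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)?\s*$/i.exec(text);
  if (match === null) return null;
  const [, op = "=", value, unit = "B"] = match;
  return { op, bytes: Number(value) * UNITS[unit.toUpperCase()] };
}

// Same idea as a size-satisfies style check: does sizeInBytes satisfy the filter?
function sizeSatisfies(filter, sizeInBytes) {
  const parsed = typeof filter === "string" ? parseSizeFilter(filter) : filter;
  if (parsed === null) throw new Error(`invalid size filter: ${filter}`);
  return COMPARATORS[parsed.op](sizeInBytes, parsed.bytes);
}

// Constructed sample: names are real package names, sizes are made-up numbers.
const SAMPLE_PACKAGES = [
  { name: "express", size: 208 * 1024 },
  { name: "body-parser", size: 57 * 1024 },
  { name: "qs", size: 165 * 1024 },
  { name: "cookie", size: 14 * 1024 },
];

// Returns the names of the packages whose size satisfies the filter; an
// unparsable filter yields an empty result rather than throwing, as a search
// bar would want while the user is still typing.
function filterBySize(packages, filter) {
  const parsed = parseSizeFilter(filter);
  if (parsed === null) return [];
  return packages
    .filter((pkg) => sizeSatisfies(parsed, pkg.size))
    .map((pkg) => pkg.name);
}

console.log(filterBySize(SAMPLE_PACKAGES, ">= 100KB"));
```

Parsing once and reusing the parsed threshold for every package keeps the filter cheap on large dependency trees; the operator table also makes it obvious which comparisons the UI supports.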

Inspect and show warning code

This new version adds an "inspect" column to the warnings popup. Clicking it loads and displays the relevant code in a small block.

[image: warnings popup with the new inspect column]

Thanks to tony for his work on the feature. It took us several weeks to get a result we were happy with.

Replacing webpack with esbuild

The UI is now built with esbuild instead of webpack. The build is done in about 200ms and we have removed all dependencies related to webpack.

New flag for native addons 🐲

We added the flag hasNativeCode 🐲, set if the package contains anything related to a native addon:

  • .c, .cpp or .gyp file extensions
  • a dependency known to be useful for native addons (node-gyp, node-addon-api, prebuildify and the like)
  • the "gypfile" property is true in the package.json

[image: hasNativeCode flag shown in the UI]

Summary command

A new "beta" command we added to show a summary for a given Nsecure JSON payload (as we do in the interface).

[image: output of the summary command]

Thanks again to tony, who worked on the feature. ⚠️ There are still missing elements that will certainly be added in the next version.

The GitHub issue is available here.

Other contributions

  • Global warnings are now also displayed at CLI runtime so that they don't go unnoticed.
  • Global warnings are also part of the i18n.
  • Use GitHub Actions instead of Travis.
  • Add the version of Node-secure in the JSON payload.
  • Enhance flags description (HTML).

Thanks to Tony, Targos, Mickeal and kecsou for all the contributions.

Release available here.

What's next?

  • Adding support for Snyk and npm audit to detect and fetch CVEs.
  • Taking into account the compatibility of the version when loading the JSON (PR opened by Tony).
  • Reworking part of the UI with web components (I'm already working on a POC).
  • Using D3.js instead of Vis.js (no POC on how we will do this yet).
  • Working a lot on enhancing JS-X-Ray and the static analysis.

If you have ideas, don't hesitate to come talk and contribute.

Conclusion

A version that took a long time to publish, but in the end I am still satisfied with the progress made.

Thanks for reading!

Best Regards,
Thomas
