Thomas.G for NodeSecure

Posted on Mar 2, 2020 • Updated on Jan 16, 2023

NodeSecure release v0.5.0

#javascript #node #npm #security

Hello !

The "new" release v0.5.0 of node-secure has been published few hours ago. This release includes new features and a lot of UI improvement.

Do not hesitate to check the article on the v0.4.0 (which include a presentation of the project too).

I have made a little video to show the new UI and some of the new features (click on the image).

Release v0.5.0

💀 isDead flag

This is a new activity flag. This means that the dependency (the package) has not received any updates from at least one year and has at least one dependency that need to be updated.

The condition and the period of one year is still experimental.

In the payload the real name of the flag is hasOutdatedDependency. isDead is the composition of hasOutdatedDependency and the new metadata hasReceivedUpdateInOneYear.

New metadata in the payload

The payload has brand-new metadata that has been useful to create the new 💀 flag.

dependencyCount (Number of dependencies of the package)
hasReceivedUpdateInOneYear

🎭 Emoji on the network graph

This emoji is not a real flag and is only added in the UI to indicate that the package is already somewhere else in the dependency tree (with different versions).

New searchbar

The new search bar is still a prototype (the goal is to build a search bar with real query API like Discord or Github.). The complete search bar will land in v0.6.0 !

And it is even possible to filter:

Available filters are:

package (default)
version
license
ext
builtin (allow to search for usage of a given Node.js core dependency)
author
flag (the complete flag name)

Clickable list items

Some of the list items in the left menu are now clickable (showed in the presentation video). Depending on the kind of items, the action will be different:

Node.js dependencies (Open the Node.js documentation)
Third-party dependencies (Open and move to the dependency in the network graph)
Required Files (Open the file on github.. when possible).

Show more / Show less for list items

Only the first 5 rows are now displayed by default. Before this feature this was a nightmare to navigate when a given package had a LOT of dependencies and required files.

License popup

This version allows to click on the License field in the left menu.

This will open a popup with a table of all licenses used in the project with their conformance information.

New warnings

Warnings emoji has been refactored and has a new meaning. Now the payload can contain a list of warnings. These warnings are:

unsafe-import (the AST analysis has failed to retrieve the required/imported package/file name).
unsafe-regex (a vulnerable regex can lead to a ReDos attack).
ast-error (when an error occur in the AST analysis of the package).

Unsafe-import and unsafe-regex are related to a file with the exact position of the problem. Like licenses these warnings are available in a popup:

In the JSON it will produce an object like the following one

"warnings": [{
    "kind": "unsafe-regex",
    "start": {
        "line": 81,
        "column": 20
    },
    "end": {
        "line": 81,
        "column": 76
    },
    "file": "old.js"
}]

Improved flags: 👀 and 🔬

The AST analysis has been updated to support new patterns:

exclude dependency required in a try statement
exclude the package itself from the dependency list (case detected on ajv).
exclude one line CJS require from being detected as "minified" file.

Example

modules.exports = require("./src/file.js");

Better CLI

The CLI will now give you a clear state of what is going on under the hood with some new lazy spinners!

--keep for nsecure auto command

By default the .json file will be removed when the CLI is closed with the auto command. This can be disabled with the --keep (-k) flag.

This makes the default behavior of auto more consistent.

nsecure auto express --keep

A lot more...

A lot of refactoring has been done and new tests has been added to the project!

What's next ?

The next release will "surely" include:

The final search-bar prototype with a complete query API.
A new CLI command to run an AST analysis on a given npm package.
New warnings ? (I want to implement a secrets detection.. not sure "how" yet).
More tests, more stability etc.

One of the next major features to implement is the support of package-lock.json (the current analysis may not match the current locked project dependency tree).

And surely more with the feedbacks of those who use the tool.

Bonus

With my team we are working on a customizable open-source Security report that use node-secure under the hood to analyze a given list of packages and git repositories. I will write a complete article when the project will be done (soon).

The project on github: https://github.com/SlimIO/Security

Preview of the design report (white theme available too).