Audits npm packages for any known-malicious package names.
npm install npm-malice-audit -g
This is a CLI tool, so it is invoked from the command line.
You must provide a manifest of packages. A manifest is an array of npm package names and can be provided in two ways:
Use this if you want to check multiple packages without installing them.
First, the tool will look for an npm-malice-audit.json file with contents like this:
[
"foo",
"bar"
]Use this if you want to check the dependencies of a project you have installed/cloned locally.
Second, the tool will look for a package.json file and use all of its dependencies, devDependencies, peerDependencies, and optionalDependencies as the package manifest.
If a non-empty manifest is found, a report similar to the following will be produced:
$ npm-malice-audit
---------
| async |
---------
Audited 673 packages.
Completed in 79.481 seconds.
Found 0 malicious packages in the tree!
----------
| lodash |
----------
Audited 1 packages.
Completed in 0.202 seconds.
Found 0 malicious packages in the tree!
-----------------
| npm-remote-ls |
-----------------
Audited 405 packages.
Completed in 42.203 seconds.
Found 0 malicious packages in the tree!
= SUMMARY ==============================
Audited 1079 total packages.
Completed audit in 121.899 seconds.
Found a total of 0 malicious packages!
You may also see an = ERRORS = section above the = SUMMARY =. This includes messages logged when there are problems looking up packages.
Note: Large packages with many dependencies can take a long time to resolve due to the need for many requests - patience is a virtue!