npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

grunt-retire

v1.0.9

Published

Grunt plugin for retire.

Downloads

7,171

Readme

grunt-retire

NPM version Retire Status

Grunt task for retire.js. Scanner detecting the use of JavaScript libraries with known vulnerabilities.

Getting Started

This plugin requires Grunt >=1.0.0. Version 0.3.12 is compatible with Grunt 0.4.

If you haven't used Grunt before, be sure to check out the Getting Started guide, as it explains how to create a Gruntfile as well as install and use Grunt plugins. Once you're familiar with that process, you may install this plugin with this command:

npm install grunt-retire --save-dev

Once the plugin has been installed, it may be enabled inside your Gruntfile with this line of JavaScript:

grunt.loadNpmTasks('grunt-retire');

Retire task

Run this task with the grunt retire command.

This task primarily delegates to Retire, so please consider the Retire documentation as required reading for advanced configuration.

Task targets, files and options may be specified according to the grunt Configuring tasks guide.

Available options

Example configuration below shows default option values and the correct syntax to use if you want to override any of them. If no options are provided, the default values as shown below are used.

    retire: {
      js: ['app/src/*.js'], /** Which js-files to scan. **/
      node: ['node'], /** Which node directories to scan (containing package.json). **/
      options: {
         proxy: 'http://something.something:8080',
         verbose: true,
         packageOnly: true, 
         jsRepository: 'https://raw.github.com/RetireJS/retire.js/master/repository/jsrepository.json',
         nodeRepository: 'https://raw.github.com/RetireJS/retire.js/master/repository/npmrepository.json',
         outputFile: './retire-output.json',
         ignore: 'documents,java',
         /** list of files to ignore **/
         ignorefile: '.retireignore' //or '.retireignore.json'
      }
    }

proxy: url, proxy (supports basic auth).

verbose: true/false, default is true. More verbose output (grunt -d may also be used for even more debug output).

packageOnly: true/false, default is true. Only scan only dependencies in package.json, skip dependencies to dependencies.

jsRepository: String, default is https://raw.github.com/RetireJS/retire.js/master/repository/jsrepository.json. JSON file which specifies where to retrieve Javascript vulnerability database.

nodeRepository: String, default is https://raw.github.com/RetireJS/retire.js/master/repository/npmrepository.json. JSON file which specifies where to retrieve Node vulnerability database.

outputFile: String, default is false. Path to creation of output file report in JSON format.

ignore: String, default is empty. Paths to ignore when scanning for JavaScript files.

Scan javascript files only

    retire: {
      js: ['app/src/*'], /** Scan js-files in app/src/ directory and subdirectories. **/
      options: {
      }
    }

Running grunt retire will scan files in app/src/ for vulnerable libraries. If file sources for both node and js are specified, scanning js only is possible using retire:js

Scan node dependencies example

    retire: {
      node: ['module/'], /** Scan node project in directory module/. Should be ['.'] for normal projects **/
      options: {
      }
    }

Running grunt retire will scan all dependencies specified under dependencies in package.json for vulnerable libraries. If file sources for both node and js are specified, scanning node only is possible using retire:node

Example output with one vulnerability found in jquery-1.6.js:

➜  grunt-retire git:(master) ✗ grunt retire
Running "retire:jsPath" (retire) task
JS repository loaded from: https://raw.github.com/RetireJS/retire.js/master/repository/jsrepository.json
>> test-files/jquery-1.6.js
>> ↳ jquery 1.6 has known vulnerabilities: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4969
Node repository loaded from: https://raw.github.com/RetireJS/retire.js/master/repository/npmrepository.json

Example output when no vulnerabilities are found

➜  grunt-retire git:(master) ✗ grunt retire
Running "retire:jsPath" (retire) task
JS repository loaded from: https://raw.github.com/RetireJS/retire.js/master/repository/jsrepository.json
Node repository loaded from: https://raw.github.com/RetireJS/retire.js/master/repository/npmrepository.json
No vulnerabilities found.

Done, without errors.

Release History

  • 2020-04-28 1.0.9 Upgrade vulnerable dependencies :)
  • 2020-04-15 1.0.8 Upgrade to latest version of retire.js
  • 2017-02-03   1.0.7 Added .npmignore so we don't publish test-files directory.
  • 2016-12-13   1.0.6 Added [email protected] as a dependency so we are compatible with [email protected].
  • 2016-11-29   1.0.5 Removed dependency request in package.json. Moved repository from bekk to RetireJS.
  • 2016-09-02   1.0.3 Compatible again with Node 0.10.x. v1.0.2 broke compatibility because of find().
  • 2016-08-29   1.0.2 Uses retire 1.2.x, which supports ignoring specific vulnerabilities through .retireignore.json.
  • 2016-05-31   1.0.0 Upgraded dependency for Grunt to 1.0.0 to get remove graceful-js warning. Requires Grunt 1.0.x or newer.
  • 2016-02-22   0.3.12 Added support for Grunt 1.0.0.
  • 2016-02-12   0.3.11   Upgraded dependencies.
  • 2013-11-12   0.1.15   Upgrading dependencies. Proxy support.
  • 2013-10-30   0.1.12   Upgrade to retire v0.1.12. js and node defined as targets.
  • 2013-10-30   0.1.0   First version.