
jsinstallguard

v0.1.8

Published

Small security wrapper around the package manager which intercepts any preinstall and postinstall scripts.

Downloads

4

Readme

JSInstallGuard

JSInstallGuard is a small security wrapper around the package manager which intercepts any preinstall and postinstall scripts.

These scripts are commonly the point where malicious code is inserted into compromised npm packages. By preventing them from running until they have been explicitly trusted, JSInstallGuard helps you spot potentially malicious intent before the script can do any damage.

Package install scripts are checked against an allow list, and if they have not been explicitly allowed then the script will be blocked.

It supports both yarn and npm package managers.

Getting Started

You have two options for installation. You can use the existing manual installation method (1a) as before, or you can now install it via npm or yarn (1b). Whichever method you choose make sure you check it's working before you install all your dependencies!

1a. Manual Installation

Because JSInstallGuard needs to be in place before the packages are installed, it needs to be manually copied into your project directory, ideally before your very first yarn install or yarn add.

Download the code as a zip

You can get the latest from: https://github.com/ashward/jsinstallguard/archive/master.zip

curl -LO https://github.com/ashward/jsinstallguard/archive/master.zip

Note: I know this is the master branch, but I will add versioning and proper releases soon!

Unpack the zip and copy the files from the jsinstallguard/ directory into the root of your project.

Unzip the files

unzip master.zip

And copy them into /your/project/root

cp -r jsinstallguard-master/files/. /your/project/root/

This will add:

  • A .jsig/ directory which contains the JSInstallGuard code (feel free to inspect it and make sure you trust what it's doing.)
  • A .yarnrc file which will ensure that it's actually JSInstallGuard that runs when you run yarn
  • A .npmrc file which will ensure that it's actually JSInstallGuard that runs when you run npm
  • A jsig-allow.json file which contains an array of the allowed scripts. Add an entry to the allow array to allow a trusted script to run.

If you already have a .yarnrc or .npmrc file then you will need to manually merge it.

1b. Installation via the package manager (experimental)

How you install it via the package manager will depend on what stage your project is at. This is because running yarn add ... or npm install ... will also trigger an install of all the other project dependencies, and this would occur before JSInstallGuard is running.

Therefore, if you have a new project without any dependencies, follow option (a). If you are installing this into an existing project which doesn't currently have JSInstallGuard installed, use option (b).

a) For a newly initialised project

If your project is newly initialised and doesn't have any dependencies then you can simply install it (after running yarn init or npm init) using your package manager:

yarn

yarn add --dev jsinstallguard

npm

npm install --save-dev jsinstallguard

b) For an existing project

It is recommended to remove your node_modules directory if you have one:

rm -rf node_modules

Re-create a blank node_modules directory.

This isn't strictly necessary, but can save some confusion in some circumstances due to the way package managers decide which directory to install into.

mkdir node_modules

Rename your existing package.json file

This is so that no other dependencies are installed at the same time:

mv package.json package.json.bak

Install the module

yarn

yarn add jsinstallguard

npm

npm install jsinstallguard

Put your package.json back again

mv package.json.bak package.json

2. Check it's working

From your project root, run

yarn --version

will check it's working with yarn

and

npm

will check it's working with npm

If it's working then you will see something like the following at the top of both the outputs:

👮‍♀️   JSInstallGuard: Using JSIG version: x.x.x

If you see the above you can start installing packages!

3. Install your packages

When you install or add packages, you will see an error whenever one of them tries to run an install script that is not yet on the allow list.

You should then do what you need to do to make sure you trust the script it's running.

If you do trust it then add the given line to the allow: [] array in jsig-allow.json.

If you find something potentially dodgy or malicious then please report it to npmjs: https://docs.npmjs.com/reporting-a-vulnerability-in-an-npm-package
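As an added example (not JSInstallGuard's own code), here is the kind of allow-list check described above, written in JavaScript. The README only says that jsig-allow.json holds an allow array, so the entry format name@version:hook:command used here is an assumption; it is chosen so that a version bump or a changed script command in a new release has to be reviewed and trusted again.

```javascript
// Added example, not JSInstallGuard's own code: an allow-list gate for npm
// lifecycle install scripts in the spirit of jsig-allow.json.
// Assumption (hypothetical format): each allow entry is the string
// "<name>@<version>:<hook>:<command>", so a version bump or a changed command
// in a new release is no longer trusted and must be reviewed again.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

function allowKey(name, version, hook, command) {
  return `${name}@${version}:${hook}:${command}`;
}

// Classify each install hook declared in a package.json object as allowed or blocked.
function checkInstallScripts(pkg, allowList) {
  const allow = new Set(allowList);
  const result = { allowed: [], blocked: [] };
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== "string" || command.trim() === "") continue;
    const key = allowKey(pkg.name, pkg.version, hook, command);
    (allow.has(key) ? result.allowed : result.blocked).push(key);
  }
  return result;
}

// Throw (mirroring the error the README says you will see) when anything is blocked;
// the message carries the exact entries to paste into the allow array once reviewed.
function gateInstall(pkg, allowFile) {
  const { blocked } = checkInstallScripts(pkg, allowFile.allow || []);
  if (blocked.length > 0) {
    throw new Error(`JSIG blocked install script(s):\n  ${blocked.join("\n  ")}`);
  }
  return true;
}

// Constructed sample input: the allow file contents and two releases of one package.
const sampleAllow = JSON.parse('{"allow": ["demo-pkg@1.0.0:postinstall:node scripts/setup.js"]}');
const samplePkg = {
  name: "demo-pkg", version: "1.0.0",
  scripts: { postinstall: "node scripts/setup.js", test: "jest" },
};
// Same package, new release: a different hook and command, so it is blocked until reviewed.
const bumpedPkg = {
  name: "demo-pkg", version: "1.0.1",
  scripts: { preinstall: "node scripts/setup.js --extra" },
};
```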

4. Commit it into your project and share the love

You should commit all the JSInstallGuard files and directory (.jsig/, .yarnrc, .npmrc, and jsig-allow.json) into your project source control so that everyone gets the benefit!

Removing it from your project

If you want to remove JSInstallGuard from your project:

Delete the files

rm -rf .jsig

Remove the relevant lines from .npmrc and .yarnrc

From .npmrc remove the line starting with onload-script= (or delete the whole file if that's the only line)

From .yarnrc remove the line starting with yarn-path (or delete the whole file if that's the only line)

Remove the package from the package manager (if you installed it that way)

yarn

yarn remove jsinstallguard

npm

npm uninstall jsinstallguard

Note that doing this on its own doesn't currently remove the files, so you will still need to manually remove the files as above.

License

MIT

Acknowledgments

  • Thanks to https://github.com/martin-bucinskas for his invaluable help with testing and debugging!