npm-publish-date
v1.0.0
Published
See the publish date of NPM packages
Downloads
13
Readme
:timer_clock: npm-publish-date
- :white_check_mark: See the publish date of NPM packages easily.
- :white_check_mark: Validate publish dates to avoid installing packages with embedded malware.
- :white_check_mark: List the publish date of installed packages.
:arrow_down: Installation
Installing globally
npm i -g npm-publish-date
yarn global add npm-publish-date
You can also use npx npm-publish-date <command>
or yarn create npm-publish-date <command>
to run the CLI just once.
:ok_hand: Usage
List
List the publish date of installed packages.
# Syntax:
# npd list [packages...] [options]
# Arguments:
# [packages...] ➡️ Package names to filter (without scope and version).
# Options:
# -a or --all ➡️ Show the entire package tree.
# -d or --depth <depth> ➡️ Filter packages using its depth in the package tree.
# -j or --json ➡️ Return data in JSON format.
# Example:
npd list express --all
View
See the publish date of any package.
# Syntax:
# npd view [packages...] [options]
# Arguments:
# [packages...] ➡️ Package names in the format: @scope/package@version
# Options:
# -a or --all ➡️ Show the entire package tree.
# -d or --depth <depth> ➡️ Filter packages using their depth in the package tree.
# -j or --json ➡️ Return data in JSON format.
# Example:
npd view react axios@latest [email protected] --all
Validate
Validate packages publish date.
# Syntax:
# npd validate [packages...] [options]
# Arguments:
# [packages...] ➡️ Package names in the format: @scope/package@version
# Options:
# -m or --min-days <minDays> ➡️ Minimum days elapsed since package publication.
# -a or --all ➡️ Validate the entire package tree.
# -d or --depth <depth> ➡️ Filter packages using their depth in the package tree.
# -j or --json ➡️ Return data in JSON format.
# Example:
npd validate eslint redux@latest --all --min-days 2
:no_good_man: Avoid Installing Packages With Embedded Malware
In October and November of 2021 three very popular NPM packages with millions of downloads were published with embedded malware. Infected computers had all the secrets and keys stolen by the malicious code executed with a simple npm install
.
The good news is that this type of problem usually resolves itself within hours. The bad news is that hackers will likely do the same again.
This library was created to protect us from getting hacked while installing NPM packages. Just validating the publish date is not the best protection strategy, but it can save our accounts.
Click in the links to see more about:
- Github Advisories - Embedded malware in ua-parser-js
- Github Advisories - Embedded malware in rc
- Github Advisories - Embedded malware in coa
:man: Author
Luan Eduardo da Costa | Follow me on Linkedin