
tater-audit v0.0.9 (published)

Security vulnerability assistant

Downloads: 4

Readme

Moved to tater-taudit:

https://github.com/jtmckay/tater-taudit
https://www.npmjs.com/package/tater-taudit

Security vulnerability assistant

Resolve security vulnerabilities reported by yarn audit (or by Dependabot or npm audit). Fixes them automatically when possible, and gives you assistance when not. It walks the tree of dependents to find the best path forward.

Getting Started

Find which packages need to be updated. This command logs the commands that could be used to resolve the reported vulnerabilities:

npx tater-audit@latest fix

Example output:

yarn upgrade svgo
yarn upgrade css-select

Automatically run the recommended commands by passing "-a":

npx tater-audit@latest fix -a

When you want details

The "log" command gives you the details of your project's vulnerabilities and the potential routes to fix them. This is sometimes the best path forward for vulnerable packages whose fix hasn't yet propagated up the tree to their parents.

npx tater-audit@latest log

Example output:

{
  "name": "css-what",
  "patchedVersions": ">=5.0.1",
  "dependents": [
    {
      "name": "css-select",
      "dependents": [
        {
          "name": "svgo",
          "dependents": [],
          "earliestExistingVersion": "1.3.2",
          "latestViableVersion": "2.3.1",
          "recommendedViableVersion": "2.3.1",
          "minimumViableVersion": "2.3.1"
        }
      ],
      "earliestExistingVersion": "0.1.1",
      "latestViableVersion": "4.1.3",
      "recommendedViableVersion": "4.1.3",
      "minimumViableVersion": "4.0.0"
    }
  ],
  "version": "3.4.2"
}

This example tells us that css-what is vulnerable and patched in versions >=5.0.1, but that we are using the vulnerable version "3.4.2". It then shows that css-select is the package depending on css-what, and that css-select versions starting at "4.0.0" pull in a fixed css-what. It finds that "4.1.3" is the latest such version and recommends it.

It then continues to svgo, which depends on css-select, and so on. Using the fix command, you end up with an upgrade command for each dependent found here that has a viable version, and an install/add for each top-level dependency that has a viable version.

If there is a fix available starting with multiple major versions, it will attempt to use the major version that you are currently using, before recommending the latest version.
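As an added illustration (not tater-audit's own code), here is a small JavaScript model of the dependents walk that the log output above describes. A constructed in-memory registry and installed tree stand in for the npm registry and the lockfile, the semver matching is a simplified subset (^, ~, >=, >, <=, <, exact), and the `fixCommands` helper and the `top` flag are assumptions about how the fix command derives its upgrade/add commands. The data is chosen so the walk reproduces the css-what / css-select / svgo report shown above, including the "stay on the current major if possible, else take the latest" rule.

```javascript
// Added example, not part of tater-audit. Registry, installed tree and semver
// handling are all constructed/simplified assumptions for illustration.

const parseVer = (s) => s.split('.').map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
const last = (arr) => arr[arr.length - 1];

// Simplified semver: a range is a space-separated AND of comparator tokens.
function satisfies(version, range) {
  const v = parseVer(version);
  return range.trim().split(/\s+/).every((tok) => {
    const m = tok.match(/^(\^|~|>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/);
    if (!m) throw new Error(`unsupported range token: ${tok}`);
    const [, op = '=', base] = m;
    const b = parseVer(base);
    const c = cmp(v, b);
    switch (op) {
      case '>=': return c >= 0;
      case '>': return c > 0;
      case '<=': return c <= 0;
      case '<': return c < 0;
      case '=': return c === 0;
      case '^': return c >= 0 && cmp(v, b[0] > 0 ? [b[0] + 1, 0, 0] : [0, b[1] + 1, 0]) < 0;
      case '~': return c >= 0 && cmp(v, [b[0], b[1] + 1, 0]) < 0;
      default: throw new Error(`unsupported operator: ${op}`);
    }
  });
}

// Constructed stand-in for the registry: package -> version -> declared dependency ranges.
const REGISTRY = {
  'css-what': { '3.4.2': {}, '5.0.1': {}, '5.1.0': {} },
  'css-select': {
    '0.1.1': {},
    '3.1.2': { 'css-what': '^3.2.1' },
    '4.0.0': { 'css-what': '^5.0.1' },
    '4.1.3': { 'css-what': '^5.1.0' },
  },
  svgo: {
    '1.3.2': { 'css-select': '^3.1.0' },
    '2.3.1': { 'css-select': '^4.1.3' },
  },
};

// Constructed stand-in for the lockfile: what is installed and who depends on whom.
// `top` marks a direct dependency of the project (an assumption for fixCommands).
const INSTALLED = {
  svgo: { version: '1.3.2', deps: ['css-select'], top: true },
  'css-select': { version: '3.1.2', deps: ['css-what'], top: false },
  'css-what': { version: '3.4.2', deps: [], top: false },
};

const sortedVersions = (name) =>
  Object.keys(REGISTRY[name]).sort((a, b) => cmp(parseVer(a), parseVer(b)));
const dependentsOf = (name) =>
  Object.keys(INSTALLED).filter((p) => INSTALLED[p].deps.includes(name));

// Walk upward: a dependent version is viable if its declared range on the child
// admits at least one viable child version. Recommend the latest viable version
// on the currently installed major when one exists, otherwise the latest overall.
function dependentReports(childName, childViable) {
  return dependentsOf(childName).map((dep) => {
    const versions = sortedVersions(dep);
    const viable = versions.filter((v) => {
      const range = REGISTRY[dep][v][childName];
      return range !== undefined && childViable.some((cv) => satisfies(cv, range));
    });
    const major = parseVer(INSTALLED[dep].version)[0];
    const sameMajor = viable.filter((v) => parseVer(v)[0] === major);
    return {
      name: dep,
      dependents: dependentReports(dep, viable),
      earliestExistingVersion: versions[0],
      latestViableVersion: last(viable),
      recommendedViableVersion: last(sameMajor.length ? sameMajor : viable),
      minimumViableVersion: viable[0],
    };
  });
}

// Root of the report: the vulnerable package and the advisory's patched range.
function auditTree(name, patchedVersions) {
  const viable = sortedVersions(name).filter((v) => satisfies(v, patchedVersions));
  return { name, patchedVersions, dependents: dependentReports(name, viable), version: INSTALLED[name].version };
}

// Assumed mapping from the report to commands: an upgrade for every dependent
// with a viable version, plus an add for each top-level one.
function fixCommands(tree, useNpm = false) {
  const pm = useNpm ? { up: 'npm update', add: 'npm install' } : { up: 'yarn upgrade', add: 'yarn add' };
  const upgrades = [];
  const adds = [];
  (function visit(node) {
    for (const d of node.dependents) {
      if (d.recommendedViableVersion) {
        upgrades.push(`${pm.up} ${d.name}`);
        if (INSTALLED[d.name].top) adds.push(`${pm.add} ${d.name}@${d.recommendedViableVersion}`);
      }
      visit(d);
    }
  })(tree);
  return [...upgrades, ...adds];
}

const tree = auditTree('css-what', '>=5.0.1');
console.log(JSON.stringify(tree, null, 2));
console.log(fixCommands(tree).join('\n'));
```

With the constructed data, css-select@3.1.2 declares css-what ^3.2.1, which cannot reach the patched 5.x line, so the walk reports 4.0.0 as the minimum viable css-select and 4.1.3 as the recommended one; svgo@1.3.2 pins css-select ^3.1.0, so it in turn needs 2.3.1. The point for defenders is that a transitive advisory is only closed once every package on the path up to a direct dependency has moved to a version whose declared range admits the patched release, which is exactly what the nested report makes visible.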

Options

  -a, --all            Run all available fixes automatically
  -d, --dry            Log commands that would effect the repo
                       instead of running them
  -m, --major_upgrade  Attempt to install newer versions (perhaps
                       major; breaking changes)
  -n, --npm            Replace yarn with npm in output commands
  -u, --upgrade        Upgrade audit dependencies with a fix
                       available
  -h, --help           display help for command

  Examples:
    $ tater-audit fix
      -- Runs all available fixes but only logs the commands that would be run
    $ tater-audit fix -a
      -- Runs all available fixes
    $ tater-audit fix -d
      -- Only logs the commands that would be run
    $ tater-audit fix -u
      -- Upgrades all dependents down to the lowest dependency found in the audit with a dependency that has a fix available
    $ tater-audit fix -m
      -- Upgrades all top level dependencies with a fix available that is not permitted by the current locked version