npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

tater-taudit

v1.0.6

Published

Security vulnerability assistant

Downloads

1

Readme

npm (scoped) NPM npm

Security vulnerability assistant

Resolve security vulnerabilities found with yarn audit (Dependabot or npm audit). Automatically fix them when possible, and get assistance when not. It will walk the tree of dependencies to find the best path forward.

Requirements

Requires npm and yarn to be globally installed, but works with package-lock.json or yarn.lock files.

Run commands in the directory containing your main package.json file.

Getting Started

A great place to start is the "log" command. This is also the best path when updating everything to the latest is not resolving vulnerabilities.

In your package.json directory, run this command to get the details of your project vulnerabilities and potential routes to fix.

npx tater-taudit@latest log

Note: piping the command to a file can sometimes be helpful when there are a lot of vulnerabilities. Some cleanup may be necessary to make it valid JSON. EG:

npx tater-taudit@latest log > taterlog.json

Example output:

{
  "dependents": [
    {
      "dependents": [
        {
          "dependents": [],
          "name": "svgo",
          "earliestExistingVersion": "1.3.2",
          "latestViableVersion": "2.3.1",
          "recommendedViableVersion": "2.3.1",
          "minimumViableVersion": "2.3.1"
        }
      ],
      "name": "css-select",
      "earliestExistingVersion": "0.1.1",
      "latestViableVersion": "4.1.3",
      "recommendedViableVersion": "4.1.3",
      "minimumViableVersion": "4.0.0"
    }
  ],
  "name": "css-what",
  "patchedVersions": ">=5.0.1",
  "version": "3.4.2",
  "earliestExistingVersion": "3.4.2",
  "latestViableVersion": "5.0.1",
  "recommendedViableVersion": "5.0.1",
  "minimumViableVersion": "5.0.1"
}

This example tells us that css-what is vulnerable, and patched in versions >=5.0.1, but that we are using a vulnerable version "3.4.2". Then it shows us that css-select is the package depending on css-what, but that it has a version that resolves it starting in version "4.0.0". It finds that "4.1.3" is the latest version and recommends that.

It then continues to svgo, which depends on css-select, and so on. Using the fix command, you will end up with an upgrade command for each dependency found here with a viable version, and an install/add for each top level dependency with a viable version.

If there is a fix available starting with multiple major versions, it will attempt to use the major version that you are currently using, before recommending the latest version.

Upgrade vulnerable packages

Find what packages need to be updated. In your package.json directory, run this command to get a list of commands that could be used to potentially resolve vulnerabilities:

npx tater-taudit@latest fix

Example output:

yarn upgrade svgo
yarn upgrade css-select

Automatically run the recommended commands by passing "-a":

npx tater-taudit@latest fix -a

Options

  -a, --all            Run all available fixes automatically
  -d, --dry            Log commands that would effect the repo
                       instead of running them
  -m, --major_upgrade  Attempt to install newer versions (perhaps
                       major; breaking changes)
  -n, --npm            Replace yarn with npm in output commands
  -u, --upgrade        Upgrade audit dependencies with a fix
                       available
  -h, --help           display help for command

  Examples:
    $ tater-taudit fix
      -- Runs all available fixes but only logs the commands that would be run
    $ tater-taudit fix -a
      -- Runs all available fixes
    $ tater-taudit fix -d
      -- Only logs the commands that would be run
    $ tater-taudit fix -u
      -- Upgrades all dependents down to the lowest dependency found in the audit with a dependency that has a fix available
    $ tater-taudit fix -m
      -- Upgrades all top level dependencies with a fix available that is not permitted by the current locked version