sdc-check

Small tool to inform you about potential risks in your project's dependency list.

Usage

Add to your project

Add a new command to the scripts section of your package.json

"scripts": {
  "sdc-check": "sdc-check -d ."
}

Use in your CI pipeline

Add a new step to your pipeline

# GitHub Actions example:
- name: Check dependencies with sdc-check
  run: yarn sdc-check

Configure

Add a new "sdc-check" section to your package.json to change the defaults

"sdc-check": {
  "options": {
    "limitOfDecisionMakers": 7,
    "daysBeforeUpgradeToNewVersion": 5,
    "monthsOfInactivityAllowed": 10
  },
  "errors": [
    "package-is-too-new",
    "lockfile-is-not-safe",
    "has-os-scripts",
    "dangerous-shell-commands"
  ]
}
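To make the thresholds above concrete, here is an added example (not sdc-check's own code) that applies a configuration of this shape to a package's registry metadata. The metric names "package-is-too-new" and "unmaintained-package" are the ones used in this README; how they are computed here is an assumption, "too-many-maintainers" is a hypothetical metric name for the limitOfDecisionMakers option, and treating metrics listed under "errors" as errors and everything else as warnings is also an assumption. The package metadata and the current date are constructed sample values.

```javascript
// Added example, not sdc-check's own code. Assumed interpretation of the
// "sdc-check" options in package.json (see lead-in for what is assumed).

const DEFAULT_CONFIG = {
  options: {
    limitOfDecisionMakers: 7,
    daysBeforeUpgradeToNewVersion: 5,
    monthsOfInactivityAllowed: 10,
  },
  errors: [
    'package-is-too-new',
    'lockfile-is-not-safe',
    'has-os-scripts',
    'dangerous-shell-commands',
  ],
};

const MS_PER_DAY = 24 * 60 * 60 * 1000;

function daysBetween(earlier, later) {
  return Math.floor((later - earlier) / MS_PER_DAY);
}

// Whole calendar months between two dates (UTC), enough for a coarse threshold.
function monthsBetween(earlier, later) {
  return (later.getUTCFullYear() - earlier.getUTCFullYear()) * 12
    + (later.getUTCMonth() - earlier.getUTCMonth());
}

// pkg shape (constructed): { name, version, versionPublishedAt,
//   latestPublishedAt, maintainers: [...] }
function evaluatePackage(pkg, config, now) {
  const { options, errors } = config;
  const triggered = [];

  // Assumption: a version released fewer than N days ago is "too new".
  if (daysBetween(new Date(pkg.versionPublishedAt), now) < options.daysBeforeUpgradeToNewVersion) {
    triggered.push('package-is-too-new');
  }
  // Assumption: no release for more than N months means "unmaintained".
  if (monthsBetween(new Date(pkg.latestPublishedAt), now) > options.monthsOfInactivityAllowed) {
    triggered.push('unmaintained-package');
  }
  // Hypothetical metric name for the limitOfDecisionMakers option.
  if (pkg.maintainers.length > options.limitOfDecisionMakers) {
    triggered.push('too-many-maintainers');
  }

  return triggered.map((metric) => ({
    package: `${pkg.name}@${pkg.version}`,
    metric,
    // Assumption: metrics listed under "errors" fail the check, others only warn.
    severity: errors.includes(metric) ? 'error' : 'warning',
  }));
}

// Constructed sample data: a version published two days ago, and a package
// whose last release is 17 months old with nine maintainers.
const NOW = new Date('2024-06-15T00:00:00Z');
const SAMPLE_PACKAGES = [
  {
    name: 'fresh-lib', version: '2.0.0',
    versionPublishedAt: '2024-06-13T00:00:00Z', latestPublishedAt: '2024-06-13T00:00:00Z',
    maintainers: ['a', 'b'],
  },
  {
    name: 'stale-lib', version: '1.4.2',
    versionPublishedAt: '2023-01-01T00:00:00Z', latestPublishedAt: '2023-01-01T00:00:00Z',
    maintainers: ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i'],
  },
];

// Evaluate every package; a non-zero exit code means at least one error-level finding.
function runChecks(packages = SAMPLE_PACKAGES, config = DEFAULT_CONFIG, now = NOW) {
  const findings = packages.flatMap((p) => evaluatePackage(p, config, now));
  return { findings, exitCode: findings.some((f) => f.severity === 'error') ? 1 : 0 };
}

console.log(JSON.stringify(runChecks(), null, 2));
```

With the defaults above, fresh-lib trips "package-is-too-new" (an error, so the exit code is 1), while stale-lib only produces warnings; lowering daysBeforeUpgradeToNewVersion to 2 or removing the metric from "errors" would let the same input pass.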

Ignore errors (do it wisely)

Add a .sdccheckignore file to your project root directory

# Ignore errors caused by unmaintained-package metric for sdc-check@1.0.0
sdc-check@1.0.0 | unmaintained-package

# Ignore all errors for sdc-check@1.0.0
sdc-check@1.0.0

# Ignore errors caused by unmaintained-package and
# released-after-long-period-of-inactivity metrics for sdc-check
sdc-check | unmaintained-package, released-after-long-period-of-inactivity

# Ignore all errors for sdc-check
sdc-check
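The ignore file format above is simple enough to show as code. The following is an added example (not sdc-check's own parser) that reads a .sdccheckignore file and drops the findings it covers. Assumed semantics, taken from the comments in the file above: "name" or "name@version" optionally followed by " | metric, metric"; a bare name matches every version; a missing metric list ignores every metric; lines starting with "#" are comments. The ignore file contents and the findings are constructed sample data.

```javascript
// Added example, not sdc-check's own code. Parses the .sdccheckignore format
// under the assumed semantics described in the lead-in.

function parseIgnoreFile(text) {
  const rules = [];
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue;

    const [target, metricPart] = line.split('|').map((s) => s.trim());

    // Split "name@version" on the last "@" so scoped packages (@scope/name)
    // keep their leading "@".
    const at = target.lastIndexOf('@');
    const name = at > 0 ? target.slice(0, at) : target;
    const version = at > 0 ? target.slice(at + 1) : null; // null = any version

    const metrics = metricPart
      ? metricPart.split(',').map((m) => m.trim()).filter(Boolean)
      : null; // null = every metric

    rules.push({ name, version, metrics });
  }
  return rules;
}

// A finding is { name, version, metric }; it is ignored if any rule covers it.
function isIgnored(rules, finding) {
  return rules.some((r) =>
    r.name === finding.name
    && (r.version === null || r.version === finding.version)
    && (r.metrics === null || r.metrics.includes(finding.metric)));
}

function filterFindings(rules, findings) {
  return findings.filter((f) => !isIgnored(rules, f));
}

// Constructed sample ignore file, one rule of each shape.
const SAMPLE_IGNORE = `
# Ignore one metric for one pinned version
left-pad@1.3.0 | unmaintained-package
# Ignore two metrics for every version of a scoped package
@scope/widget | has-os-scripts, released-after-long-period-of-inactivity
# Ignore every error for one package
old-lib
`;

// Constructed sample findings, as a checker might report them.
const SAMPLE_FINDINGS = [
  { name: 'left-pad', version: '1.3.0', metric: 'unmaintained-package' },
  { name: 'left-pad', version: '1.3.0', metric: 'dangerous-shell-commands' },
  { name: 'left-pad', version: '1.2.0', metric: 'unmaintained-package' },
  { name: '@scope/widget', version: '2.0.0', metric: 'has-os-scripts' },
  { name: '@scope/widget', version: '2.0.0', metric: 'package-is-too-new' },
  { name: 'old-lib', version: '0.0.1', metric: 'lockfile-is-not-safe' },
];

// Returns the findings that survive the ignore file.
function remainingFindings(ignoreText = SAMPLE_IGNORE, findings = SAMPLE_FINDINGS) {
  return filterFindings(parseIgnoreFile(ignoreText), findings);
}

console.log(remainingFindings());
```

Of the six sample findings, three survive: the dangerous-shell-commands finding for left-pad@1.3.0 (its rule only covers one metric), the unmaintained-package finding for left-pad@1.2.0 (the rule is pinned to 1.3.0), and package-is-too-new for @scope/widget (not in its metric list). Note that a bare package name silences every metric for every version, which is why the README says to ignore errors wisely.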

Check npm package

Find out more about a package before adding it to your dependency list

npx sdc-check -p ua-parser-js -v 1.0.2

Wondering what has changed in the newest version of some package?

Use the npm diff command to find out

npm diff --diff=dependency@1.2.3 --diff=dependency@1.3.5

Common threats in supply chain security

  1. Malicious code injection: During development, an attacker could add malicious code to a package's codebase; this is dangerous because it may be hard to catch in PR review.

  2. Malicious package release: An attacker may publish malicious packages and hence trick other users into installing or depending on such packages.

  3. Social Engineering: An attacker may manipulate a maintainer to hand over sensitive information.

  4. Account Takeover: An attacker may compromise the credentials of a maintainer to inject malicious code under the maintainer’s name.

  5. Ownership transfer: An attacker may volunteer to maintain a popular abandoned package and have its ownership transferred to them.

  6. Remote execution: An attacker may target a package by compromising the third-party services used by that package.

Install

npm i -D sdc-check

or

yarn add -D sdc-check

Acknowledgments

License

MIT