
Npm-lint – An opinionated checker for your npm package - tanepiper
https://github.com/tanepiper/npm-lint
======
tanepiper
The initial rationale behind this was NPM releasing NPX, and in doing so my
finding out that both can run scripts from a Gist. This set alarms off for me as
a potential security attack vector.

I raised the issue with a ([https://github.com/tanepiper/steal-ur-stuff](https://github.com/tanepiper/steal-ur-stuff))
that showed a module with no dependencies, but with a post-install script
running npx to grab bash_history and post it to example.com. But the point was
made that, even with it being more public now with npx, this has always been a
risk in NPM
([https://twitter.com/maybekatz/status/884808186993164289](https://twitter.com/maybekatz/status/884808186993164289)).

So what is npm-lint? It's an opinionated tool that currently checks the
package.json file against rules defined in a .npmlint.json file with a default
that looks like this:

    {
      "properties": ["description", "main", "author", "license"],
      "scripts": {
        "allow": ["node", "npm", "echo", "exit"]
      },
      "dependencies": {
        "checkLatest": false,
        "sources": ["latest", "https://github.com", "http://bitbucket.org"]
      }
    }

The tool first checks that the listed properties are set in the file (name and
version are always checked and don't need to be listed, and in a newer version
I also have validation rules for checking that the value itself is valid).

For scripts you can set an allowed set of executables that may be used in
scripts. With the above example, if you have a script that runs a git or curl
command it will cause an error, and you will need to add that executable to the
json file.

For dependencies, it currently excludes anything with a valid semver range
(assuming that this is safe) and then checks what the other values are. In
this case, if a dependency points to a gist, or to a git repo that is not on
github or bitbucket, it will error. You can essentially whitelist any source
that isn't the npm registry. Finally there is checkLatest which, when set to
true, currently uses npm-check-updates to find the latest versions. One further
idea here is to tie into a vulnerability database like snyk to advise of
potentially risky modules.
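To make the three checks concrete, here is an added example (my own sketch, not npm-lint's code) that applies the default rules above to a constructed package.json; the semver matcher and the script splitting are deliberately rough approximations, not the project's real parsing.

```javascript
// Added example, not npm-lint's own code: the three checks from the post, applied
// to a constructed package.json. `rules` is the default .npmlint.json quoted above.
const rules = {
  properties: ["description", "main", "author", "license"],
  scripts: { allow: ["node", "npm", "echo", "exit"] },
  dependencies: {
    checkLatest: false,
    sources: ["latest", "https://github.com", "http://bitbucket.org"],
  },
};
// Rough semver-range check (assumption: a plain range is treated as safe, as the
// post says). Accepts "1.2.3", "^1.2.3", "~0.1.x", ">=1.0.0 <2.0.0" and "*".
const SEMVER_TOKEN = /^(\^|~|>=|<=|>|<|=)?v?\d+(\.(\d+|x|\*))?(\.(\d+|x|\*))?([-+][\w.-]+)?$/;
function isSemverRange(spec) {
  const s = spec.trim();
  return s === "*" || s.split(/\s+/).every((tok) => SEMVER_TOKEN.test(tok));
}
function lintPackage(pkg, cfg = rules) {
  const issues = [];
  // 1. required properties; name and version are always required.
  for (const prop of ["name", "version", ...cfg.properties]) {
    if (!(prop in pkg)) issues.push(`missing property "${prop}"`);
  }
  // 2. scripts: the first word of each command segment must be an allowed executable.
  for (const [name, cmd] of Object.entries(pkg.scripts || {})) {
    for (const segment of cmd.split(/&&|\|\||[;|]/)) {
      const exe = segment.trim().split(/\s+/)[0];
      if (exe && !cfg.scripts.allow.includes(exe)) {
        issues.push(`script "${name}" runs disallowed executable "${exe}"`);
      }
    }
  }
  // 3. dependencies: semver ranges pass; anything else must come from a listed source.
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [dep, spec] of Object.entries(deps)) {
    if (isSemverRange(spec)) continue;
    if (!cfg.dependencies.sources.some((src) => spec.startsWith(src))) {
      issues.push(`dependency "${dep}" uses unlisted source "${spec}"`);
    }
  }
  return issues;
}
// Constructed sample: a postinstall script that shells out to npx, plus a gist dependency.
const samplePkg = {
  name: "demo", version: "1.0.0", description: "demo", main: "index.js", author: "me", license: "MIT",
  scripts: { postinstall: "npx some-tool && echo done", test: "node test.js" },
  dependencies: { lodash: "^4.17.4", "gist-dep": "https://gist.github.com/EXAMPLE", "gh-dep": "https://github.com/org/repo" },
};
console.log(lintPackage(samplePkg));
```

Running it reports the `npx` in postinstall and the gist-sourced dependency, while the semver-pinned lodash and the github-hosted dependency pass.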

Most of the rules are quite simple just now, but I'd like to expand them to be
more configurable (such as issuing a warning instead of an error for, say, a
github source). Eventually this should resolve all dependencies in a module's
tree, so it also checks dependencies of dependencies for issues.

It's been developed over the last couple of days and now uses async/await for
a much cleaner control flow.

Any feedback is welcome :)

