Skip to content
flag

GitHub Action

is-my-node-ok

v0.1.1 Latest version

is-my-node-ok

flag

is-my-node-ok

checks if your Node.js installation is vulnerable to known security vulnerabilities

Installation

Copy and paste the following snippet into your .yml file.

              

- name: is-my-node-ok

uses: mirasayon/[email protected]

Learn more about this action in mirasayon/is-my-node-ok

Choose a version

is-my-node-ok

This package helps ensure the security of your Node.js installation by checking for known vulnerabilities. Minimum Node.js version: 7.10.1 It compares the version of Node.js you have installed (process.version) to the Node.js Security Database and alerts you if a vulnerability is found.

Usage

npx is-my-node-ok

It's strongly recommended to include this as a step in the app CI.

Output - When vulnerable

$ node -v
v20.3.0
$ npx is-my-node-ok

Danger

The current Node.js version (v20.3.0) is vulnerable to the following CVEs:

CVE-2023-30581: The use of proto in process.mainModule.proto.require() can bypass the policy mechanism and require modules outside of the policy.json definition
Patched versions: ^16.20.1 || ^18.16.1 || ^20.3.1
==================================================================================================================================================================================

Output - When non-vulnerable

$ node -v
v20.17.0
$ npx is-my-node-ok

All good :)

Output - when end of life

$ node -v
v15.14.0
$ npx is-my-node-ok

Danger


v15.14.0 is end-of-life. There are high chances of being vulnerable. Please upgrade it.

End-of-Life versions don't keep track of recent security releases, therefore, it's considered vulnerable by default.

API

This package also exports a function isNodeVulnerable to perform the check in runtime

const { isNodeVulnerable } = require('is-my-node-ok')

isNodeVulnerable('19.0.0') // true

Optionally you can define the platform with the argument platform to limit the scope. The available platforms are the same values available in for os.platform().

const { isNodeVulnerable } = require('is-my-node-ok')

isNodeVulnerable('19.0.0', 'linux') // true

Github Action

This package also provides a GitHub Action, just include the node-version in the yml as follows in order to check a specific version:

name: "Node.js Vulnerabilities"
on: 
  schedule:
    - cron: "0 0 * * *"

jobs:
  is-my-node-ok:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Check Node.js
        uses: MIrasayon/is-my-node-ok
        with:
          node-version: "18.14.1"

Optionally you can define the platform with the argument platform to limit the scope. The available platforms are the same values available in for os.platform().

      - uses: actions/checkout@v3
      - name: Check Node.js
        uses: MIrasayon/is-my-node-ok
        with:
          node-version: "18.14.1"
          platform: "linux"