Package that checks if your Node.js installation is vulnerable to known security vulnerabilities

mirasayon/is-my-node-ok
is-my-node-ok

This package helps ensure the security of your Node.js installation by checking for known vulnerabilities. It compares the version of Node.js you have installed (process.version) to the Node.js Security Database and alerts you if a vulnerability is found.

Minimum Node.js version: 7.10.1

Usage

npx is-my-node-ok

It is strongly recommended to run this as a step in your application's CI pipeline.

Output - When vulnerable

$ node -v
v20.3.0
$ npx is-my-node-ok

Danger

The current Node.js version (v20.3.0) is vulnerable to the following CVEs:

CVE-2023-30581: The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition
Patched versions: ^16.20.1 || ^18.16.1 || ^20.3.1
==================================================================================================================================================================================

Output - When non-vulnerable

$ node -v
v20.17.0
$ npx is-my-node-ok

All good :)

Output - when end of life

$ node -v
v15.14.0
$ npx is-my-node-ok

Danger

v15.14.0 is end-of-life. There are high chances of being vulnerable. Please upgrade it.

End-of-life release lines no longer receive security releases, so the tool treats them as vulnerable by default.

API

This package also exports a function, isNodeVulnerable, to perform the check at runtime:

const { isNodeVulnerable } = require('is-my-node-ok')

isNodeVulnerable('19.0.0') // true

Optionally, you can pass a second argument, platform, to limit the scope of the check. The accepted values are the same as those returned by os.platform().

const { isNodeVulnerable } = require('is-my-node-ok')

isNodeVulnerable('19.0.0', 'linux') // true

GitHub Action

This package also provides a GitHub Action. To check a specific version, set the node-version input in your workflow YAML as follows:

name: "Node.js Vulnerabilities"
on: 
  schedule:
    - cron: "0 0 * * *"

jobs:
  is-my-node-ok:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Check Node.js
        uses: MIrasayon/is-my-node-ok
        with:
          node-version: "18.14.1"

Optionally, you can set the platform input to limit the scope of the check; the accepted values are the same as those returned by os.platform(). The step then becomes:

      - uses: actions/checkout@v3
      - name: Check Node.js
        uses: MIrasayon/is-my-node-ok
        with:
          node-version: "18.14.1"
          platform: "linux"
