This past week I’ve decided to put a little more love into my east5th:package-scan project. In an attempt to lower the barrier to entry for using the tool, I’ve given it a super-simple web interface. Check it out at scan.east5th.co!

The tool lets you select or drop in a Meteor versions file, which is then compared against the list of packages with known security issues. If any matches are found, the vulnerable package alerts are displayed on the page.

I made a conscious decision not to send versions files to the server for scanning. Instead, I pull the alerts.json file into the browser, along with a browserified version of semver, and run the scan directly on the client. This way, users’ versions files never leave their browser.
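The client-side scan described above, as an added example that is not code from east5th:package-scan: it parses a Meteor versions file, matches each package against a list of alerts, and returns the hits, with nothing leaving the browser. The alert record shape ({package, range, summary}), the sample alerts and the sample versions file are all assumptions (constructed sample data), and a small comparator-set matcher stands in for the browserified semver module so the example runs offline.

```javascript
// Added example, not code from east5th:package-scan. The alert record shape
// ({package, range, summary}) is an assumption; the alerts and versions file
// below are constructed sample data. A tiny comparator-set matcher stands in
// for the browserified semver module so the example runs offline.

const SAMPLE_ALERTS = [ // constructed, not the real alerts.json
  { package: "accounts-base", range: ">=1.0.0 <1.2.1", summary: "constructed sample alert" },
  { package: "npm-bcrypt", range: "<0.7.8", summary: "constructed sample alert" },
];

const SAMPLE_VERSIONS_FILE = [ // constructed, shaped like a .meteor/versions file
  "accounts-base@1.2.0",
  "meteor-base@1.0.1",
  "npm-bcrypt@0.7.8_2",
  "east5th:package-scan@0.0.1",
].join("\n");

// Parse "1.2.3", dropping a Meteor wrapper number ("1.2.3_2") and any
// prerelease tag ("1.2.3-rc.1"). Prerelease ordering is deliberately ignored
// here; that is one of the things a real semver library gets right.
function parseVersion(v) {
  const core = v.split("_")[0].split("-")[0];
  return core.split(".").map((n) => parseInt(n, 10) || 0);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Minimal stand-in for semver.satisfies(): supports comparator sets such as
// ">=1.0.0 <1.2.1", joined by "||" for alternatives.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split("||").some((set) =>
    set.trim().split(/\s+/).every((comparator) => {
      const m = /^(<=|>=|<|>|=)?(.+)$/.exec(comparator);
      if (!m) return false;
      const c = compareVersions(v, parseVersion(m[2]));
      switch (m[1] || "=") {
        case "<": return c < 0;
        case "<=": return c <= 0;
        case ">": return c > 0;
        case ">=": return c >= 0;
        default: return c === 0;
      }
    })
  );
}

// Each line of a Meteor versions file is "<package>@<version>". Package names
// may contain ":" (e.g. east5th:package-scan), so split on the last "@".
function parseVersionsFile(text) {
  return text
    .split("\n")
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith("#"))
    .map((line) => {
      const at = line.lastIndexOf("@");
      return { name: line.slice(0, at), version: line.slice(at + 1) };
    });
}

// Runs entirely on the client: the versions file text never has to be posted
// anywhere. Returns one hit per (package, alert) pair.
function scanVersionsFile(text, alerts) {
  const hits = [];
  for (const pkg of parseVersionsFile(text)) {
    for (const alert of alerts) {
      if (alert.package === pkg.name && satisfies(pkg.version, alert.range)) {
        hits.push({ package: pkg.name, version: pkg.version, range: alert.range, summary: alert.summary });
      }
    }
  }
  return hits;
}

// Usage: scanVersionsFile(SAMPLE_VERSIONS_FILE, SAMPLE_ALERTS) flags
// accounts-base@1.2.0 and leaves npm-bcrypt@0.7.8_2 alone (0.7.8 is not < 0.7.8).
```

The wrapper-number handling matters in practice: a Meteor version such as 0.7.8_2 is the same upstream code as 0.7.8, so it must be stripped before the range check or the scan silently misses or mis-flags packages. Prerelease tags are stripped rather than ordered here, which is precisely why the real tool ships the semver module to the browser instead of hand-rolling comparisons.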