use npm safety
npm repository may contain some harmful packages,
and these packages may protect them use some similar words as popular package,
good-jsmay contain harmful codes.
use npmsafe instead of npm
npm i npmsafe -g
git clone firstname.lastname@example.org:ueqt/npmsafe.gitcd npmsafenpm link
npm remove npmsafe -g
support all commands and arguments that npm support.
$ npmsafe install express
cd to folder which contains package.json, this command will check packages in package.json.
if something not verified, you can check it's downloads count in last month to judge it safe or not.
$ npmsafe checkAnalysing ~/git/xxx/package.jsonNot verified: 7mysql [ 171232 ]moment [ 1025532 ]later [ 6008 ]nodemailer [ 242134 ]nodeutil [ 1111 ]lodash [ 7512304 ]influx [ 5146 ]You can choose one choice:[ 1 ].Stop[ 2 ].Continue[ 3 ].Continue and save to whitelistPlease input your choice:
I will add much internal whitelist, but you still need more whitelist.
So when you choose 3 in install time, it will save to your custom whiltelist.
Custom whitelist is at
~/.npmsafe/customWhiteList.txt , you can also edit it manually.
make a tool to automatically check npmjs repository and create whitelist.json more reliable