
A Node.js tool to review dependency changes in order to:
- Prevent supply chain attacks.
- Catch API breaking changes.
- Learn from your dependencies.
In general, it brings an open-dependencies practice to your project and stops treating node_modules as a black box.
It supports: npm, pnpm, yarn 1, yarn berry, and GitHub Actions.

Built by Evil Martians, a go-to agency for developer tools.
First, reduce the risk of exposing your system to malware during the update. A compromised package can run arbitrary code from its install scripts before you ever open its source, so disable postinstall scripts for npm:
npm config set ignore-scripts true
# We also recommend switching to pnpm, where postinstall scripts are disabled by default
We also recommend using a Dev Container, or at least running your shell inside a container, so an install that does execute something cannot reach your real home directory or credentials.
Install Multiocular:
npm install multiocular
# pnpm install multiocular
Update dependencies:
# For npm
npx npm-check-updates
npm update
# For pnpm
pnpm update-interactive --latest
pnpm update
# For GitHub Actions
npx actions-up
Start web UI to review changes:
npx multiocular
If you hit the GitHub API rate limit, define the GITHUB_TOKEN environment variable with a personal token that has access to public repositories (no private or write scopes are needed for this).
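The review step above is where the actual work happens: before you accept an update, you want to know which packages were added, removed, bumped across a major version, or, most suspiciously, kept the same version number while resolving to a different tarball. The following is an added example, not Multiocular's own code, that shows the core of such a review by diffing two npm lockfiles. It assumes lockfile version 2/3 layout (a `packages` map keyed by `node_modules/...` paths with `version` and `resolved` fields); the two lockfiles and every package name in them are constructed for the example.

```javascript
// Added example (not part of Multiocular): classify the changes between two
// npm lockfiles (lockfileVersion 2/3) so each one can be reviewed deliberately
// instead of trusting node_modules as a black box.

// Parse "MAJOR.MINOR.PATCH", ignoring any pre-release/build suffix.
const semverParts = (v) => v.split(/[-+]/)[0].split('.').map(Number);

function classify(before, after) {
  if (before === after) return 'unchanged';
  const [bMaj, bMin] = semverParts(before);
  const [aMaj, aMin] = semverParts(after);
  if (aMaj !== bMaj) return 'major'; // likely API breaking change
  if (aMin !== bMin) return 'minor';
  return 'patch';
}

// Collect path -> {name, version, resolved} from the lockfile "packages" map.
// Keys look like "node_modules/foo" or "node_modules/foo/node_modules/@s/bar".
function collect(lock) {
  const out = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    out.set(path, { name, version: meta.version, resolved: meta.resolved });
  }
  return out;
}

function diffLockfiles(beforeLock, afterLock) {
  const before = collect(beforeLock);
  const after = collect(afterLock);
  const changes = [];
  for (const [path, b] of before) {
    const a = after.get(path);
    if (!a) { changes.push({ name: b.name, kind: 'removed', from: b.version }); continue; }
    const kind = classify(b.version, a.version);
    if (kind !== 'unchanged') {
      changes.push({ name: b.name, kind, from: b.version, to: a.version });
    } else if (a.resolved !== b.resolved) {
      // Same version, different tarball URL: the artifact changed under you.
      changes.push({ name: b.name, kind: 'resolved-changed', from: b.resolved, to: a.resolved });
    }
  }
  for (const [path, a] of after) {
    if (!before.has(path)) changes.push({ name: a.name, kind: 'added', to: a.version });
  }
  // Put the riskiest changes first so the reviewer reads those before fatigue sets in.
  const order = { 'resolved-changed': 0, added: 1, major: 2, minor: 3, patch: 4, removed: 5 };
  return changes.sort((x, y) => order[x.kind] - order[y.kind] || x.name.localeCompare(y.name));
}

// Constructed sample lockfiles (package names and URLs are made up).
const REG = 'https://registry.npmjs.org';
const beforeLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/color-lib':   { version: '5.3.0',  resolved: `${REG}/color-lib/-/color-lib-5.3.0.tgz` },
    'node_modules/log-lib':     { version: '4.3.4',  resolved: `${REG}/log-lib/-/log-lib-4.3.4.tgz` },
    'node_modules/tiny-ms':     { version: '2.1.2',  resolved: `${REG}/tiny-ms/-/tiny-ms-2.1.2.tgz` },
    'node_modules/http-client': { version: '2.5.1',  resolved: `${REG}/http-client/-/http-client-2.5.1.tgz` },
    'node_modules/pad-left':    { version: '1.3.0',  resolved: `${REG}/pad-left/-/pad-left-1.3.0.tgz` },
    'node_modules/yaml-parse':  { version: '1.10.2', resolved: `${REG}/yaml-parse/-/yaml-parse-1.10.2.tgz` },
  },
};
const afterLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/color-lib':   { version: '5.3.0',  resolved: `${REG}/color-lib/-/color-lib-5.3.0.tgz` },
    'node_modules/log-lib':     { version: '4.4.0',  resolved: `${REG}/log-lib/-/log-lib-4.4.0.tgz` },
    'node_modules/tiny-ms':     { version: '2.1.3',  resolved: `${REG}/tiny-ms/-/tiny-ms-2.1.3.tgz` },
    'node_modules/http-client': { version: '3.0.0',  resolved: `${REG}/http-client/-/http-client-3.0.0.tgz` },
    'node_modules/new-dep':     { version: '3.0.1',  resolved: `${REG}/new-dep/-/new-dep-3.0.1.tgz` },
    // same version as before, but now served from somewhere else
    'node_modules/yaml-parse':  { version: '1.10.2', resolved: 'https://cdn.example.invalid/yaml-parse-1.10.2.tgz' },
  },
};

for (const c of diffLockfiles(beforeLock, afterLock)) {
  console.log(`${c.kind.padEnd(16)} ${c.name} ${c.from ?? ''} -> ${c.to ?? ''}`);
}
```

The sort order encodes the review priority: a tarball that changed without a version change and a brand-new package deserve a source read, a major bump deserves a changelog read, and patch bumps can usually be skimmed. Removed packages are listed last because they shrink your attack surface rather than grow it.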
The current practice of treating dependencies as free black boxes is creating a lot of issues in our industry.
For instance, supply chain attacks, where malware is added to a dependency after a maintainer's account is stolen. The recent chalk/debug, nx, and GitHub Actions incidents show that this is just the beginning.
We suggest another model, open dependencies, where the team tracks its dependencies. It means fewer dependencies and more attention to each of them. But this is the only solution we see.