A defensive security tool that scans npm packages for vulnerabilities before installation, helping protect your system from compromised packages.
This scanner allows you to check for known vulnerabilities in npm packages BEFORE running npm install, protecting your system from potentially malicious or compromised packages.
- Scans single package.json files
- Supports npm workspaces (monorepos with multiple package.json files)
- Color-coded vulnerability severity levels
- Detailed vulnerability reports with recommendations
- Returns non-zero exit code when vulnerabilities are found (CI/CD friendly)
Install globally:

```bash
npm install -g @onamfc/npm-vuln-scanner
```

Or use with npx without installing:

```bash
npx @onamfc/npm-vuln-scanner
```

Scan the current directory:

```bash
npm-vuln-scan
```

Scan a specific directory:

```bash
npm-vuln-scan /path/to/project
```

Use the scanner programmatically from Node.js:

```javascript
const { scanPackages } = require('@onamfc/npm-vuln-scanner');

async function checkProject() {
  // scanPackages resolves with { success, results }; success is false
  // when vulnerabilities were found, and results holds the report.
  const { success, results } = await scanPackages('/path/to/project');
  if (!success) {
    console.log('Vulnerabilities found!');
    console.log(results);
  }
}

checkProject();
```

When run, the scanner:

- Discovers all package.json files in the target directory
- For workspace projects, finds all workspace package.json files
- Queries the npm registry audit API for each package
- Reports vulnerabilities by severity (Critical, High, Moderate, Low)
- Provides detailed information and remediation recommendations
- Critical: Immediate action required
- High: Address as soon as possible
- Moderate: Review and plan to address
- Low: Review at your convenience
Exit codes:

- `0`: No vulnerabilities found or scan completed successfully
- `1`: Vulnerabilities found or scan error
Add to your CI pipeline to prevent deployment of vulnerable dependencies:

```yaml
- name: Scan for vulnerabilities
  run: npx @onamfc/npm-vuln-scanner
```

This is an open source project. Contributions are welcome!
MIT