A tool for auditing JSR, NPM, and ESM packages with Deno, utilizing the GitHub Advisory Database and `npm audit`.
The packages are extracted from a given `deno.lock` (v4) file. For JSR packages, `audit` tries to infer the corresponding GitHub repository (via api.jsr.io), from which it can gather published vulnerabilities (via api.github.com). NPM and ESM packages are injected into a generated `package.json` file, on which `npm audit` is executed.
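To make the extraction step concrete, here is an added TypeScript example (not the `@nashaddams/audit` project's own code) that reads a `deno.lock` v4 document, splits its entries into JSR, NPM and ESM packages, and builds the exact-version `package.json` that an `npm audit` run would consume. It assumes the v4 layout with top-level `jsr`, `npm` and `remote` maps, that NPM keys may carry a `_peer@version` suffix, and that the api.jsr.io package-metadata path shown in `jsrMetadataUrl` is where the GitHub repository would be looked up; the lock file contents are constructed for the example.

```typescript
// Added example, not part of the audit project: deno.lock v4 -> package list -> package.json.

interface LockFileV4 {
  version: string;
  specifiers?: Record<string, string>; // "npm:express@^4" -> "4.21.0"
  jsr?: Record<string, unknown>;       // "@scope/name@1.0.3" -> { integrity, ... }
  npm?: Record<string, unknown>;       // "name@1.2.3[_peer@x.y.z]" -> { integrity, dependencies }
  remote?: Record<string, string>;     // "https://esm.sh/name@1.2.3" -> "sha256-..."
}

export interface AuditPackage {
  kind: "jsr" | "npm" | "esm";
  name: string;
  version: string;
}

// Split "name@version" or "@scope/name@version": the version starts at the first "@"
// that is not the leading one of a scoped name. deno.lock appends "_peer@x.y.z" for
// peer-dependency variants of an npm package (assumed format); that suffix is dropped.
function splitNameVersion(key: string): [string, string] {
  const at = key.indexOf("@", key.startsWith("@") ? 1 : 0);
  if (at <= 0) throw new Error(`unexpected lock key: ${key}`);
  return [key.slice(0, at), key.slice(at + 1).split("_")[0]];
}

// Recognise ESM CDN URLs whose path is "/name@version/..." or "/@scope/name@version/...";
// anything else (e.g. a bare module URL without a version) is ignored.
function parseEsmUrl(url: string): [string, string] | null {
  const m = new URL(url).pathname.match(/^\/((?:@[^/@]+\/)?[^/@]+)@([^/]+)/);
  return m ? [m[1], m[2]] : null;
}

// Assumed api.jsr.io endpoint for a package's metadata (where the GitHub repo is inferred from).
export function jsrMetadataUrl(name: string): string {
  const m = name.match(/^@([^/]+)\/([^/]+)$/);
  if (!m) throw new Error(`not a JSR package name: ${name}`);
  return `https://api.jsr.io/scopes/${m[1]}/packages/${m[2]}`;
}

export function extractPackages(lockText: string): AuditPackage[] {
  const lock = JSON.parse(lockText) as LockFileV4;
  if (lock.version !== "4") throw new Error(`unsupported deno.lock version ${lock.version}`);
  const out: AuditPackage[] = [];
  for (const key of Object.keys(lock.jsr ?? {})) {
    const [name, version] = splitNameVersion(key);
    out.push({ kind: "jsr", name, version });
  }
  for (const key of Object.keys(lock.npm ?? {})) {
    const [name, version] = splitNameVersion(key);
    out.push({ kind: "npm", name, version });
  }
  for (const url of Object.keys(lock.remote ?? {})) {
    const parsed = parseEsmUrl(url);
    if (parsed) out.push({ kind: "esm", name: parsed[0], version: parsed[1] });
  }
  return out;
}

// Pin exact versions so npm audit checks what the lock file resolved, not a range.
// JSR packages are skipped here because they are audited via GitHub advisories instead.
export function toPackageJson(pkgs: AuditPackage[]): string {
  const dependencies: Record<string, string> = {};
  for (const p of pkgs) {
    if (p.kind !== "jsr") dependencies[p.name] = p.version;
  }
  return JSON.stringify({ name: "audit-input", private: true, dependencies }, null, 2);
}

// Constructed sample lock file (integrity values are placeholders, not real hashes).
export const SAMPLE_LOCK = JSON.stringify({
  version: "4",
  specifiers: {
    "jsr:@std/path@^1.0.0": "1.0.8",
    "npm:express@^4.18": "4.21.0",
    "npm:react-dom@18": "18.3.1_react@18.3.1",
  },
  jsr: { "@std/path@1.0.8": { integrity: "sha256-CONSTRUCTED" } },
  npm: {
    "express@4.21.0": { integrity: "sha512-CONSTRUCTED", dependencies: [] },
    "react-dom@18.3.1_react@18.3.1": { integrity: "sha512-CONSTRUCTED", dependencies: ["react@18.3.1"] },
    "react@18.3.1": { integrity: "sha512-CONSTRUCTED", dependencies: [] },
  },
  remote: { "https://esm.sh/lodash@4.17.21": "sha256-CONSTRUCTED" },
});

console.log(extractPackages(SAMPLE_LOCK));
console.log(toPackageJson(extractPackages(SAMPLE_LOCK)));
```

The generated `package.json` is what would be written to a temporary directory before invoking `npm audit`; pinning exact versions there matters, because auditing a range would report advisories for versions the project never actually resolved.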
```sh
# Print options
deno run https://jsr.io/@nashaddams/audit/<version>/mod.ts --help

# Run the audit (read/write/env access, network limited to the two APIs, and permission to run npm)
deno run \
  -RWE -N=api.jsr.io,api.github.com --allow-run=npm \
  https://jsr.io/@nashaddams/audit/<version>/mod.ts
```
Running this command will print the audit results to the console, create a report in the output directory, and return an exit code indicating whether vulnerabilities have been found (`1`) or not (`0`).
```sh
# The `report` subcommand (read/env access, network limited to 0.0.0.0)
deno run \
  -RE -N=0.0.0.0 \
  https://jsr.io/@nashaddams/audit/<version>/mod.ts \
  report
```