aj_g 3 days ago

Anyone have a good solution to scan all code in our Github org for uses of the affected packages? Many of the methods we've tried have dead ended. Inability to reliably search branches is quite annoying here.

cube00 3 days ago | parent | next [-]

If you have tens of thousands of repos with branches to match you'll be scanning all year.

Proxy NPM with something like Artifactory which stops the bad package getting back in or ending up in any new builds.

Follow it up with endpoint protection to weed the package out of the local checked out copies and .npm on the individual dev boxes.

ozim 3 days ago | parent | prev | next [-]

Have you tried Dependency Track from OWASP? Generate an SBOM from each repo/project and post it with the API to DT and you have a full overview. You have to hook it up so it is done automatically, because of course stuff will always move.

ankit_mishra 2 days ago | parent | prev | next [-]

npm audit - will tell you if there's any packages with known vulnerabilities. https://docs.npmjs.com/cli/v11/commands/npm-audit I'd imagine it's considerably slower than search, but hopefully more reliable.

TZubiri 3 days ago | parent | prev [-]

Any junior engineer should be able to solve this with grep in an afternoon.

aj_g 3 days ago | parent [-]

For several thousand repos? Ensuring none of the 451 package versions have been installed on any branch in any repo? I don't think it's so simple.

TZubiri 2 days ago | parent | next [-]

Aikido published a list of the affected vulns.

You can probably get a list of the repos with a github API or something.

Git clone with org admin user credentials (can be read only) so you have access to all the repos.

Run grep on all package.json files, search for all of the affected packages.

No need to do any code regarding versions, just filter it down and manually process versions if needed. If you have any of these packages, no matter the versions, you should already be making efforts to migrate; kill the baby with the bathwater, cut off the arm before the gangrene spreads. At any rate you can check versions manually after you have filtered it down to something reasonable; part of automating is knowing when to stop.
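The grep-over-clones approach above, as an added example (not code from any commenter or from Aikido): it parses package.json and package-lock.json instead of grepping, so transitive dependencies that never appear in a manifest are caught too, and it reads every branch of a clone with `git show <ref>:<path>` so nothing has to be checked out. The package names and versions in `AFFECTED` are constructed placeholders; substitute the published list. `scan_git_refs` assumes a local clone exists at the given path and that the `git` CLI is on PATH.

```python
"""Scan npm manifests and lockfiles, across all branches of a clone, for affected packages."""
import json
import subprocess
from pathlib import Path

# Constructed placeholder list: package name -> set of known-bad versions.
# Replace with the published list of affected packages/versions.
AFFECTED = {
    "example-color-lib": {"1.2.3", "1.2.4"},
    "example-parse-utils": {"0.9.1"},
}

MANIFEST_FIELDS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")

# Constructed sample inputs used by demo(); not real project files.
SAMPLE_MANIFEST = ('{"name":"app","dependencies":{"example-color-lib":"^1.2.0","left-pad":"1.3.0"},'
                   '"devDependencies":{"example-parse-utils":"0.9.1"}}')
SAMPLE_LOCK = ('{"lockfileVersion":3,"packages":{"":{"name":"app"},'
               '"node_modules/example-color-lib":{"version":"1.2.4"},'
               '"node_modules/left-pad":{"version":"1.3.0"},'
               '"node_modules/x/node_modules/example-parse-utils":{"version":"0.9.0"}}}')


def manifest_packages(pkg):
    """Yield (name, range-spec) pairs declared in a package.json (direct deps only)."""
    for field in MANIFEST_FIELDS:
        for name, spec in pkg.get(field, {}).items():
            yield name, spec


def lockfile_packages(lock):
    """Yield (name, resolved-version) pairs from package-lock.json, including transitive deps.
    Lockfile v2 carries both "packages" and the legacy "dependencies" tree, so read only one."""
    if "packages" in lock:  # lockfile v2/v3: flat map keyed by node_modules path
        for path, meta in lock["packages"].items():
            if path:  # "" is the root project itself
                yield meta.get("name") or path.rsplit("node_modules/", 1)[-1], meta.get("version")
        return

    def walk(deps):  # lockfile v1: nested tree
        for name, meta in deps.items():
            yield name, meta.get("version")
            yield from walk(meta.get("dependencies", {}))
    yield from walk(lock.get("dependencies", {}))


def classify(name, version, affected=AFFECTED):
    """'exact' if a known-bad version is resolved/pinned, 'name' if only the package matches, else None.
    A 'name' hit on a manifest range (e.g. ^1.2.0) still needs the lockfile to tell what was installed."""
    if name not in affected:
        return None
    return "exact" if version in affected[name] else "name"


def scan_document(text, filename, affected=AFFECTED):
    """Return [(name, version, severity)] for one package.json or package-lock.json body."""
    data = json.loads(text)
    pairs = lockfile_packages(data) if filename.endswith("package-lock.json") else manifest_packages(data)
    return [(n, v, sev) for n, v in pairs if (sev := classify(n, v, affected))]


def scan_git_refs(repo, affected=AFFECTED):
    """Scan every local and remote-tracking branch of a clone without checking any out.
    Returns {ref: [(path, name, version, severity), ...]} for refs with findings."""
    git = ["git", "-C", str(Path(repo))]
    refs = subprocess.run(git + ["for-each-ref", "--format=%(refname)", "refs/heads", "refs/remotes"],
                          capture_output=True, text=True, check=True).stdout.split()
    results = {}
    for ref in refs:
        files = subprocess.run(git + ["ls-tree", "-r", "--name-only", ref],
                               capture_output=True, text=True, check=True).stdout.split("\n")
        for f in files:
            # Skip committed node_modules trees; the lockfile already covers what they contain.
            if f.endswith(("package.json", "package-lock.json")) and "node_modules/" not in f:
                body = subprocess.run(git + ["show", f"{ref}:{f}"],
                                      capture_output=True, text=True, check=True).stdout
                for finding in scan_document(body, f, affected):
                    results.setdefault(ref, []).append((f, *finding))
    return results


def demo():
    """Run the parser over the constructed samples (no git needed)."""
    return {
        "package.json": scan_document(SAMPLE_MANIFEST, "package.json"),
        "package-lock.json": scan_document(SAMPLE_LOCK, "package-lock.json"),
    }


if __name__ == "__main__":
    import sys
    # Usage: python scan.py /path/to/clone [...]; with no args, show the sample run.
    for repo in sys.argv[1:] or []:
        print(repo, json.dumps(scan_git_refs(repo), indent=2))
    if len(sys.argv) == 1:
        print(json.dumps(demo(), indent=2))
```

Run it once per clone produced by the org-wide `git clone` loop; a `name` finding on a manifest range means the lockfile (or, on dev boxes, the installed `node_modules`) decides whether a bad version was ever actually resolved, which is why the lockfile pass matters more than the manifest grep.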
