Anyone know of a published tool/script to check for the existence of any of the vulnerable npm packages? I don't see anything like that in the stepsecurity page.

▲

retlehs 5 days ago | parent | next [-]

This won’t protect against everything, but it still seems like a good idea to implement:

https://github.com/danielroe/provenance-action

▲

indigodaddy 5 days ago | parent [-]

Yep I did see that, but I'm not planning on pushing anything, just want a tool to scan for any of the offending packages. Could make my own but feel like somebody must have already made something (and probably better than I can)

▲

dflock 5 days ago | parent [-]

- [supply-chain-security · GitHub Topics · GitHub](https://github.com/topics/supply-chain-security)

- [GitHub - safedep/vet: Protect against malicious open source packages](https://github.com/safedep/vet)

- [GitHub - AikidoSec/safe-chain](https://github.com/AikidoSec/safe-chain)

- npm audit

	▲	indigodaddy 5 days ago \| parent [-]
		vet and safe-chain look good thanks! I'm just dabbling with Node only (no experience really), so haven't used npm audit but will see how that works too. Appreciate the links.

▲

sibeliuss 5 days ago | parent | prev [-]

`npm audit` for known issues