a Node.js CLI created to simplify the analysis of npm registry packages.

I personally created this project to analyze npm packages by various criteria (popularity etc). Most researchers re-create the same codes over and over again and I thought it might be nice to have a CLI and various methods to simplify our lives.

• Pull packages from the npm registry by divers criteria.
• Offers you various methods to read and extract information from the npm tarball.
• Include js-x-ray by default.
• Functionalities can be extended

• Node.js v14 or higher

This package is available in the Node Package Repository and can be easily installed with npm or yarn.

$ npm i npm-security-fetcher -g

or

$ git clone https://github.com/fraxken/npm-security-fetcher.git
$ cd npm-security-fetcher
$ npm ci
$ npm link

Then the nsf binary will be available in your terminal.

$ nsf --help

The first step is to create a javascript file with three methods:

• init (run before fetching and extracting packages from the npm registry).
• run (called for each downloaded npm packages).
• close (run at the end when there is no more packages to fetch).

This script must use the latest Node.js ESM (it also support top-level-await).

import path from "path";

export async function init() {
    const baseDir = path.join(process.cwd(), "results");

    return { baseDir }; // <-- init and return context object!
}

export async function close(ctx) {
    console.log("close triggered");
}

export async function run(ctx, { name, location, root }) {
    console.log(ctx.baseDir);
    console.log(`handle package name: ${name}, location: ${location}`);
}

There is no restriction on the nature of the context.

After editing your file you can run your script as follows

$ nsf npm myfile.js

The root folder "example" contains real world examples that are used (for js-x-ray etc).

Thanks goes to these wonderful people (emoji key):

Gentilhomme 💻 📖 👀 🛡️ 🐛

Nicolas Hallaert 📖

MIT