realArcherL/opensecure
Opensecure

Visualize the blast radius of npm supply chain attacks across the top 10,000 packages.

What it does

Most npm packages don't pin exact versions. They use ranges like ^1.13.5, so a fresh npm install quietly pulls the latest match, even if it's compromised.

This tool seeds the top 10,000 npm packages (by downloads and dependents), fetches their dependency graphs from deps.dev, and builds a force graph showing what happens if any one of them gets taken over.

Pick a package and you'll see:

  • how many other top-10,000 packages it would reach
  • how many of those would auto-pull a bad version (^, ~, >=)
  • how many are pinned or need a manual update
  • how deep the chain goes
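The two questions above (does a spec float, and how far does exposure spread) can be answered over a reverse-dependency graph like the one this tool builds. The following is an added example, not code from the opensecure project; the range classifier is a heuristic, the exposure rule is a simplification of real resolver behaviour, and the package names in the sample graph are made up:

```typescript
// Added example, not the opensecure project's code; the package names below are made up.
type Edge = { dependent: string; range: string }; // `dependent` declares the keyed package with `range`
type Graph = Record<string, Edge[]>;              // package -> packages that depend on it
// Does a fresh `npm install` float to a later release? Caret, tilde, >=/>, x-ranges, "*", "" and
// dist-tags do; an exact version is pinned; the rest ("<2.0.0", hyphen ranges) needs a human look.
function classifyRange(range: string): "auto" | "pinned" | "manual" {
  const r = range.trim();
  if (/^=?v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.test(r)) return "pinned";
  if (r === "" || r === "*" || r === "latest") return "auto";
  if (/^[\^~]|>=?|\|\||(^|\.)[xX*](\.|$)|^\d+(\.\d+)?$/.test(r)) return "auto";
  return "manual";
}
// Breadth-first closure over reverse edges; value is the hop count from the nearest seed.
function closure(graph: Graph, seeds: string[]): Map<string, number> {
  const dist = new Map<string, number>();
  seeds.forEach((s) => dist.set(s, 0));
  const queue = seeds.slice();
  while (queue.length > 0) {
    const pkg = queue.shift() as string;
    for (const { dependent } of graph[pkg] || []) {
      if (dist.has(dependent)) continue;
      dist.set(dependent, (dist.get(pkg) as number) + 1);
      queue.push(dependent);
    }
  }
  return dist;
}
function blastRadius(graph: Graph, root: string) {
  const reach = closure(graph, [root]);
  reach.delete(root);
  // A direct dependent is exposed when its own spec on `root` floats; whatever transitively installs
  // an exposed package is exposed too, however tightly it pins it: the floating spec is in that manifest.
  const floating = (graph[root] || []).filter((e) => classifyRange(e.range) === "auto");
  const exposed = closure(graph, floating.map((e) => e.dependent));
  let autoPull = 0, depth = 0;
  reach.forEach((hops, pkg) => {
    if (exposed.has(pkg)) autoPull++;
    if (hops > depth) depth = hops;
  });
  return { reached: reach.size, autoPull, pinnedOrManual: reach.size - autoPull, depth };
}
// Constructed sample graph; "core-lib" plays the compromised package.
const sample: Graph = {
  "core-lib": [{ dependent: "utils", range: "^1.3.0" },    // floats: a fresh install pulls a bad 1.x
               { dependent: "old-tool", range: "1.3.0" }],  // pinned: safe until old-tool re-releases
  utils: [{ dependent: "framework", range: "2.0.0" }],      // pins utils, but utils' caret still floats
  framework: [{ dependent: "app", range: "~3.1.0" }],
  "old-tool": [{ dependent: "legacy-app", range: ">=1.0.0" }],
};
console.log(blastRadius(sample, "core-lib")); // { reached: 5, autoPull: 3, pinnedOrManual: 2, depth: 3 }
```

Note that `legacy-app` uses a floating `>=` range on `old-tool` yet is still counted as not auto-pulling: the hop that matters is `old-tool`'s own pinned spec on the compromised package.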

Commands

npm run build       # compile TS
npm run seed        # top 10,000 packages -> data/top.json
npm run fetch       # fetch from deps.dev -> data/raw/*.json
npm run graph       # build graph -> data/graph.json
npm run viz         # serve at localhost:3000

Run in order: build > seed > fetch > graph > viz

References

Analytics

This site uses Umami for privacy-friendly, cookieless analytics. No personal data is collected.

License

MIT
