npm debug and chalk packages compromised
// Only exec() is needed: the scan shells out to `npm ls` once and parses its JSON.
const childProcess = require('child_process');
const { exec } = childProcess;
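// --- Denylist of compromised package versions to check for ---
// Source: https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
// Keyed by package name; the value is the exact version that was published
// with the malicious payload. Only an exact version match counts as a hit.
// Frozen so nothing else in the process can silently add, drop or rewrite an
// entry of the denylist after it is defined.
const COMPROMISED_PACKAGES = Object.freeze({
  "backslash": "0.2.1",
  "chalk-template": "1.1.1",
  "supports-hyperlinks": "4.1.1",
  "has-ansi": "6.0.1",
  "simple-swizzle": "0.2.3",
  "color-string": "2.1.1",
  "error-ex": "1.3.3",
  "color-name": "2.0.1",
  "is-arrayish": "0.3.3",
  "slice-ansi": "7.1.1",
  "color-convert": "3.1.1",
  "wrap-ansi": "9.0.1",
  "ansi-regex": "6.2.1",
  "supports-color": "10.2.1",
  "strip-ansi": "7.1.1",
  "chalk": "5.6.1",
  "debug": "4.4.2",
  "ansi-styles": "6.2.2",
});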
// --- ANSI escape sequences used to colour terminal output ---
// NC resets the terminal back to its default colour.
const colors = Object.fromEntries([
  ['RED', '\x1b[31m'],
  ['GREEN', '\x1b[32m'],
  ['YELLOW', '\x1b[33m'],
  ['NC', '\x1b[0m'], // No Color
]);
// Banner printed before the scan starts: a coloured headline and a separator.
for (const line of [
  `${colors.YELLOW}脆弱性スキャンを開始します...${colors.NC}`,
  "------------------------------------",
]) {
  console.log(line);
}
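// Run `npm ls --json --all` and walk the resulting dependency tree.
// maxBuffer is raised (10 MiB) because the full tree of a large project
// easily exceeds exec()'s default buffer, which would surface as an error.
exec('npm ls --json --all', { maxBuffer: 1024 * 1024 * 10 }, (error, stdout, stderr) => {
  // npm ls exits non-zero for extraneous/missing/invalid packages but still
  // prints the tree, so only give up when there is no output to parse at all.
  if (error && !stdout) {
    console.error(`${colors.RED}エラー: npm lsコマンドの実行に失敗しました。${colors.NC}`);
    console.error(stderr);
    return;
  }

  // Parse defensively: a truncated buffer or non-JSON output would otherwise
  // throw inside the callback and crash the scan with a bare stack trace.
  let dependencies;
  try {
    dependencies = JSON.parse(stdout);
  } catch (parseError) {
    console.error(`${colors.RED}エラー: npm lsの出力をJSONとして解析できませんでした。${colors.NC}`);
    console.error(parseError.message);
    return;
  }

  const foundVulnerabilities = new Set(); // Set avoids duplicate reports of the same name@version

  // Depth-first walk of the dependency tree. `npm ls --json` emits a tree,
  // not a graph (deduped nodes carry no `dependencies`), so no visited-set
  // is needed to terminate.
  function findDependencies(node) {
    if (!node || typeof node !== 'object' || !node.dependencies) {
      return;
    }
    for (const [depName, dependency] of Object.entries(node.dependencies)) {
      // hasOwnProperty keeps package names that collide with Object.prototype
      // members (e.g. "constructor") from matching the denylist by accident.
      const isListed = Object.prototype.hasOwnProperty.call(COMPROMISED_PACKAGES, depName);
      // Only an exact version match is a hit; nodes without a version
      // (e.g. missing packages) never match.
      if (isListed && dependency?.version === COMPROMISED_PACKAGES[depName]) {
        foundVulnerabilities.add(`${depName}@${dependency.version}`);
      }
      // Descend into this package's own dependencies.
      findDependencies(dependency);
    }
  }

  findDependencies(dependencies);

  console.log("------------------------------------");
  if (foundVulnerabilities.size > 0) {
    console.log(`${colors.RED}スキャン完了: ${foundVulnerabilities.size}件の脆弱なパッケージが見つかりました。${colors.NC}`);
    for (const vuln of foundVulnerabilities) {
      console.log(`🚨 ${colors.RED}脆弱なバージョンが検出されました: ${vuln}${colors.NC}`);
    }
    console.log("各ライブラリのアップデートを検討してください。");
    // NOTE: the exit status stays 0 even when findings exist; set
    // `process.exitCode = 1` here if a CI job should fail on detections.
  } else {
    console.log(`✅ ${colors.GREEN}スキャン完了: 脆弱なパッケージは見つかりませんでした。${colors.NC}`);
  }
});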
これ自体に悪意がある可能性があるのでコードはちゃんと見てくださいね