Gathering detailed insights and metrics for bpr-npm-audit
Gathering detailed insights and metrics for bpr-npm-audit
Installations
npm install bpr-npm-auditDeveloper Guide
BETA
Typescript
No
Module System
N/A
Node Version
20.14.0
NPM Version
10.7.0
Score
70.8
Supply Chain
99.3
Quality
77
Maintenance
100
Vulnerability
87.1
License
Releases
Unable to fetch releases
Languages
1
JavaScript
JavaScript (100%)
Developer
saibotsivad
Download Statistics
Total Downloads
76,721
Last Day
85
Last Week
547
Last Month
1,957
Last Year
21,934
GitHub Statistics
NOASSERTION License
4 Stars
54 Commits
7 Forks
3 Watchers
1 Branches
4 Contributors
Updated on Dec 13, 2024
Bundle Size
3.51 kB
Minified
1.78 kB
Minified + Gzipped
Maintainers
1
Package Meta Information
Latest Version
1.4.4
Package Id
bpr-npm-audit@1.4.4
Unpacked Size
82.26 kB
Size
62.10 kB
File Count
22
NPM Version
10.7.0
Node Version
20.14.0
Published on
Jul 31, 2024
Total Downloads
Cumulative downloads
Total Downloads
76,721
Last Day
-44.1%
85
Compared to previous day
Last Week
91.3%
547
Compared to previous week
Last Month
41.4%
1,957
Compared to previous month
Last Year
-1.8%
21,934
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
No dependencies detected.
bpr-npm-audit
Bitbucket Pipelines added reports as a feature in pull requests.
With this module, you can get the results of npm audit as a report, with zero configuration, using npx:
1pipelines: 2 my-pipeline: 3 - step: 4 script: 5 - npx bpr-npm-audit
Have a look at this example pull request, which generates a report like this:
Security
This module has zero dependencies (outside of NodeJS), and is simple enough to audit yourself.
If you are very paranoid, I recommend forking this repository, auditing the forked code, and then using npx pointed to your fork:
1pipelines: 2 my-pipeline: 3 - step: 4 script: 5 - npx username/bpr-npm-audit
(Where username is your Github username.)
Configure
Parameters are passed in as environment variables. For example:
1pipelines: 2 my-pipeline: 3 - step: 4 script: 5 - BPR_NAME="My Report" BPR_ID="myid" BPR_LEVEL="low" BPR_MAX_BUFFER_SIZE="20971520" npx bpr-npm-audit
proxy
Configure by setting the environment variable BPR_PROXY to one of these options.
local- (default) Used in normal Pipelines.pipe- Used in custom pipes.
Report Name
Configure by setting the environment variable BPR_NAME.
Default: Security: npm audit
Report ID
Configure by setting the environment variable BPR_ID.
Default: npmaudit
Fail Condition
Configure by setting the environment variable BPR_LEVEL to one of these options:
lowmoderatehigh(the default)critical
If there are any vulnerabilities at that level or higher, the report will be marked as failed.
Reporting Level
Configure by setting the environment BPR_LOG to any of the BPR_LEVEL values.
If this is not set, all audit log entries will be included in the Pipeline Report.
Setting this property will limit the Report to contain only audit log entries at this level or higher.
Max Buffer Size
Configure by setting the environment variable BPR_MAX_BUFFER_SIZE to desired value in bytes.
Default: 10485760 (10 MB)
The value shouldn't be changed unless you run into problems with npm audit output being too large to handle
(usually signalled by Unexpected end of JSON input error).
License
This project is published and released under the Very Open License.
(Made with ❤️ by Tobias Davis.)
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
0 existing vulnerabilities detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE.md:0
- Warn: project license file does not contain an FSF or OSI license.
Reason
dependency not pinned by hash detected -- score normalized to 3
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/saibotsivad/bpr-npm-audit/test.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/saibotsivad/bpr-npm-audit/test.yml/master?enable=pin
- Info: 0 out of 2 GitHub-owned GitHubAction dependencies pinned
- Info: 1 out of 1 npmCommand dependencies pinned
Reason
Found 3/22 approved changesets -- score normalized to 1
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/test.yml:1
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'master'
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 11 are checked with a SAST tool
Score
3.7
/10
Last Scanned on 2025-05-05
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More