
@vltpkg/security-archive

Classes

SecurityArchive

Defined in: src/security-archive/src/index.ts:100

A database of security information for given packages in a graph.

Calling SecurityArchive.refresh() updates the local cache with information from the socket.dev APIs, or loads it from local storage when available. Security information for a package is then available through SecurityArchive.get().

Extends

LRUCache<DepID, PackageReportData>

Implements

SecurityArchiveLike

Constructors

new SecurityArchive()
new SecurityArchive(options): SecurityArchive

Defined in: src/security-archive/src/index.ts:139

Parameters
options

SecurityArchiveOptions = {}

Returns

SecurityArchive

Overrides
LRUCache<DepID, PackageReportData>.constructor

Properties

ok
ok: boolean = false

Defined in: src/security-archive/src/index.ts:112

True if the refresh process was successful and report data is available for all public registry packages in the graph.

Implementation of

SecurityArchiveLike.ok

Accessors

defaultMax
Get Signature
get static defaultMax(): number

Defined in: src/security-archive/src/index.ts:128

By default, the in-memory archive is limited to 100K entries.

Returns

number

defaultTtl
Get Signature
get static defaultTtl(): number

Defined in: src/security-archive/src/index.ts:135

By default, entries are cached for 3 hours.

Returns

number

Methods

refresh()
refresh(__namedParameters): Promise<void>

Defined in: src/security-archive/src/index.ts:341

Starts the security archive from the given GraphLike instance; its registry-based nodes define the set of valid potential entries.

Any entry missing from the persisted cache values is requested from the remote socket.dev API in a single batch request.

Parameters
__namedParameters

SecurityArchiveRefreshOptions

Returns

Promise<void>

toJSON()
toJSON(): Record<DepID, PackageReportData>

Defined in: src/security-archive/src/index.ts:378

Outputs the current in-memory cache as a JSON object.

Returns

Record<DepID, PackageReportData>

start()
static start(options): Promise<SecurityArchive>

Defined in: src/security-archive/src/index.ts:117

Creates a new security archive instance and starts the refresh process.

Parameters
options

OptionsBase<DepID, PackageReportData, unknown> & object & SecurityArchiveRefreshOptions

Returns

Promise<SecurityArchive>

Interfaces

SecurityArchiveLike

Defined in: src/security-archive/src/types.ts:24

An interface for interacting with a security archive.

Properties

clear()
clear: () => void;

Defined in: src/security-archive/src/types.ts:29

Returns

void

delete()
delete: (depId) => void;

Defined in: src/security-archive/src/types.ts:27

Parameters
depId

DepID

Returns

void

get()
get: (depId) => undefined | PackageReportData;

Defined in: src/security-archive/src/types.ts:25

Parameters
depId

DepID

Returns

undefined | PackageReportData

has()
has: (depId) => boolean;

Defined in: src/security-archive/src/types.ts:28

Parameters
depId

DepID

Returns

boolean

ok?
optional ok: boolean;

Defined in: src/security-archive/src/types.ts:30

set()
set: (depId, data) => void;

Defined in: src/security-archive/src/types.ts:26

Parameters
depId

DepID

data

PackageReportData

Returns

void
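
The contract above, together with the class description (refresh() fills the archive, get() reads it, ok reports whether every public-registry package in the graph got a report), is what a consumer builds on. The following is an added example, not code from @vltpkg/security-archive: it spells out SecurityArchiveLike, backs it with a Map in place of a refreshed SecurityArchive, and runs a policy gate over the report data. The DepID strings, alert types and score values are constructed; only the subset of PackageReportData used by the gate is declared.

```typescript
// Added example, not code from @vltpkg/security-archive. It spells out the
// SecurityArchiveLike contract, backs it with a Map, and runs a policy gate
// over the report data the way a consumer of a refreshed archive would.
// The DepID values and the alert/score numbers below are constructed.

type DepID = string
type Severity = 'low' | 'medium' | 'high' | 'critical'

// Subset of PackageAlert / PackageScore / PackageReportData used here.
type PackageAlert = { type: string; key: string; category: string; severity: Severity }
type PackageScore = {
  license: number
  maintenance: number
  overall: number
  quality: number
  supplyChain: number
  vulnerability: number
}
type PackageReportData = {
  id: string
  name: string
  version: string
  type: 'npm'
  alerts: PackageAlert[]
  score: PackageScore
}

interface SecurityArchiveLike {
  get: (depId: DepID) => PackageReportData | undefined
  set: (depId: DepID, data: PackageReportData) => void
  delete: (depId: DepID) => void
  has: (depId: DepID) => boolean
  clear: () => void
  ok?: boolean
}

// Map-backed stand-in for a refreshed SecurityArchive (no LRU, no TTL).
class MapArchive implements SecurityArchiveLike {
  private readonly store = new Map<DepID, PackageReportData>()
  ok = false
  get = (depId: DepID) => this.store.get(depId)
  set = (depId: DepID, data: PackageReportData) => { this.store.set(depId, data) }
  delete = (depId: DepID) => { this.store.delete(depId) }
  has = (depId: DepID) => this.store.has(depId)
  clear = () => this.store.clear()
}

const SEVERITY_RANK: Record<Severity, number> = { low: 0, medium: 1, high: 2, critical: 3 }

type PolicyOptions = {
  failOn: Severity        // alerts at or above this severity block the package
  minSupplyChain: number  // floor for score.supplyChain (0-1)
}
type Verdict = { depId: DepID; reasons: string[] }

// Returns one Verdict per blocked package, in the order the dep IDs were given.
// A missing report blocks too: if the archive's refresh did not complete
// (ok === false) it cannot vouch for packages it never received data for,
// and an absent report must never be read as "no alerts".
function evaluate(archive: SecurityArchiveLike, depIds: DepID[], opts: PolicyOptions): Verdict[] {
  const verdicts: Verdict[] = []
  for (const depId of depIds) {
    const reasons: string[] = []
    const report = archive.get(depId)
    if (report === undefined) {
      reasons.push(archive.ok ? 'no report for package' : 'archive refresh incomplete, report missing')
    } else {
      for (const alert of report.alerts) {
        if (SEVERITY_RANK[alert.severity] >= SEVERITY_RANK[opts.failOn]) {
          reasons.push(`${alert.severity} alert: ${alert.type}`)
        }
      }
      if (report.score.supplyChain < opts.minSupplyChain) {
        reasons.push(`supplyChain score ${report.score.supplyChain} below ${opts.minSupplyChain}`)
      }
    }
    if (reasons.length > 0) verdicts.push({ depId, reasons })
  }
  return verdicts
}

// Constructed sample archive: three reports, and 'pkg-d' deliberately absent.
function sampleArchive(): MapArchive {
  const score = (supplyChain: number): PackageScore =>
    ({ license: 1, maintenance: 0.9, overall: 0.8, quality: 0.9, supplyChain, vulnerability: 1 })
  const archive = new MapArchive()
  archive.set('pkg-a', { id: 'a', name: 'left-pad', version: '1.3.0', type: 'npm', alerts: [], score: score(0.95) })
  archive.set('pkg-b', { id: 'b', name: 'evil-pad', version: '0.0.1', type: 'npm',
    alerts: [{ type: 'malware', key: 'k1', category: 'supplyChainRisk', severity: 'critical' }], score: score(0.2) })
  archive.set('pkg-c', { id: 'c', name: 'old-pad', version: '2.0.0', type: 'npm',
    alerts: [{ type: 'deprecated', key: 'k2', category: 'maintenance', severity: 'medium' }], score: score(0.8) })
  archive.ok = true
  return archive
}

// With the constructed data: pkg-b is blocked for its critical alert and low
// supply-chain score, pkg-d because it has no report; pkg-a and pkg-c pass.
const blocked = evaluate(sampleArchive(), ['pkg-a', 'pkg-b', 'pkg-c', 'pkg-d'],
  { failOn: 'high', minSupplyChain: 0.5 })
console.log(JSON.stringify(blocked, null, 2))
```

The gate reads ok before deciding what a missing entry means: with ok === true a missing report is a package the archive simply does not cover, with ok === false it may be a package the remote API never answered for, and in both cases the package is flagged rather than waved through.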

Type Aliases

DBReadEntry

type DBReadEntry = object

Defined in: src/security-archive/src/index.ts:34

Type declaration

depID
depID: string
report
report: string
start
start: number
ttl
ttl: number

DBWriteEntry

type DBWriteEntry = [string, string, number, number]

Defined in: src/security-archive/src/index.ts:41
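
DBReadEntry and DBWriteEntry are the row shapes the archive persists to the sqlite database named under SecurityArchiveOptions.path, and start plus ttl are what make a persisted row expire. The block below is an added example, not code from @vltpkg/security-archive: it round-trips the two shapes and decides which persisted rows may be loaded and which dep IDs must go back to the remote API. It assumes the tuple's column order matches the object keys (depID, report, start, ttl), that start is an epoch-millisecond timestamp and ttl a duration in milliseconds, and that the report column holds a JSON-serialised report; the page does not state any of that. Rows and timestamps are constructed.

```typescript
// Added example, not code from @vltpkg/security-archive. It round-trips the
// DBReadEntry / DBWriteEntry shapes and decides which persisted rows are
// still fresh. Assumptions: tuple column order matches the object keys
// (depID, report, start, ttl); start is epoch milliseconds and ttl a
// duration in milliseconds; the report column is a JSON-serialised report.
// Timestamps and rows are constructed.

type DBReadEntry = { depID: string; report: string; start: number; ttl: number }
type DBWriteEntry = [string, string, number, number]

// Matches the 3 hour default documented for SecurityArchive.defaultTtl.
const DEFAULT_TTL_MS = 3 * 60 * 60 * 1000

function toWriteEntry(e: DBReadEntry): DBWriteEntry {
  return [e.depID, e.report, e.start, e.ttl]
}

function fromWriteEntry(row: DBWriteEntry): DBReadEntry {
  const [depID, report, start, ttl] = row
  return { depID, report, start, ttl }
}

// Fresh while now < start + ttl. A non-finite start/ttl or ttl <= 0 is
// treated as stale here (this example's rule, not LRUCache's): such a row in
// the on-disk cache is damaged or tampered with, and the safe failure mode
// for security data is a re-fetch, not indefinite trust.
function isFresh(e: DBReadEntry, now: number): boolean {
  if (!Number.isFinite(e.start) || !Number.isFinite(e.ttl) || e.ttl <= 0) return false
  return now < e.start + e.ttl
}

// Split the wanted dep IDs into rows that can be loaded from the persisted
// cache and IDs that must go to the remote API in the next batch request.
// The persisted start is kept rather than reset to load time, so a restart
// does not silently extend the lifetime of old security data.
function partitionRows(
  rows: DBWriteEntry[],
  wanted: string[],
  now: number,
): { load: DBReadEntry[]; refetch: string[] } {
  const fresh = new Map<string, DBReadEntry>()
  for (const row of rows) {
    const e = fromWriteEntry(row)
    if (isFresh(e, now)) fresh.set(e.depID, e)
  }
  const load: DBReadEntry[] = []
  const refetch: string[] = []
  for (const depID of wanted) {
    const e = fresh.get(depID)
    if (e) load.push(e)
    else refetch.push(depID)
  }
  return { load, refetch }
}

// Constructed rows relative to `now`: one written an hour ago (fresh), one
// four hours ago (expired), one with a zero ttl (rejected).
function sampleRows(now: number): DBWriteEntry[] {
  const hour = 60 * 60 * 1000
  const report = JSON.stringify({ name: 'left-pad', version: '1.3.0', alerts: [] })
  return [
    toWriteEntry({ depID: 'pkg-a', report, start: now - 1 * hour, ttl: DEFAULT_TTL_MS }),
    toWriteEntry({ depID: 'pkg-b', report, start: now - 4 * hour, ttl: DEFAULT_TTL_MS }),
    toWriteEntry({ depID: 'pkg-c', report, start: now, ttl: 0 }),
  ]
}

const now = 1_700_000_000_000
console.log(partitionRows(sampleRows(now), ['pkg-a', 'pkg-b', 'pkg-c', 'pkg-d'], now))
```

Only pkg-a loads from disk; pkg-b has aged past the TTL, pkg-c carries an invalid TTL, and pkg-d was never persisted, so all three go into the batch request.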


JSONItemResponse

type JSONItemResponse = object

Defined in: src/security-archive/src/index.ts:28

Type declaration

name
name: string
namespace?
optional namespace: `@${string}`;
version
version: string

PackageAlert

type PackageAlert = object

Defined in: src/security-archive/src/types.ts:65

A known alert for a given package.

Type declaration

category
category: string
key
key: string
props?
optional props: PackageAlertProps;
severity
severity: 'low' | 'medium' | 'high' | 'critical'
type
type: string

PackageAlertProps

type PackageAlertProps = object

Defined in: src/security-archive/src/types.ts:56

Package alert extra information.

Type declaration

cveId?
optional cveId: `CVE-${string}`;
cwes?
optional cwes: object[];
lastPublish
lastPublish: string

PackageReportData

type PackageReportData = object

Defined in: src/security-archive/src/types.ts:106

The report data for a given package.

Type declaration

alerts
alerts: PackageAlert[];
author
author: string[];
id
id: string
license
license: string
name
name: string
namespace?
optional namespace: `@${string}`;
score
score: PackageScore
size
size: number
type
type: 'npm'
version
version: string

PackageScore

type PackageScore = object

Defined in: src/security-archive/src/types.ts:76

The scores for a given package

Type declaration

license
license: number

Score factors relating to package licensing (0-1)

maintenance
maintenance: number

Score factors relating to package maintenance (0-1)

overall
overall: number

The average of all score factors (0-1)

quality
quality: number

Score factors relating to code quality (0-1)

supplyChain
supplyChain: number

Score factors relating to supply chain security (0-1)

vulnerability
vulnerability: number

Score factors relating to package vulnerabilities (0-1)


SecurityArchiveOptions

type SecurityArchiveOptions = LRUCache.OptionsBase<
DepID,
PackageReportData,
unknown
> &
object

Defined in: src/security-archive/src/index.ts:43

Type declaration

fetchMethod?
optional fetchMethod: undefined;

The security archive does not support a fetch-on-demand model.

path?
optional path: string;

An optional value for the path in which to store the sqlite db.

retries?
optional retries: number;

Number of retry attempts to reach the remote security API.


SecurityArchiveRefreshOptions

type SecurityArchiveRefreshOptions = object

Defined in: src/security-archive/src/types.ts:9

Parameter options for initializing a security archive.

Type declaration

graph
graph: GraphLike

A GraphLike instance used to determine which packages the security archive should hold.

specOptions
specOptions: SpecOptions

A SpecOptions instance to use for resolving dependencies.

Variables

targetSecurityRegisty

const targetSecurityRegisty: 'https://registry.npmjs.org/' =
'https://registry.npmjs.org/'

Defined in: src/security-archive/src/index.ts:26


version

version: string

Defined in: src/security-archive/src/index.ts:85

Functions

asPackageReportData()

function asPackageReportData(o): PackageReportData

Defined in: src/security-archive/src/types.ts:132

Parameters

o

unknown

Returns

PackageReportData


asSecurityArchiveLike()

function asSecurityArchiveLike(o): SecurityArchiveLike

Defined in: src/security-archive/src/types.ts:44

Parameters

o

unknown

Returns

SecurityArchiveLike


isPackageReportData()

function isPackageReportData(o): o is PackageReportData

Defined in: src/security-archive/src/types.ts:119

Parameters

o

unknown

Returns

o is PackageReportData


isSecurityArchiveLike()

function isSecurityArchiveLike(o): o is SecurityArchiveLike

Defined in: src/security-archive/src/types.ts:33

Parameters

o

unknown

Returns

o is SecurityArchiveLike
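
Report data reaches the archive from two untrusted places, the remote API response and the sqlite cache on disk, which is why guards like isPackageReportData and asPackageReportData exist before anything is typed as PackageReportData. The block below is an added example and not the package's own guard: it is an independent structural check over the PackageReportData shape declared on this page. Which properties the real guard inspects, and how strictly, is not stated here and is assumed; the 0-1 score range follows the PackageScore documentation. The sample JSON is constructed.

```typescript
// Added example, not the package's own isPackageReportData /
// asPackageReportData. A structural validator for a report arriving from the
// remote API or the on-disk cache, both untrusted. The property set is the
// PackageReportData type from the docs; which properties the real guard
// checks is not stated there and is assumed here. Sample JSON is constructed.

type Severity = 'low' | 'medium' | 'high' | 'critical'
const SEVERITIES: readonly string[] = ['low', 'medium', 'high', 'critical']
const SCORE_KEYS = ['license', 'maintenance', 'overall', 'quality', 'supplyChain', 'vulnerability'] as const

type PackageAlert = { type: string; key: string; category: string; severity: Severity; props?: Record<string, unknown> }
type PackageScore = Record<(typeof SCORE_KEYS)[number], number>
type PackageReportData = {
  id: string
  name: string
  namespace?: `@${string}`
  version: string
  type: 'npm'
  author: string[]
  license: string
  size: number
  alerts: PackageAlert[]
  score: PackageScore
}

const isRecord = (o: unknown): o is Record<string, unknown> =>
  typeof o === 'object' && o !== null && !Array.isArray(o)
// Scores are documented as 0-1; anything else (including NaN) is rejected.
const isUnit = (n: unknown): n is number =>
  typeof n === 'number' && Number.isFinite(n) && n >= 0 && n <= 1
const isSeverity = (s: unknown): s is Severity =>
  typeof s === 'string' && SEVERITIES.includes(s)

function isPackageAlertLike(o: unknown): o is PackageAlert {
  return isRecord(o)
    && typeof o.type === 'string' && typeof o.key === 'string' && typeof o.category === 'string'
    && isSeverity(o.severity)
    && (o.props === undefined || isRecord(o.props))
}

function isPackageScoreLike(o: unknown): o is PackageScore {
  if (!isRecord(o)) return false
  const rec = o
  return SCORE_KEYS.every(k => isUnit(rec[k]))
}

function isPackageReportDataLike(o: unknown): o is PackageReportData {
  if (!isRecord(o) || o.type !== 'npm') return false
  for (const k of ['id', 'name', 'version', 'license'] as const) {
    if (typeof o[k] !== 'string') return false
  }
  if (o.namespace !== undefined && !(typeof o.namespace === 'string' && o.namespace.startsWith('@'))) return false
  if (!Array.isArray(o.author) || !o.author.every(a => typeof a === 'string')) return false
  if (typeof o.size !== 'number' || !Number.isFinite(o.size) || o.size < 0) return false
  if (!Array.isArray(o.alerts) || !o.alerts.every(isPackageAlertLike)) return false
  return isPackageScoreLike(o.score)
}

// Parse untrusted JSON and either return a typed report or fail closed.
function parseReport(json: string): PackageReportData {
  const value: unknown = JSON.parse(json)
  if (!isPackageReportDataLike(value)) throw new Error('not a PackageReportData')
  return value
}

// Constructed sample in the documented shape.
const SAMPLE_JSON = JSON.stringify({
  id: 'sample-id', name: 'left-pad', version: '1.3.0', type: 'npm', author: ['someone'],
  license: 'MIT', size: 2048,
  alerts: [{ type: 'deprecated', key: 'k1', category: 'maintenance', severity: 'medium' }],
  score: { license: 1, maintenance: 0.7, overall: 0.85, quality: 0.9, supplyChain: 0.95, vulnerability: 1 },
})

// Copy of the sample with one mutation applied, for negative cases.
function withMutation(json: string, mutate: (doc: any) => void): string {
  const doc = JSON.parse(json)
  mutate(doc)
  return JSON.stringify(doc)
}

console.log(parseReport(SAMPLE_JSON).name)
console.log(isPackageReportDataLike(JSON.parse(withMutation(SAMPLE_JSON, d => { d.alerts[0].severity = 'severe' }))))
```

The guard is deliberately closed: an unknown severity, a score outside 0-1, a scope that does not start with "@", or a non-object are all rejected, so a malformed or tampered cache row never becomes a trusted report.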