@vltpkg/security-archive

Classes

SecurityArchive

Defined in: src/security-archive/src/index.ts:107

A database of security information for given packages from a list of nodes.

Using the SecurityArchive.refresh() method will update the local cache with information from the socket.dev APIs or load from the local storage if available. Information about package security is then available using the SecurityArchive.get() method.

Extends

• LRUCache<DepID, PackageReportData>

Implements

• SecurityArchiveLike

Constructors

new SecurityArchive()

new SecurityArchive(options): SecurityArchive

Defined in: src/security-archive/src/index.ts:149

Parameters

options

SecurityArchiveOptions = {}

Returns

SecurityArchive

Overrides

LRUCache<DepID, PackageReportData>.constructor

Properties

ok

ok: boolean = false

Defined in: src/security-archive/src/index.ts:122

True if the refresh process was successful and report data is available for all public registry packages from the initial list of nodes.

Implementation of

SecurityArchiveLike.ok

Accessors

defaultMax

Get Signature

get static defaultMax(): number

Defined in: src/security-archive/src/index.ts:138

By default, limits to 100K entries in the in-memory archive.

Returns

number

defaultTtl

Get Signature

get static defaultTtl(): number

Defined in: src/security-archive/src/index.ts:145

By default, entries are cached for 3 hours.

Returns

number

Methods

refresh()

refresh(__namedParameters): Promise<void>

Defined in: src/security-archive/src/index.ts:425

Starts the security archive by providing an array of NodeLike instances, its registry-based nodes are going to be used as valid potential entries.

Any entry that is missing from the persisted cached values are going to be requested in a batch-request to the remote socket.dev API.

Parameters

__namedParameters

SecurityArchiveRefreshOptions

Returns

Promise<void>

toJSON()

toJSON(): Record<DepID, PackageReportData>

Defined in: src/security-archive/src/index.ts:488

Outputs the current in-memory cache as a JSON object.

Returns

Record<DepID, PackageReportData>

start()

static start(options): Promise<SecurityArchive>

Defined in: src/security-archive/src/index.ts:127

Creates a new security archive instance and starts the refresh process.

Parameters

options

OptionsBase<DepID, PackageReportData, unknown> & object & SecurityArchiveRefreshOptions

Returns

Promise<SecurityArchive>

Interfaces

SecurityArchiveLike

Defined in: src/security-archive/src/types.ts:19

An interface for interacting with a security archive.

Properties

clear()

clear: () => void;

Defined in: src/security-archive/src/types.ts:24

Returns

void

delete()

delete: (depId) => void;

Defined in: src/security-archive/src/types.ts:22

Parameters

depId

DepID

Returns

void

get()

get: depId => undefined | PackageReportData

Defined in: src/security-archive/src/types.ts:20

Parameters

depId

DepID

Returns

undefined | PackageReportData

has()

has: depId => boolean

Defined in: src/security-archive/src/types.ts:23

Parameters

depId

DepID

Returns

boolean

ok?

optional ok: boolean;

Defined in: src/security-archive/src/types.ts:25

set()

set: (depId, data) => void;

Defined in: src/security-archive/src/types.ts:21

Parameters

depId

DepID

data

PackageReportData

Returns

void

Type Aliases

DBReadEntry

type DBReadEntry = object

Defined in: src/security-archive/src/index.ts:41

Type declaration

depID

depID: string

now

now: number

report

report: string

start

start: number

ttl

ttl: number

---

DBWriteEntry

type DBWriteEntry = [string, string, number, number]

Defined in: src/security-archive/src/index.ts:49

---

JSONItemResponse

type JSONItemResponse = object

Defined in: src/security-archive/src/index.ts:27

Type declaration

name

name: string

namespace?

optional namespace: "@{string}";

score

score: object

score.license

score.license: number;

score.maintenance

score.maintenance: number;

score.overall

score.overall: number;

score.quality

score.quality: number;

score.supplyChain

score.supplyChain: number;

score.vulnerability

score.vulnerability: number;

version

version: string

---

PackageAlert

type PackageAlert = object

Defined in: src/security-archive/src/types.ts:60

A known alert for a given package.

Type declaration

category

category: string

key

key: string

props?

optional props: PackageAlertProps;

severity

severity: 'low' | 'medium' | 'high' | 'critical'

type

type: string

---

PackageAlertProps

type PackageAlertProps = object

Defined in: src/security-archive/src/types.ts:51

Package alert extra information.

Type declaration

cveId?

optional cveId: `CVE-${string}`;

cwes?

optional cwes: object[];

lastPublish

lastPublish: string

---

PackageReportData

type PackageReportData = object

Defined in: src/security-archive/src/types.ts:101

The report data for a given package.

Type declaration

alerts

alerts: PackageAlert[];

author

author: string[];

id

id: string

license

license: string

name

name: string

namespace?

optional namespace: `@${string}`;

score

score: PackageScore

size

size: number

type

type: 'npm'

version

version: string

---

PackageScore

type PackageScore = object

Defined in: src/security-archive/src/types.ts:71

The scores for a given package

Type declaration

license

license: number

Score factors relating to package licensing (0-1)

maintenance

maintenance: number

Score factors relating to package maintenance (0-1)

overall

overall: number

The average of all score factors. (0-1)

quality

quality: number

Score factors relating to code quality (0-1)

supplyChain

supplyChain: number

Score factors relating to supply chain security (0-1)

vulnerability

vulnerability: number

Score factors relating to package vulnerabilities (0-1)

---

SecurityArchiveOptions

type SecurityArchiveOptions = LRUCache.OptionsBase<
  DepID,
  PackageReportData,
  unknown
> &
  object

Defined in: src/security-archive/src/index.ts:51

Type declaration

fetchMethod?

optional fetchMethod: undefined;

Security archive does not supports a fetch-on-demand model.

path?

optional path: string;

An optional value for the path in which to store the sqlite db.

retries?

optional retries: number;

Number of retries attempts to reach the remote security API.

---

SecurityArchiveRefreshOptions

type SecurityArchiveRefreshOptions = object

Defined in: src/security-archive/src/types.ts:8

Parameter options for initializing a security archive.

Type declaration

nodes

nodes: NodeLike[];

A @link{GraphLike} instance to find what packages the security archive should have.

Variables

targetSecurityRegisty

const targetSecurityRegisty: 'https://registry.npmjs.org/' =
  'https://registry.npmjs.org/'

Defined in: src/security-archive/src/index.ts:25

---

version

version: string

Defined in: src/security-archive/src/index.ts:92

Functions

asPackageReportData()

function asPackageReportData(o): PackageReportData

Defined in: src/security-archive/src/types.ts:127

Parameters

o

unknown

Returns

PackageReportData

---

asSecurityArchiveLike()

function asSecurityArchiveLike(o): SecurityArchiveLike

Defined in: src/security-archive/src/types.ts:39

Parameters

o

unknown

Returns

SecurityArchiveLike

---

isPackageReportData()

function isPackageReportData(o): o is PackageReportData

Defined in: src/security-archive/src/types.ts:114

Parameters

o

unknown

Returns

o is PackageReportData

---

isSecurityArchiveLike()

function isSecurityArchiveLike(o): o is SecurityArchiveLike

Defined in: src/security-archive/src/types.ts:28

Parameters

o

unknown

Returns

o is SecurityArchiveLike