Skip to content

InteropIO/javascript-check-dependencies-action

BranchesTags
 
 

Repository files navigation

JavaScript Dependency Check

This action checks that no compromised packages are referenced in any package-lock.json files in your repository, using a list of bad versions that's fetched from a URL of your choice.

Configuration options

  • rules_url (required): URL pointing to a JSON file with the banned package versions:
[
  ["@acme/bad", "1.0.*", "^1.1.2"],
  ["evil-package", "*"]
]

Usage

name: Check package-lock for compromised dependencies

on:
  push:
    branches: [ main, master ]
  pull_request:

jobs:
  check-lock:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run package-lock check
        uses: staafl/javascript-check-dependencies-action@v0.0.4
        with:
          rules_url: https://raw.githubusercontent.com/staafl/javascript-check-dependencies-action/refs/heads/master/bad-deps.json

About

Node GitHub action that fails the build if certain bad dependency versions are present in any package-lock.json

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

4 tags

Packages

No packages published

Languages

  • JavaScript 100.0%