
pmosconi/package-lock-cve-scanner


Package Lock CVE Scanner

A Node.js tool that recursively scans for vulnerable packages in package-lock.json and yarn.lock files across a directory tree.

Features

  • Recursively finds all package-lock.json and yarn.lock files in a directory
  • Checks for specific vulnerable package versions
  • Configurable vulnerability database via JSON file
  • Shows exact folder locations where vulnerable packages are found
  • Optional detailed version reporting

Update 2025-12-05

Scan for packages vulnerable to the Shai Hulud 2.0 attack in both package-lock.json and yarn.lock files using the provided configuration:

node scan-vulnerable-packages.js --config sha1-hulud-packages.json /path/to/scan

Installation

Clone this repository and install dependencies:

git clone https://github.com/pmosconi/package-lock-cve-scanner.git
cd package-lock-cve-scanner
npm install

Configuration

The tool uses a JSON configuration file to define which packages and versions to check for vulnerabilities.

Default Configuration

The default configuration file is vulnerable-packages.json:

{
  "eslint-config-prettier": ["8.10.1", "9.1.1", "10.1.6", "10.1.7"],
  "eslint-plugin-prettier": ["4.2.2", "4.2.3"],
  "is": ["3.3.1", "5.5.0"],
  "got-fetch": ["5.1.11", "5.1.12"],
  "synckit": ["0.11.9"],
  "@pkgr/core": ["0.2.8"]
}

Custom Configuration

You can create your own configuration file with any package names and versions:

{
  "package-name": ["1.0.0", "2.0.0"],
  "another-package": ["3.0.0"]
}
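
How a configuration of this shape is applied, as an added example that is not the scanner's own code: it extracts name/version pairs from both lockfile formats and reports only exact matches against the configured version lists. It assumes npm lockfile v2/v3 (a "packages" map keyed by node_modules paths) and yarn.lock v1 text; the sample inputs are constructed.

```javascript
// Added example (not the scanner's own code): exact-version matching of
// lockfile entries against a vulnerable-packages.json style map. Assumes npm
// lockfile v2/v3 ("packages" keyed by node_modules paths) and yarn.lock v1
// text; the config and both lockfile inputs below are constructed samples.
const config = {
  "eslint-config-prettier": ["8.10.1", "9.1.1", "10.1.6", "10.1.7"],
  "synckit": ["0.11.9"],
  "@pkgr/core": ["0.2.8"],
};
// {name, version} pairs from a parsed package-lock.json (v2/v3 "packages").
function entriesFromPackageLock(lock) {
  const out = [];
  for (const [p, info] of Object.entries(lock.packages || {})) {
    if (!p || !info.version) continue; // "" is the root project itself
    const i = p.lastIndexOf("node_modules/"); // nested deps: keep last segment
    out.push({ name: p.slice(i + "node_modules/".length), version: info.version });
  }
  return out;
}
// {name, version} pairs from yarn.lock v1 text. A block header such as
// `synckit@^0.11.0, synckit@^0.11.8:` is followed by `  version "0.11.9"`.
function entriesFromYarnLock(text) {
  const out = [];
  let name = null;
  for (const line of text.split("\n")) {
    const header = line.match(/^"?(@?[^@"\s]+)@.*:\s*$/);
    if (header) { name = header[1]; continue; }
    const ver = line.match(/^\s+version\s+"([^"]+)"/);
    if (ver && name) { out.push({ name, version: ver[1] }); name = null; }
  }
  return out;
}
// Exact-match filter: only versions listed in the config count as hits,
// so a semver range in a manifest never triggers a report on its own.
function findVulnerable(entries, cfg) {
  return entries.filter(e => (cfg[e.name] || []).includes(e.version));
}
// Constructed samples: one hit per lockfile plus non-matching versions.
const sampleLock = { packages: {
  "": { name: "app", version: "1.0.0" },
  "node_modules/eslint-config-prettier": { version: "8.10.1" },
  "node_modules/foo/node_modules/synckit": { version: "0.11.8" },
} };
const sampleYarn = [
  'synckit@^0.11.0, synckit@^0.11.8:', '  version "0.11.9"',
  '"@pkgr/core@^0.2.0":', '  version "0.2.7"', ''].join("\n");
const npmHits = findVulnerable(entriesFromPackageLock(sampleLock), config);
const yarnHits = findVulnerable(entriesFromYarnLock(sampleYarn), config);
```

Running it yields one hit from each sample: eslint-config-prettier@8.10.1 from the npm lockfile and synckit@0.11.9 from the yarn lockfile, while the nested synckit@0.11.8 and @pkgr/core@0.2.7 are correctly ignored.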

Usage

Basic Usage

Scan the current directory using the default configuration:

node scan-vulnerable-packages.js

Scan a specific directory:

node scan-vulnerable-packages.js /path/to/scan

Advanced Usage

Use a custom configuration file:

node scan-vulnerable-packages.js --config /path/to/config.json /path/to/scan

Show all versions found for tracked packages:

node scan-vulnerable-packages.js --show-versions /path/to/scan

Combine options:

node scan-vulnerable-packages.js --config custom.json --show-versions /path/to/scan

Command Line Options

  • --config <path> - Path to custom configuration file (default: vulnerable-packages.json)
  • --show-versions - Display all versions found for tracked packages with their locations
  • <directory> - Directory to scan (default: current directory)

Output

Vulnerability Detection

When vulnerabilities are found:

🚨 Vulnerabilities found in: /path/to/project/package-lock.json
  - eslint-config-prettier@8.10.1 (eslint-config-prettier)
  - eslint-plugin-prettier@4.2.2 (eslint-plugin-prettier)

🚨 Vulnerabilities found in: /path/to/project2/yarn.lock
  - lodash@4.17.20 (lodash)

⚠️  Total vulnerabilities found: 3

Version Reporting

With the --show-versions flag:

📦 Versions found for tracked packages:
  eslint-config-prettier:
    8.8.0 in /path/to/project1
    9.0.0 in /path/to/project2
  eslint-plugin-prettier:
    4.0.0 in /path/to/project1
    5.0.0 in /path/to/project3

No Vulnerabilities

When no vulnerabilities are found:

✅ No vulnerable packages found!

Exit Codes

  • 0 - No vulnerabilities found
  • 1 - Vulnerabilities detected or error occurred

Development

Running Tests

# Run tests once
npm run test:run

# Run tests in watch mode
npm test

# Run tests in watch mode (explicit)
npm run test:watch

Project Structure

├── scan-vulnerable-packages.js    # Main scanner script
├── vulnerable-packages.json       # Default vulnerability database
├── scan-vulnerable-packages.test.js # Test suite
├── package.json                   # Project configuration
└── README.md                      # This file

License

MIT
