# secure-dependencies

Creates a tarball of your app dependencies checked with node security platform

APACHE-2.0 License

Never run npm install in production again!

Creates a tarball of your app dependencies checked with npm audit. Just unpack it in production and you're ready to go.
## Why?

- You can never be sure `npm install` in production will always deliver what you need
- `npm install` is a de facto remote code execution vulnerability
- Even when you use `npm rebuild` you still run postinstall scripts - effectively bash commands with your user credentials and access to sudo. You can turn them off, but then some binaries will not build correctly.
- `npm install` takes more time than `scp | untar`
## Usage

```sh
npx -p secure-dependencies secure-dependencies
```

`{appname}-{nodeVersion}-{appVersion}.tgz` is produced with all production dependencies unless `nsp check` complains.

Become left-pad proof!
### Node versions

This library could support versions 0.x but it doesn't. Consider this another reason to finally upgrade.

While it might work, the version of node in the filename will be `0`. Trivial to fix, but I believe I should not.
### Shrinkwrap

secure-dependencies will follow `npm-shrinkwrap.json`, but if you want to use it for production and not locally, you can rename it to `npm-shrinkwrap-production.json` and it will be used when installing the modules for the bundle.
## What does it do?

In summary:

- `npm install --production`
- `npm prune`
- `npm dedupe`
- `npm audit` (via npm-audit-resolver)
- `tar`

But don't trust me with your security, read the code!
## Example

```sh
cd exampleapp
npm install
npm start
```

`exampleapp-node6-1.0.0.tgz` is created.
## Get the bundle name

If you're scripting your deployment with configuration managers (or bash), it's often annoying to deal with parsing package.json.

secure-dependencies exposes a tiny script that generates the filename. You can use it to find out what the bundle name is, based on the package.json in the current directory:

```sh
npx -p secure-dependencies get-bundle-name
```

or

```sh
npm install -g secure-dependencies
get-bundle-name
```
## TODO

- add paranoid mode
- add scp as artifact repository