GitHub Action
is-my-node-vulnerable
This package helps ensure the security of your Node.js installation by checking for known vulnerabilities.
It compares the version of Node.js you have installed (process.version
) to the Node.js Security Database
and alerts you if a vulnerability is found.
npx is-my-node-vulnerable
It's strongly recommended to include this as a step in the app CI.
$ node -v
v20.3.0
$ npx is-my-node-vulnerable
██████ █████ ███ ██ ██████ ███████ ██████
██ ██ ██ ██ ████ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ███ █████ ██████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██████ ██ ██ ██ ████ ██████ ███████ ██ ██
The current Node.js version (v20.3.0) is vulnerable to the following CVEs:
CVE-2023-30581: The use of proto in process.mainModule.proto.require() can bypass the policy mechanism and require modules outside of the policy.json definition
Patched versions: ^16.20.1 || ^18.16.1 || ^20.3.1
==================================================================================================================================================================================
$ node -v
v20.11.1
$ npx is-my-node-vulnerable
█████ ██ ██ ██████ ██████ ██████ ██████ ██
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
███████ ██ ██ ██ ███ ██ ██ ██ ██ ██ ██ ██
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ███████ ███████ ██████ ██████ ██████ ██████ ██
$ node -v
v15.14.0
$ npx is-my-node-vulnerable
██████ █████ ███ ██ ██████ ███████ ██████
██ ██ ██ ██ ████ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ███ █████ ██████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██████ ██ ██ ██ ████ ██████ ███████ ██ ██
v15.14.0 is end-of-life. There are high chances of being vulnerable. Please upgrade it.
End-of-Life versions don't keep track of recent security releases, therefore, it's considered vulnerable by default.
This package also exports a function isNodeVulnerable
to perform the check in runtime
const { isNodeVulnerable } = require('is-my-node-vulnerable')
isNodeVulnerable('19.0.0') // true
Optionally you can define the platform with the argument platform
to limit the scope. The available platforms are the same values available in for os.platform()
.
const { isNodeVulnerable } = require('is-my-node-vulnerable')
isNodeVulnerable('19.0.0', 'linux') // true
This package also provides a GitHub Action, just include the node-version
in the yml as follows in order to check a specific version:
name: "Node.js Vulnerabilities"
on:
schedule:
- cron: "0 0 * * *"
jobs:
is-my-node-vulnerable:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Check Node.js
uses: RafaelGSS/is-my-node-vulnerable@v1
with:
node-version: "18.14.1"
Optionally you can define the platform with the argument platform
to limit the scope. The available platforms are the same values available in for os.platform()
.
- uses: actions/checkout@v3
- name: Check Node.js
uses: RafaelGSS/is-my-node-vulnerable@v1
with:
node-version: "18.14.1"
platform: "linux"