├── requirements.txt ├── package.json ├── github_api_request_handler.py ├── LICENSE ├── README.md ├── .gitignore └── scan_dependencies.py /requirements.txt: -------------------------------------------------------------------------------- 1 | Requests==2.31.0 2 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "example", 3 | "version": "0.1.1", 4 | "description": "An example for the dependency checker", 5 | "main": "index.js", 6 | "dependencies": { 7 | "@babel/preset-env":"1.1.1", 8 | "dtslint":"1.1.1", 9 | "coveralls":"1.1.1", 10 | "react-google-maps":"1.1.1", 11 | "mamacro":"1.1.1" 12 | }, 13 | "keywords": [ 14 | "node" 15 | ], 16 | "engines": { 17 | "node": "4.0.0" 18 | }, 19 | "author": "Aqua Nautilus", 20 | "license": "MIT" 21 | } 22 | -------------------------------------------------------------------------------- /github_api_request_handler.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import time 3 | 4 | def get(url, token): 5 | head={'Authorization':f'token {token}'} 6 | response = requests.get(url, headers=head) 7 | 8 | # check if we reached our rate limit 9 | if 'x-ratelimit-remaining' in response.headers and int(response.headers['x-ratelimit-remaining'])==0: 10 | _sleep_until_reset(int(response.headers['x-ratelimit-reset'])) 11 | return get(url, token) 12 | 13 | return response 14 | 15 | 16 | def _sleep_until_reset(reset_time): 17 | gh_api_reset_time = int(reset_time - time.time()) + 30 18 | print('github rate limit reached, sleeping ' + str(gh_api_reset_time) + ' seconds') 19 | time.sleep(gh_api_reset_time) 20 | 21 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2023 Ilaygoldman 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Dependency Deprecation Checker 2 | 3 | ## Description 4 | 5 | This program is a Dependency Deprecation Checker that helps to identify deprecated dependencies in your Node.js project by analyzing the `package.json` file. It checks both direct and indirect dependencies against several criteria: 6 | * if they are marked as deprecated on npm 7 | * if their repository on GitHub is archived 8 | * if the GitHub repository provided is not accessible (returns 404) 9 | * if they do not have repository information. 10 | 11 | The criteria for a deprecated package can be modified by the users. 12 | 13 | This tool is a Proof of Concept (PoC) and does not offer a comprehensive check. 14 | 15 | ## What lead to the creation of this tool 16 | 17 | We found that 8.2% percent of the most downloaded npm packages are officially deprecated, but due to inconsistent practices in handling package dependencies, the real number is much larger, closer to 21.2%. 18 | 19 | Moreover, some package maintainers, when confronted with security flaws, deprecate their packages instead of reporting them, getting a CVE assigned or remediating the vulnerabilities. These gaps can leave developers unaware that they are using unmaintained, vulnerable packages, and create opportunities for attackers to take over unmaintained code that continues to be used. 20 | 21 | ![funnel (2)](https://github.com/Aqua-Nautilus/Dependency-Deprecated-Checker/assets/29836366/129ae729-6e53-40b6-b5d2-bca471617aec) 22 | 23 | More information can be found on our [blog](https://blog.aquasec.com/deceptive-deprecation-the-truth-about-npm-deprecated-packages). 24 | 25 | ## Installation 26 | 27 | Before you begin, ensure you have Python installed on your system. Then, clone the repository and install the dependencies: 28 | 29 | ```bash 30 | git clone https://github.com/Aqua-Nautilus/Dependency-Deprecated-Checker.git 31 | cd Dependency-Deprecated-Checker 32 | pip install -r requirements.txt 33 | ``` 34 | 35 | ## Usage 36 | 37 | To use the Dependency Deprecation Checker, you will need a GitHub token (without permissions). 38 | 39 | ```bash 40 | python scan_dependencies.py --github_token YOUR_GITHUB_TOKEN [--exclude-archived] [--exclude-repo] [--exclude-inaccessible] [package_json_file] 41 | ``` 42 | 43 | ### Command-line Arguments 44 | 45 | - `package_json_file`: Path to `package.json` file. Defaults to 'package.json' in the current directory. 46 | - `--github-token`: GitHub token for API access. This is mandatory unless `--exclude-archived` and `--exclude-inaccessible` are used. 47 | - `--exclude-archived`: Exclude alerting on packages linked to archived repositories in GitHub. 48 | - `--exclude-repo`: Exclude alerting on packages without an associated repository. 49 | - `--exclude-inaccessible`: Exclude alerting on packages with a GitHub repository that is not accessible (404). 50 | 51 | 52 | An example of the results on the sample package.json: 53 | 54 | 55 | ![final_example](https://github.com/Ilaygoldman/dependency_deprecated/assets/29836366/1e81e68d-7378-459e-aa40-89bc84300dd7) 56 | 57 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | share/python-wheels/ 24 | *.egg-info/ 25 | .installed.cfg 26 | *.egg 27 | MANIFEST 28 | 29 | # PyInstaller 30 | # Usually these files are written by a python script from a template 31 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 32 | *.manifest 33 | *.spec 34 | 35 | # Installer logs 36 | pip-log.txt 37 | pip-delete-this-directory.txt 38 | 39 | # Unit test / coverage reports 40 | htmlcov/ 41 | .tox/ 42 | .nox/ 43 | .coverage 44 | .coverage.* 45 | .cache 46 | nosetests.xml 47 | coverage.xml 48 | *.cover 49 | *.py,cover 50 | .hypothesis/ 51 | .pytest_cache/ 52 | cover/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | .pybuilder/ 76 | target/ 77 | 78 | # Jupyter Notebook 79 | .ipynb_checkpoints 80 | 81 | # IPython 82 | profile_default/ 83 | ipython_config.py 84 | 85 | # pyenv 86 | # For a library or package, you might want to ignore these files since the code is 87 | # intended to run in multiple environments; otherwise, check them in: 88 | # .python-version 89 | 90 | # pipenv 91 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 92 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 93 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 94 | # install all needed dependencies. 95 | #Pipfile.lock 96 | 97 | # poetry 98 | # Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. 99 | # This is especially recommended for binary packages to ensure reproducibility, and is more 100 | # commonly ignored for libraries. 101 | # https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control 102 | #poetry.lock 103 | 104 | # pdm 105 | # Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. 106 | #pdm.lock 107 | # pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it 108 | # in version control. 109 | # https://pdm.fming.dev/#use-with-ide 110 | .pdm.toml 111 | 112 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm 113 | __pypackages__/ 114 | 115 | # Celery stuff 116 | celerybeat-schedule 117 | celerybeat.pid 118 | 119 | # SageMath parsed files 120 | *.sage.py 121 | 122 | # Environments 123 | .env 124 | .venv 125 | env/ 126 | venv/ 127 | ENV/ 128 | env.bak/ 129 | venv.bak/ 130 | 131 | # Spyder project settings 132 | .spyderproject 133 | .spyproject 134 | 135 | # Rope project settings 136 | .ropeproject 137 | 138 | # mkdocs documentation 139 | /site 140 | 141 | # mypy 142 | .mypy_cache/ 143 | .dmypy.json 144 | dmypy.json 145 | 146 | # Pyre type checker 147 | .pyre/ 148 | 149 | # pytype static type analyzer 150 | .pytype/ 151 | 152 | # Cython debug symbols 153 | cython_debug/ 154 | 155 | # PyCharm 156 | # JetBrains specific template is maintained in a separate JetBrains.gitignore that can 157 | # be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore 158 | # and can be added to the global gitignore or merged into this file. For a more nuclear 159 | # option (not recommended) you can uncomment the following to ignore the entire idea folder. 160 | #.idea/ 161 | 162 | package.json -------------------------------------------------------------------------------- /scan_dependencies.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | import json 3 | import traceback 4 | import requests 5 | import github_api_request_handler as gh 6 | import concurrent.futures 7 | 8 | dict_of_deprecated = {} 9 | 10 | def parse_package_json_file(config): 11 | file_path =config.package_json_file 12 | 13 | with open(file_path) as f: 14 | package_json_content = json.loads(f.read()) 15 | 16 | if 'dependencies' in package_json_content: 17 | return extract_list_of_dependencies(package_json_content['dependencies']) 18 | 19 | return [] 20 | 21 | 22 | def extract_list_of_dependencies(dependencies_dictionary): 23 | package_dependencies=[] 24 | 25 | for dependency,version in dependencies_dictionary.items(): 26 | version = version.strip() 27 | if version.startswith('npm:'): 28 | # 5 to skip the first @ of a scoped package 29 | at_index = version.find('@', 5) 30 | 31 | if at_index==-1: 32 | # case of "npm:string-width" will leave us with "string-width" 33 | version=version[4:] 34 | else: 35 | # case of "npm:string-width@^4.2.0" will leave us with "string-width" 36 | version=version[4:at_index] 37 | 38 | package_dependencies.append(version) 39 | else: 40 | package_dependencies.append(dependency) 41 | 42 | return package_dependencies 43 | 44 | def scan_packages(unique_package_list, config): 45 | with concurrent.futures.ThreadPoolExecutor(max_workers=3) as executor: 46 | for package in unique_package_list: 47 | executor.submit(scan_package_for_direct_deprecated, package, config) 48 | 49 | with concurrent.futures.ThreadPoolExecutor(max_workers=3) as executor: 50 | for package in unique_package_list: 51 | executor.submit(scan_package_for_dependency_deprecated, package, config) 52 | 53 | 54 | def extract_github_repo_from_package_info(package_info): 55 | # no repository information 56 | if 'repository' not in package_info or package_info['repository'] is None: 57 | return "" 58 | 59 | # now we need to check format of how the repository information is shown 60 | if type(package_info['repository']) is str: 61 | github_repo = package_info['repository'].lower() 62 | elif type(package_info['repository']) is dict: 63 | if 'url' not in package_info['repository'] or package_info['repository']['url'] is None: 64 | return "" 65 | github_repo = package_info['repository']['url'].lower() 66 | else: 67 | # unknown format should not reach here 68 | return "" 69 | 70 | # This is incase the repository is not in github 71 | if 'github.com' not in github_repo: 72 | return "" 73 | 74 | # now we convert all the types of github repos to that same format 75 | if github_repo.startswith('git+'): 76 | github_repo=github_repo[4:] 77 | if github_repo.startswith('ssh://'): 78 | github_repo=github_repo[len('ssh://'):] 79 | if github_repo.startswith('git://'): 80 | github_repo=github_repo.replace('git://', 'https://') 81 | if github_repo.startswith('git@github.com:'): 82 | github_repo=github_repo.replace('git@github.com:', 'https://github.com/') 83 | if github_repo.startswith('git@github.com'): # this is in case there is no : in it 84 | github_repo=github_repo.replace('git@github.com', 'https://github.com') 85 | 86 | # remove everything under '#' 87 | github_repo = github_repo.split('#', 1)[0] 88 | 89 | # clean all trailing '/'' 90 | while github_repo.endswith('/'): 91 | github_repo=github_repo[:-1] 92 | 93 | if github_repo.endswith('.git'): 94 | github_repo=github_repo[:-len('.git')] 95 | 96 | return github_repo 97 | 98 | # this function assumes there is no leading '/' at the end 99 | def get_repo_from_github_url(github_repo_link): 100 | repo_parts_list = github_repo_link.split("/") 101 | if len(repo_parts_list) >= 5: 102 | return (repo_parts_list[3],repo_parts_list[4]) 103 | 104 | # this means we dont have a good format of the github_link so we cant scan it 105 | return (None, None) 106 | 107 | def check_github_deprecated_criteria(org ,repo, config): 108 | url = f"https://api.github.com/repos/{org}/{repo}" 109 | resp = gh.get(url, config.github_token) 110 | 111 | if resp.status_code != 200: 112 | # if the github is inaccessible and the user did not disable this check. 113 | if resp.status_code == 404 and not config.exclude_inaccessible: 114 | return True 115 | 116 | return False 117 | 118 | # check if the user disabled the archived check 119 | if config.exclude_archived: 120 | return False 121 | 122 | results = resp.json() 123 | return results['archived'] 124 | 125 | def is_function_directly_deprecated(package_name, npm_response_json, config): 126 | # check if this package is deprecated 127 | if 'deprecated' in npm_response_json: 128 | return True 129 | 130 | # check if the user disabled the no_repo check 131 | if not config.exclude_repo: 132 | if 'repository' not in npm_response_json: 133 | return True 134 | 135 | # check if the user disabled the github checks 136 | if not config.exclude_archived or not config.exclude_inaccessible: 137 | github_repo_url = extract_github_repo_from_package_info(npm_response_json) 138 | 139 | # if we couldnt extract the GitHub repository for various reasons (repo wasn't GitHub for example) 140 | if github_repo_url == "": 141 | return False 142 | 143 | org, repo = get_repo_from_github_url(github_repo_url) 144 | 145 | # if we couldnt extract the org/repo info from the github_link 146 | if org == None: 147 | return False 148 | 149 | if check_github_deprecated_criteria(org, repo, config): 150 | return True 151 | 152 | return False 153 | 154 | def scan_package_for_direct_deprecated(package_name, config): 155 | try: 156 | url=f'https://registry.npmjs.com/{package_name}/latest' 157 | 158 | resp = requests.get(url) 159 | if resp.status_code != 200: 160 | print(f'error in {package_name}') 161 | dict_of_deprecated[package_name]="" # default value is not deprecated 162 | return "" 163 | 164 | resp_json = resp.json() 165 | 166 | # here we check if the package is directly deprecated. also depends on the flags from the user (check github, etc') 167 | if is_function_directly_deprecated(package_name, resp_json, config): 168 | dict_of_deprecated[package_name] = package_name 169 | return package_name 170 | 171 | dict_of_deprecated[package_name] = "" 172 | return "" 173 | 174 | except Exception as e: 175 | print(e) 176 | traceback.print_exc() 177 | 178 | # if there is an exception in the scan we will mark it as not deprecated for the moment 179 | if package_name not in dict_of_deprecated: 180 | dict_of_deprecated[package_name] = "" 181 | 182 | return "" 183 | 184 | def scan_package_for_dependency_deprecated(package_name, config): 185 | try: 186 | # here we check if we already scanned this package and it is directly deprecated 187 | if package_name in dict_of_deprecated and dict_of_deprecated[package_name] != "": 188 | return "" 189 | 190 | url=f'https://registry.npmjs.com/{package_name}/latest' 191 | 192 | resp = requests.get(url) 193 | if resp.status_code != 200: 194 | print(f'error in {package_name}') 195 | dict_of_deprecated[package_name]="" # default value is not deprecated 196 | return "" 197 | 198 | resp_json = resp.json() 199 | 200 | if 'dependencies' not in resp_json: 201 | # There are no dependencies so it is not indirectly deprecated 202 | dict_of_deprecated[package_name] = "" 203 | return "" 204 | 205 | set_of_depndencies = set(extract_list_of_dependencies(resp_json['dependencies'])) 206 | 207 | # now we check if one of the dependencies was already found directly deprecated. this is so we wont go by a different order and check other dependencies when we already have one that is deprecated 208 | for dependency_package in set_of_depndencies: 209 | if dependency_package in dict_of_deprecated and dict_of_deprecated[dependency_package] == dependency_package: 210 | dict_of_deprecated[package_name] = dependency_package 211 | 212 | return dependency_package 213 | 214 | # Here we check dependencies that we did not scan yet 215 | for dependency_package in set_of_depndencies: 216 | if dependency_package not in dict_of_deprecated: 217 | if scan_package_for_direct_deprecated(dependency_package, config)==dependency_package: 218 | dict_of_deprecated[package_name] = dependency_package 219 | return dependency_package 220 | 221 | except Exception as e: 222 | print(e) 223 | traceback.print_exc() 224 | 225 | return "" 226 | 227 | 228 | def main(): 229 | parser = argparse.ArgumentParser(description="scan package.json for dependencies that are deprecated directly and indirectly") 230 | 231 | parser.add_argument("package_json_file", nargs="?", default='package.json', help="path to pacakge.json file, default is 'package.json'") 232 | 233 | parser.add_argument("--github-token","-gh", help="GitHub token to use for the api, no permissions needed. This is mandatory unless you state the --exclude-archived flag") 234 | 235 | # Do not include github archived repositories in the scan 236 | parser.add_argument("--exclude-archived", action='store_true', help="Do not alert on packages whose GitHub repositories are archived. Defaults to False") 237 | 238 | # Do not alert on packages that do not point to a repository 239 | parser.add_argument("--exclude-repo", action='store_true', help="Do not alert on packages that are not associated with a repository. Defaults to False.") 240 | 241 | # Do not alert on packages that their GitHub is not accessible 242 | parser.add_argument("--exclude-inaccessible", action='store_true', help="Do not alert on packages that their GitHub repositoriy is inaccessbile. Defaults to False.") 243 | 244 | 245 | # Parse the command-line arguments 246 | args = parser.parse_args() 247 | 248 | if not args.github_token and (not args.exclude_archived or not args.exclude_inaccessible): 249 | parser.error('''You must provide a readonly GitHub token. 250 | If you do not want to scan for archived repositories you can use the --exclude-archived flag 251 | If you do not want to scan for inaccessible GitHub repositories you can use the --exclude-inaccessible flag''') 252 | 253 | set_of_dependency_packages = set(parse_package_json_file(args)) 254 | 255 | scan_packages(set_of_dependency_packages, args) 256 | 257 | print('Deprecated dependencies:') 258 | for package in set_of_dependency_packages: 259 | if dict_of_deprecated[package]!="": 260 | # now we print the chain of deprecation 261 | chain_of_dep_str=package 262 | current_package=package 263 | 264 | # we stop only when we get to the package which is directly deprecated 265 | while dict_of_deprecated[current_package]!=current_package: 266 | chain_of_dep_str += " -> " + dict_of_deprecated[current_package] 267 | current_package = dict_of_deprecated[current_package] 268 | print(f'package {package} is deprecated, chain of dependency is [{chain_of_dep_str}]\n') 269 | 270 | print('Done') 271 | 272 | 273 | if __name__ == '__main__': 274 | main() 275 | --------------------------------------------------------------------------------