@ross
Created September 8, 2025 19:59
#!/usr/bin/env python3
import sys
from json import loads
from pathlib import Path
from pprint import pprint

from semver import Version
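# Exact affected release per npm package name, parsed once at import time.
# Each entry is a single version, not a range: find_compromised() matches by
# equality, so a later re-published release of the same package is not
# reported. Extend this table if further affected versions are announced.
compromised = {n: Version.parse(v) for n, v in {
    'ansi-styles': '6.2.2',
    'debug': '4.4.2',
    'chalk': '5.6.1',
    'supports-color': '10.2.1',
    'strip-ansi': '7.1.1',
    'ansi-regex': '6.2.1',
    'wrap-ansi': '9.0.1',
    'color-convert': '3.1.1',
    'color-name': '2.0.1',
    'is-arrayish': '0.3.3',
    'slice-ansi': '7.1.1',
    'color': '5.0.1',
    'color-string': '2.1.1',
    'simple-swizzle': '0.2.3',
    'supports-hyperlinks': '4.1.1',
    'has-ansi': '6.0.1',
    'chalk-template': '1.1.1',
    'backslash': '0.2.1',
}.items()}


def bare_name(entry_key):
    """Return the package name for a lockfile ``packages`` key.

    Keys are install paths such as ``node_modules/chalk`` or, for nested
    installs, ``node_modules/a/node_modules/chalk``; only the segment after
    the last ``node_modules/`` is the package name. A plain
    ``replace('node_modules/', '')`` turns the nested form into ``a/chalk``
    and silently misses the match.
    """
    return entry_key.rsplit('node_modules/', 1)[-1]


def find_compromised(packages, table=None):
    """Scan a lockfile ``packages`` map and return the affected entries.

    Args:
        packages: the ``packages`` object of a package-lock.json
            (install path -> entry dict).
        table: package name -> affected ``Version``; defaults to the
            module-level ``compromised`` table.

    Returns:
        A list of ``(path, name, version, affected_version)`` tuples, one per
        installed copy whose version equals the affected release. ``version``
        is a ``Version`` when the lockfile string parses as semver, otherwise
        the raw string.
    """
    if table is None:
        table = compromised
    hits = []
    for path, entry in packages.items():
        if path == '':
            continue  # the root project itself
        name = bare_name(path)
        affected = table.get(name)
        if affected is None:
            continue
        raw = entry.get('version')
        if raw is None:
            continue  # link/workspace entries carry no version of their own
        try:
            version = Version.parse(raw)
            # Equality, not >=: the table holds the single affected release,
            # and >= would also flag every later release of the package.
            matched = version == affected
        except ValueError:
            # Not valid semver (unusual in a lockfile): compare literally
            # rather than aborting the whole scan on one odd entry.
            version = raw
            matched = raw == str(affected)
        if matched:
            hits.append((path, name, version, affected))
    return hits


def main(argv=None):
    """Report affected packages in a lockfile; exit with status 1 on a hit.

    Args:
        argv: command-line arguments without the program name; defaults to
            ``sys.argv[1:]``. The optional first argument is the lockfile
            path (default ``package-lock.json``).
    """
    args = sys.argv[1:] if argv is None else argv
    lockfile = Path(args[0]) if args else Path('package-lock.json')
    lock = loads(lockfile.read_text(encoding='utf-8'))
    packages = lock.get('packages')
    if packages is None:
        # Only the 'packages' map is scanned; lockfileVersion 1 files describe
        # installs under 'dependencies' instead and would otherwise KeyError.
        sys.exit(f"{lockfile}: no 'packages' map; regenerate the lockfile with a current npm")
    hits = find_compromised(packages)
    for path, name, version, affected in hits:
        print(f'{name}, compromised_version={affected}, version={version}, path={path}')
    # Non-zero status lets CI fail the build when an affected copy is installed.
    sys.exit(1 if hits else 0)


if __name__ == '__main__':
    main()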