Easy auditing & sandboxing for your JavaScript dependencies 🪱

Overview
Sandworm


TL;DR

  • Sandworm intercepts all sensitive Node & browser APIs, like child_process.exec or fetch.
  • It also knows what modules are responsible for each call.
  • You can use it to:
    • audit your dependencies and see what your code is doing under the hood;
    • secure your app against supply chain attacks by enforcing per-module permissions.
  • Install it as an npm module in your existing Node or browser app.
  • Use the Inspector CLI tool to monitor activity and permissions.
  • Works in Node v15+ and modern browsers.
  • Beta support for browsers and sourcemaps.

Getting Started

Add the Sandworm init call as the very first line of your app:

require('sandworm').init({devMode: true}); // add `permissions: [...]` when moving to prod

Then launch the inspector tool with npm run sandworm or yarn sandworm to monitor activity and permissions.

Documentation

Read the full docs here.

Get Involved

Comments
  • chore(deps): bump loader-utils from 2.0.2 to 2.0.3 in /cli/frontend

    Bumps loader-utils from 2.0.2 to 2.0.3.

    Release notes

    Sourced from loader-utils's releases.

    v2.0.3

    2.0.3 (2022-10-20)

    Bug Fixes

    • security: prototype pollution exploit (#217) (a93cf6f)
    Changelog

    Sourced from loader-utils's changelog.

    2.0.3 (2022-10-20)

    Bug Fixes

    • security: prototype pollution exploit (#217) (a93cf6f)

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 1
  • chore(deps): bump loader-utils from 2.0.2 to 2.0.3

    Bumps loader-utils from 2.0.2 to 2.0.3.

    Release notes

    Sourced from loader-utils's releases.

    v2.0.3

    2.0.3 (2022-10-20)

    Bug Fixes

    • security: prototype pollution exploit (#217) (a93cf6f)
    Changelog

    Sourced from loader-utils's changelog.

    2.0.3 (2022-10-20)

    Bug Fixes

    • security: prototype pollution exploit (#217) (a93cf6f)

    dependencies 
    opened by dependabot[bot] 1
  • chore(main): release sandworm 1.3.2

    :robot: I have created a release beep boop

    1.3.2 (2022-09-29)

    Bug Fixes

    • include inspector logo png in npm pack (e17f479)

    This PR was generated with Release Please. See documentation.

    autorelease: tagged 
    opened by gabidobo 1
  • chore(main): release sandworm 1.3.1

    :robot: I have created a release beep boop

    1.3.1 (2022-09-29)

    Bug Fixes

    • allow init from sandworm-utils (5df5065)

    This PR was generated with Release Please. See documentation.

    autorelease: tagged 
    opened by gabidobo 1
  • chore(main): release sandworm 1.3.0

    :robot: I have created a release beep boop

    1.3.0 (2022-09-28)

    Features

    • allow calling init from test plugins (e4b196b)

    This PR was generated with Release Please. See documentation.

    autorelease: tagged 
    opened by gabidobo 1
  • chore(main): release sandworm 1.2.1

    :robot: I have created a release beep boop

    1.2.1 (2022-09-27)

    Bug Fixes

    • support nested node_modules (4a4c0e7)

    This PR was generated with Release Please. See documentation.

    autorelease: tagged 
    opened by gabidobo 1
  • chore(main): release sandworm 1.2.0

    :robot: I have created a release beep boop

    1.2.0 (2022-09-23)

    Features

    • allow init call from sandworm-mocha module (a63bcd1)
    • retry sending events to inspector (584eb69)

    This PR was generated with Release Please. See documentation.

    autorelease: tagged 
    opened by gabidobo 1
  • chore(main): release sandworm 1.1.1

    :robot: I have created a release beep boop

    1.1.1 (2022-09-21)

    Bug Fixes

    • tracking errors now log at debug level (98562a3)

    This PR was generated with Release Please. See documentation.

    autorelease: tagged 
    opened by gabidobo 1
  • chore(main): release sandworm 1.1.0

    :robot: I have created a release beep boop

    1.1.0 (2022-09-21)

    Features

    • add telemetry notice to inspector log output (ef24258)
    • alias root-level code by path (fbf4405)

    This PR was generated with Release Please. See documentation.

    autorelease: tagged 
    opened by gabidobo 1
  • chore(main): release sandworm 1.0.1

    :robot: I have created a release beep boop

    1.0.1 (2022-09-17)

    Bug Fixes

    • include inspector tool browser app sourcemaps (88a09ec)
    • module names now account for callbacks (fc02b67)

    This PR was generated with Release Please. See documentation.

    autorelease: tagged 
    opened by gabidobo 1
  • chore(main): release sandworm 1.0.0

    :robot: I have created a release beep boop

    1.0.0 (2022-09-15)

    ⚠ BREAKING CHANGES

    • issue affecting detected caller paths
    • anonymous event data collection

    Features

    • access denied callback (45ea81a)
    • anonymous event data collection (4ad3988)

    Bug Fixes

    • cache access performance issue (16ffc24)
    • issue affecting detected caller paths (d8e6199)
    • url detect performance issue (ae6b829)

    This PR was generated with Release Please. See documentation.

    autorelease: tagged 
    opened by gabidobo 1
  • chore(deps): bump loader-utils from 2.0.2 to 2.0.4

    Bumps loader-utils from 2.0.2 to 2.0.4.

    Release notes

    Sourced from loader-utils's releases.

    v2.0.4

    2.0.4 (2022-11-11)

    Bug Fixes

    v2.0.3

    2.0.3 (2022-10-20)

    Bug Fixes

    • security: prototype pollution exploit (#217) (a93cf6f)
    Changelog

    Sourced from loader-utils's changelog.

    2.0.4 (2022-11-11)

    Bug Fixes

    2.0.3 (2022-10-20)

    Bug Fixes

    • security: prototype pollution exploit (#217) (a93cf6f)

    dependencies 
    opened by dependabot[bot] 0
  • chore(deps): bump loader-utils from 2.0.2 to 2.0.4 in /cli/frontend

    Bumps loader-utils from 2.0.2 to 2.0.4.

    Release notes

    Sourced from loader-utils's releases.

    v2.0.4

    2.0.4 (2022-11-11)

    Bug Fixes

    v2.0.3

    2.0.3 (2022-10-20)

    Bug Fixes

    • security: prototype pollution exploit (#217) (a93cf6f)
    Changelog

    Sourced from loader-utils's changelog.

    2.0.4 (2022-11-11)

    Bug Fixes

    2.0.3 (2022-10-20)

    Bug Fixes

    • security: prototype pollution exploit (#217) (a93cf6f)

    dependencies 
    opened by dependabot[bot] 0
  • Replace `source-map-js` dependency

    Our current sourcemap parsing engine, source-map-js, is a fork of the original Mozilla module, but with several optimizations and without WASM.

    This is not ideal because:

    • Source map processing makes up more than 2/3 of our bundle size
    • source-map-js also bundles a generator that we don't need
    • it uses new Function() internally, which is potentially dangerous

    Ideally, we should be able to internally parse sourcemaps, and remove this single dependency that Sandworm currently has.

    experiment 
    opened by gabidobo 0
Releases (sandworm-v1.3.2)