I’d like to share an open source project I’ve been working on during the last year. It analyzes production JavaScript code and detects bundled NPM package versions. A vulnerability is shown when a specific detected version contains known vulnerabilities, taken from the Github advisory.
There’s also a dedicated package page, that shows accumulated statistics of a package. It’s like wappalyzer or builtwith but with better accuracy. For example: https://gradejs.com/package/react
So far I’ve only indexed ~10,000 popular websites. The current version works for Webpack bundles with 70-90% accuracy and ~3% false positive. The package detection algorithm is designed to match minified and tree-shaken AST subtrees for each export per bundled JS module.
I'd like to collect any feedback from the community.
1 comment
[ 131 ms ] story [ 520 ms ] threadThere’s also a dedicated package page, that shows accumulated statistics of a package. It’s like wappalyzer or builtwith but with better accuracy. For example: https://gradejs.com/package/react
So far I’ve only indexed ~10,000 popular websites. The current version works for Webpack bundles with 70-90% accuracy and ~3% false positive. The package detection algorithm is designed to match minified and tree-shaken AST subtrees for each export per bundled JS module.
I'd like to collect any feedback from the community.
Repository: https://github.com/gradejs/gradejs