The Wayback Machine - https://web.archive.org/web/20190322165435/https://github.com/RetireJS/retire.js
Skip to content
Please note that GitHub no longer supports Internet Explorer.

We recommend upgrading to the latest Microsoft Edge, Google Chrome, or Firefox.

Learn more
Sign in Sign up

/retire.js

scanner detecting the use of JavaScript libraries with known vulnerabilities http://retirejs.github.io/retire.js/
vulnerabilities scanner firefox-extension grunt-plugins javascript vulnerable-libraries insecure-libraries chrome-extension build-tool security software-composition-analysis
  1. JavaScript 97.5%
  2. Shell 1.7%
  3. Other 0.8%
Branch: master
Find File
Clone or download

Clone with HTTPS

Use Git or checkout with SVN using the web URL.

Open in Desktop Download ZIP

Launching GitHub Desktop...

If nothing happens, download GitHub Desktop and try again.

Launching GitHub Desktop...

If nothing happens, download GitHub Desktop and try again.

Launching Xcode...

If nothing happens, download Xcode and try again.

Launching Visual Studio...

If nothing happens, download the GitHub extension for Visual Studio and try again.

@jwindelborg @eoftedal
jwindelborg and eoftedal Add more descriptive link for angularjs vulnerability (#289) 
The DOS in $Sanitize vulnerability for angularjs
versions below 1.6.3 gives a link making it incredible
hard to find information on the exact vulnerability.
The added link fixes that.
Latest commit 1ef9a51 Mar 21, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
chrome [ImgBot] Optimize images (#273) Nov 30, 2018
docs Moving SCM location Feb 2, 2015
firefox [ImgBot] Optimize images (#273) Nov 30, 2018
node Fixes #269 Feb 19, 2019
repository Add more descriptive link for angularjs vulnerability (#289) Mar 21, 2019
.gitattributes fix: configure linguist to treat *.1 and *.2 files as JavaScript (#249) Aug 8, 2018
.gitignore
LICENSE.md
README.md
bom
build_chrome.bat
build_chrome.sh
example.retireignore.json
fx.sh
issue_template.md Create issue_template.md Jun 6, 2018
simpleserver.py Simple server for local testing Sep 2, 2013

README.md

Retire.js

Retire Status

What you require you must also retire

There is a plethora of JavaScript libraries for use on the Web and in Node.JS apps out there. This greatly simplifies development,but we need to stay up-to-date on security fixes. "Using Components with Known Vulnerabilities" is now a part of the OWASP Top 10 list of security risks and insecure libraries can pose a huge risk to your Web app. The goal of Retire.js is to help you detect the use of JS-library versions with known vulnerabilities.

Retire.js can be used in many ways:

  1. As command line scanner
  2. As a grunt plugin
  3. As a gulp task
  4. As a Chrome extension
  5. As a Firefox extension
  6. As a Burp and OWASP Zap plugin

Command line scanner

Scan a web app or node app for use of vulnerable JavaScript libraries and/or Node.JS modules. In the source code folder of the application folder run:

$ npm install -g retire
$ retire

Grunt plugin

A Grunt task for running Retire.js as part of your application's build routine, or some other automated workflow.

Gulp task

An example of a Gulp task which can be used in your gulpfile to watch and scan your project files automatically. You can modify the watch patterns and (optional) Retire.js options as you like.

const c = require('ansi-colors');

var gulp = require('gulp');
var beeper = require('beeper');
var log = require('fancy-log');
var spawn = require('child_process').spawn;

gulp.task('retire:watch', ['retire'], function (done) {
    // Watch all javascript files and package.json
    gulp.watch(['js/**/*.js', 'package.json'], ['retire']);
});

gulp.task('retire', function() {
    // Spawn Retire.js as a child process
    // You can optionally add option parameters to the second argument (array)
    var child = spawn('retire', [], {cwd: process.cwd()});
    
    child.stdout.setEncoding('utf8');
    child.stdout.on('data', function (data) {
        log(data);
    });

    child.stderr.setEncoding('utf8');
    child.stderr.on('data', function (data) {
        log(c.red(data));
        beeper();
    });
});

Chrome and firefox extensions

Scans visited sites for references to insecure libraries, and puts warnings in the developer console. An icon on the address bar displays will also indicate if vulnerable libraries were loaded.

Burp and OWASP ZAP plugin

@h3xstream has adapted Retire.js as a plugin for the penetration testing tools Burp and OWASP ZAP. An alternative OWASP ZAP plugin exists at https://github.com/nikmmy/retire/

Donate

Flattr this

Donations will be used to fund the maintainance of the tool and vulnerability repo.

You can’t perform that action at this time.
Morty Proxy This is a proxified and sanitized view of the page, visit original site.