View on GitHub

Retire.js

What you require you must also retire

Download this project as a .zip file Download this project as a tar.gz file

There is a plethora of JavaScript libraries for use on the web and in node.js apps out there. This greatly simplifies, but we need to stay update on security fixes. "Using Components with Known Vulnerabilities" is now a part of the OWASP Top 10 and insecure can libraries can pose a huge risk for your webapp. The goal of Retire.js is to help you detect use of version with known vulnerabilities.

Retire.js has these parts:

  1. A command line scanner
  2. A grunt plugin
  3. A Chrome extension
  4. A Firefox extension
  5. Burp and OWASP Zap plugin

Command line scanner

Scan a web app or node app for use of vulnerable JavaScript libraries and/or node modules.

Grunt plugin

grunt-retire scans your grunt enabled app for use of vulnerable JavaScript libraries and/or node modules.

Chrome and Firefox extensions

Scans visited sites for references to insecure libraries, and puts warnings in the developer console. A icon on the address bar displays will also indicated if vulnerable libraries were loaded.

Burp and OWASP ZAP plugins

Retire.js has been adapted as a plugin for the penetration testing tools Burp and OWASP ZAP.

Vulnerabilities

These are the vulnerabilities currently detected by Retire.js

JavaScript libraries

LibraryFrom versionUp to versionLinks

Node packages

LibraryFrom versionUp to versionLinks