Security Alerts for NodeJS

A couple of weeks ago VersionEye started showing security issues for PHP projects. Now the same feature works for NodeJS / NPM packages. If VersionEye is monitoring a package.json for you, you will see a “Security” tab in the project view, as in this example.

VersionEye-NodeJS-Security-View

The “Security” tab lists all known security vulnerabilities for your 3rd party dependencies. Clicking on a package name opens the package detail page with a more detailed description of the vulnerability.

VersionEye-NodeJS-Security

In most cases the recommended fix is to update to the current version of the affected package.

This feature is pretty new, but it has already been well tested by the PHP community. Your feedback is welcome either here in the comments or on Twitter.

NPM Module for VersionEye

Now there is an NPM module for the VersionEye API. The versioneye-update NPM module was developed by Onwerk, a software service provider from Mannheim (South Germany). They develop web & mobile applications with Node.JS, like this interactive Jackpot game built with an iPad, an XBox Kinect, a Raspberry Pi and NodeJS.

The Onwerk engineers like to stay on the cutting edge of technology. They want to keep their dependencies up-to-date to get bug & security fixes into their applications as soon as possible, and of course they want to take advantage of new features as early as they can.

Onwerk+NPM=VersionEyeUpdate

VersionEye has a very good integration for GitHub and Bitbucket. If your source code is hosted on one of these cloud SCMs, VersionEye can monitor your package.json directly via the GitHub/Bitbucket API and you get notifications about out-dated dependencies automatically.

But the use case for Onwerk is different. They do big software projects for large customers, and because of NDAs and German privacy laws they are not allowed to hand the source code to anybody else. That is why they use the VersionEye API to get notified about out-dated dependencies.

And because they wanted to automate the whole process they developed the versioneye-update NPM module, which gets executed on each build on their private Jenkins CI Server. The process looks like this:

Onwerk-VersionEye-Integration

The NPM module versioneye-update runs on each build on the Jenkins server. It sends the current package.json file to the VersionEye API to update an existing VersionEye project, so VersionEye knows which dependencies the project uses right now. VersionEye then compares the version requirements from package.json with the newest versions in the VersionEye database to find out-dated dependencies. If there is at least one out-dated dependency or at least one license violation, VersionEye sends an email notification to the project owner and the project collaborators.
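As an added illustration of the comparison this process describes (example code written for this page, not the versioneye-update module and not VersionEye's server-side logic), the following Node.js script reads a constructed package.json, resolves each declared range against a constructed registry snapshot, and reports out-dated dependencies and license violations. The package names, versions, licenses and the allowed-license list are all made-up assumptions; a real check would fetch the release data from the npm registry.

```javascript
'use strict';

// Constructed registry snapshot: package name -> known releases with license.
// Hypothetical data for this example; a real check would fetch it from the npm registry.
const REGISTRY = {
  request: [
    { version: '2.27.0', license: 'Apache-2.0' },
    { version: '2.30.0', license: 'Apache-2.0' },
    { version: '2.31.0', license: 'Apache-2.0' },
  ],
  express: [
    { version: '3.4.8', license: 'MIT' },
    { version: '4.0.0', license: 'MIT' },
  ],
  'copyleft-widget': [{ version: '1.0.0', license: 'GPL-3.0' }], // hypothetical package
};

// Constructed package.json for a hypothetical project (the file the CI job would send).
const PACKAGE_JSON = {
  name: 'onwerk-demo',
  dependencies: { request: '~2.27.0', express: '^4.0.0', 'copyleft-widget': '1.0.0' },
  devDependencies: { mocha: '*' },
};

// Licenses the hypothetical project policy allows; anything else is a violation.
const ALLOWED_LICENSES = ['MIT', 'Apache-2.0', 'BSD-3-Clause'];

// "v1.2.3-beta" -> [1, 2, 3]; a leading "v" and any pre-release tag are ignored,
// missing components count as 0.
function parseVersion(v) {
  const core = v.trim().replace(/^v/, '').split('-')[0];
  const parts = core.split('.').map((p) => parseInt(p, 10));
  while (parts.length < 3) parts.push(0);
  return parts.map((n) => (Number.isNaN(n) ? 0 : n));
}

// Negative if a < b, 0 if equal, positive if a > b (numeric, so 2.10.0 > 2.9.9).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Does `version` satisfy a package.json range? Supports the common forms
// "*", "x.y.z", "^x.y.z", "~x.y.z" and ">=x.y.z" (not the full semver range syntax).
function satisfies(version, range) {
  const r = range.trim();
  if (r === '' || r === '*' || r === 'latest') return true;
  const m = r.match(/^(\^|~|>=)?\s*v?(\d+(?:\.\d+){0,2})$/);
  if (!m) return false; // unsupported syntax: treat as not satisfied
  const op = m[1] || '';
  const base = m[2];
  if (compareVersions(version, base) < 0) return false;
  const v = parseVersion(version);
  const b = parseVersion(base);
  if (op === '>=') return true;
  if (op === '^') return b[0] === 0 ? v[0] === 0 && v[1] === b[1] : v[0] === b[0];
  if (op === '~') return v[0] === b[0] && v[1] === b[1];
  return compareVersions(version, base) === 0; // exact pin
}

// Highest known release satisfying the range, i.e. what `npm install` would pick.
function resolve(releases, range) {
  const matching = releases.filter((rel) => satisfies(rel.version, range));
  if (matching.length === 0) return null;
  return matching.reduce((best, rel) => (compareVersions(rel.version, best.version) > 0 ? rel : best));
}

// Check every dependency section of a package.json against the registry snapshot.
function checkProject(pkg, registry, allowedLicenses) {
  const report = { outdated: [], licenseViolations: [], unknown: [], upToDate: [] };
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      const releases = registry[name];
      if (!releases || releases.length === 0) {
        report.unknown.push(name); // package not in the snapshot at all
        continue;
      }
      const latest = releases.reduce((best, rel) => (compareVersions(rel.version, best.version) > 0 ? rel : best));
      const resolved = resolve(releases, range);
      if (!resolved) {
        report.unknown.push(name); // no known release matches the declared range
        continue;
      }
      if (compareVersions(resolved.version, latest.version) < 0) {
        report.outdated.push({ name, range, resolved: resolved.version, latest: latest.version });
      } else {
        report.upToDate.push(name);
      }
      if (!allowedLicenses.includes(resolved.license)) {
        report.licenseViolations.push({ name, version: resolved.version, license: resolved.license });
      }
    }
  }
  return report;
}

// Run the check on the constructed inputs; a CI job would fail the build on findings.
function runDemo() {
  return checkProject(PACKAGE_JSON, REGISTRY, ALLOWED_LICENSES);
}

if (typeof module !== 'undefined') {
  module.exports = { parseVersion, compareVersions, satisfies, resolve, checkProject, runDemo };
  if (require.main === module) console.log(JSON.stringify(runDemo(), null, 2));
}
```

The point of resolving the range first is that a requirement like "~2.27.0" will never pick up 2.31.0 no matter how often the build runs npm install, which is exactly the situation an out-dated check has to surface; a package that is missing from the registry data, or whose range matches no known release, is reported as unknown rather than silently treated as current.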

That way the whole process is automated. The engineers don’t have to run weird commands in the console and they run no risk of forgetting a step. Besides that, the source code stays in house. VersionEye never has access to the source code. The only file that has to be shared with VersionEye is the package.json, and that file doesn’t get stored on the server: after it has been parsed once, the file object is left to the garbage collector. Keep in mind that package.json still reveals which packages and versions a project uses, so check that sharing that metadata is compatible with your NDAs.

Try the versioneye-update module yourself and give feedback. Besides this NPM module there are many other plugins and add-ons built on top of the VersionEye API. Check them out on the API page.

Most referenced packages

We just updated our language pages. Up to now we only displayed the top 10 most followed packages and the 10 most recently updated packages. Now we also display the top 10 most referenced packages for that language. Here is an example from the Ruby page.

Screen Shot 2014-01-06 at 18.49.42

The first column shows the top 10 packages with the most references. Rspec is the most referenced package in Ruby! 19498 other gems reference it, more than reference Ruby on Rails.

Feel free to check out the other language pages as well:

https://www.versioneye.com/php
https://www.versioneye.com/Clojure
https://www.versioneye.com/Node.JS
https://www.versioneye.com/Objective-C

Let us know what you think!

Improved integration for NodeJS and NPM

We have had an integration for Node.JS / NPM for a couple of months already, but honestly the first integration was not the best. The NPM crawler scraped packages from the HTML pages of npmjs.org, so the meta information we had was not always complete. In particular we were missing the version numbers of the dependencies.

The updated NPM crawler now uses the NPM registry, which gives us much better meta information about NPM packages. Now we can display the correct versions of the dependencies. Here are the dependencies of the request package.


Besides the table view we can even display an interactive dependency graph with all transitive dependencies.


Besides the dependencies we display some NPM code snippets and the download link to the package.


And because we now have all the release dates, we can show you the average release time of each NPM package, along with some additional meta information such as references and license information.
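As an added example (not VersionEye's crawler code), here is how a crawler can pull the information mentioned above out of an npm registry document instead of an HTML page: versions, dependency ranges, license, download link and release dates, plus the average time between stable releases. The registry document below is constructed for this page: its field names (dist-tags, versions, time, dist.tarball) follow the real npm registry format, but the package name, dates and dependency ranges are invented.

```javascript
'use strict';

// Constructed npm registry document ("packument") for a hypothetical package.
// Field layout follows the npm registry; the values are made up for this example.
const PACKUMENT = {
  name: 'sample-http-client',
  'dist-tags': { latest: '2.2.0', next: '3.0.0-beta.1' },
  versions: {
    '2.0.0': { version: '2.0.0', license: 'Apache-2.0',
      dependencies: { qs: '~0.6.0', 'form-data': '~0.1.0' },
      dist: { tarball: 'https://registry.example/sample-http-client/-/sample-http-client-2.0.0.tgz' } },
    '2.1.0': { version: '2.1.0', license: 'Apache-2.0',
      dependencies: { qs: '~0.6.0', 'form-data': '~0.1.0', 'tunnel-agent': '~0.3.0' },
      dist: { tarball: 'https://registry.example/sample-http-client/-/sample-http-client-2.1.0.tgz' } },
    '2.2.0': { version: '2.2.0', license: 'Apache-2.0',
      dependencies: { qs: '~0.6.0', 'form-data': '~0.1.0', 'tunnel-agent': '~0.3.0', hawk: '~1.0.0' },
      dist: { tarball: 'https://registry.example/sample-http-client/-/sample-http-client-2.2.0.tgz' } },
    '3.0.0-beta.1': { version: '3.0.0-beta.1', license: 'Apache-2.0',
      dependencies: { qs: '^1.0.0' },
      dist: { tarball: 'https://registry.example/sample-http-client/-/sample-http-client-3.0.0-beta.1.tgz' } },
  },
  // The registry keeps publish timestamps in "time", keyed by version string.
  time: {
    created: '2013-06-01T10:00:00.000Z',
    modified: '2014-01-20T09:00:00.000Z',
    '2.0.0': '2013-06-01T10:00:00.000Z',
    '2.1.0': '2013-09-01T10:00:00.000Z',
    '2.2.0': '2013-12-01T10:00:00.000Z',
    '3.0.0-beta.1': '2014-01-20T09:00:00.000Z',
  },
};

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// A pre-release carries a hyphenated tag after the patch number (e.g. 3.0.0-beta.1).
function isPrerelease(version) {
  return version.includes('-');
}

// Order version strings numerically per component ("2.10.0" sorts after "2.9.9").
// Adequate for stable x.y.z strings; pre-releases are filtered out before use.
function compareVersionStrings(a, b) {
  return a.localeCompare(b, undefined, { numeric: true });
}

// Turn a packument into the per-version records a crawler would store:
// version, license, publish date, dependency ranges and tarball link, oldest first.
function extractReleases(doc) {
  return Object.values(doc.versions)
    .map((v) => ({
      version: v.version,
      license: v.license || 'unknown',
      publishedAt: doc.time[v.version] || null,
      dependencies: v.dependencies || {},
      tarball: v.dist && v.dist.tarball ? v.dist.tarball : null,
      prerelease: isPrerelease(v.version),
    }))
    .sort((a, b) => Date.parse(a.publishedAt) - Date.parse(b.publishedAt));
}

// Mean number of days between consecutive stable releases (null if fewer than two).
function averageReleaseDays(releases) {
  const stable = releases.filter((r) => !r.prerelease && r.publishedAt);
  if (stable.length < 2) return null;
  let total = 0;
  for (let i = 1; i < stable.length; i++) {
    total += (Date.parse(stable[i].publishedAt) - Date.parse(stable[i - 1].publishedAt)) / MS_PER_DAY;
  }
  return total / (stable.length - 1);
}

// Summary for a package page. "latest" is taken from dist-tags, the tag that
// `npm install` actually resolves, not from the highest version string: a
// pre-release such as 3.0.0-beta.1 sorts higher without being "latest".
function summarize(doc) {
  const releases = extractReleases(doc);
  const stable = releases.filter((r) => !r.prerelease).map((r) => r.version);
  const latest = doc['dist-tags'].latest;
  return {
    name: doc.name,
    latest,
    highestStable: stable.slice().sort(compareVersionStrings).pop() || null,
    releaseCount: releases.length,
    stableCount: stable.length,
    averageReleaseDays: averageReleaseDays(releases),
    latestDependencies: (doc.versions[latest] || {}).dependencies || {},
    releases,
  };
}

function runDemo() {
  return summarize(PACKUMENT);
}

if (typeof module !== 'undefined') {
  module.exports = { extractReleases, averageReleaseDays, summarize, compareVersionStrings, runDemo };
  if (require.main === module) console.log(JSON.stringify(runDemo(), null, 2));
}
```

Reading the JSON document instead of the HTML page is what makes the dependency ranges and publish dates available at all; the one thing to be careful about is that the newest version string in the document is not necessarily what users get, so "latest" should always come from dist-tags.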


There are 3847 other packages on NPM referencing the request package. That is a strong indicator of how widely used, and by implication how well tested, the request package is.

VersionEye started its first Meetup group “Geek2Geek”

Geek2Geek is a monthly Berlin tech talk. Our goal is to bring together software developers with diverse backgrounds. We noticed that the coding community is often isolated, meaning that PHP devs only go to PHP user groups and Java devs only to Java user groups.

However, we believe that we could achieve great things if we connect. If you’re an open source developer, start-up, techie, or geek using Java, Ruby, Python, Node.JS, PHP, JavaScript, R or Clojure, this group is for you!

Our first meetup is on July 23, 2013, and we’re pleased to announce that the speakers for our first Geek2Geek meetup are Christoph Beckmann from KaufDA and Tobias Balling from BLINKIST. This time we will focus on “IT infrastructure for DevOps”.

Christoph Beckmann
Christoph is team lead at KaufDA. He prefers to develop with the Grails framework and is a DevOps expert. Over the past 2 1/2 years he has helped build the international KaufDA IT team. Previously, he gained experience at a consulting firm in Cologne and founded Germany’s first toilet search engine. Christoph will show how KaufDA manages its infrastructure with Puppet in 5 countries.

Tobias Balling
Tobias is CTO at BLINKIST. He is currently thinking about the perfect presentation topic, so more details are coming soon!

Thanks to VersionEye, snacks and beer are available for free, while supplies last. We’re looking forward to meeting you!

VersionEye’s new Dependency Badges

We are happy to announce that VersionEye now provides new dependency badges for Java, Ruby, PHP and Node.JS. They are available on every package page and look like this:


With the help of the badges you can see immediately whether the dependencies of a software library are up-to-date, out-of-date or unknown. Click on a badge and a pop-up window will appear with code snippets for the most commonly used markup languages. To add a badge to your GitHub Readme.md or other HTML pages, simply copy and paste.

Good news: The badges are also available for your public VersionEye projects.


A project is up-to-date when all of its dependencies are up-to-date.

Can’t wait to see these badges on GitHub!  :-)