1 unstable release: 0.1.0 (Sep 5, 2023)
Crate size: 590KB, 932 lines
goblin_prospector
A small tool that reads the lockfiles in a project, looks up each dependency's repository, and lists the upstream releases that are newer than the version the project pins. The point is to surface changes the project has not yet picked up, such as a vulnerability or behaviour that was recently fixed upstream but is still present in the pinned version and therefore still exploitable in that project.
Currently supports:
Lockfiles
- yarn (yarn.lock)
- npm (package-lock.json)
- ruby (Gemfile.lock)
Releases from repositories
- GitHub
- GitLab
Installation
You can install from crates.io using cargo:
cargo install goblin_prospector
Or download a prebuilt binary from the releases.
You can also just clone the repo and build the tool with cargo:
git clone https://gitlab.com/bea_stung/goblin_prospector.git
cd goblin_prospector
cargo install --path=.
Usage
Basic usage
goblin_prospector -d ~/repos/gitlab --github-token GITHUB_TOKEN_HERE -c 40
Example Output:
[[ GitHub KaTeX/KaTeX ]]:
katex (Yarn) [0.13.2]:
GitHub (KaTeX/KaTeX): git+https://github.com/KaTeX/KaTeX.git
More recent releases:
[v0.16.8]:
0.16.8 (2023-06-24)
Features
expose error length and raw error message on ParseError (#3820) (710774a)
[v0.16.7]:
0.16.7 (2023-04-28)
Bug Fixes
docs/support_table.md: delete redundant "varPsi" (#3814) (33a1b98)
.....
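The two steps the tool chains together (pinning a dependency's version from a lockfile, then comparing it against the tags published upstream, as in the katex output above) can be shown in a few dozen lines. The following is an added example written for this page in Rust, not goblin_prospector's own code: it parses the `specs:` block of a Gemfile.lock and the entries of a yarn v1 lockfile, reduces versions to a comparable major.minor.patch triple, and reports which upstream tags are strictly newer than the pinned one. The lockfile contents and the list of upstream tags are constructed for the example; the real tool fetches releases over the GitHub and GitLab APIs, which this example deliberately does not do.

```rust
// Added example (not goblin_prospector's own code): a dependency-free sketch
// of "read the lockfile, then list releases newer than the pinned version".
// The lockfile samples and the upstream tag list below are constructed.

/// A dependency name paired with the exact version the lockfile pins.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Locked {
    pub name: String,
    pub version: String,
}

/// Parse the `specs:` entries of a Gemfile.lock. Spec lines sit at exactly
/// four spaces of indentation and read `name (version)`; lines indented
/// deeper are the spec's own dependency constraints and are skipped.
pub fn parse_gemfile_lock(text: &str) -> Vec<Locked> {
    let mut out = Vec::new();
    for line in text.lines() {
        let indent = line.len() - line.trim_start().len();
        if indent != 4 {
            continue;
        }
        if let Some((name, rest)) = line.trim().split_once(" (") {
            if let Some(version) = rest.strip_suffix(')') {
                out.push(Locked { name: name.to_string(), version: version.to_string() });
            }
        }
    }
    out
}

/// Parse a yarn v1 lockfile. Each entry opens with an unindented header such
/// as `"@babel/core@^7.0.0", "@babel/core@^7.2.0":` and pins its resolved
/// version on a following `  version "x.y.z"` line. The package name is the
/// first requirement in the header with its range stripped after the last
/// '@' (scoped names keep their leading '@').
pub fn parse_yarn_lock(text: &str) -> Vec<Locked> {
    let mut out = Vec::new();
    let mut current: Option<String> = None;
    for line in text.lines() {
        if line.starts_with('#') || line.trim().is_empty() {
            continue;
        }
        if !line.starts_with(' ') {
            let header = line.trim_end_matches(':');
            let first = header.split(", ").next().unwrap_or(header).trim_matches('"');
            let name = match first.rfind('@') {
                Some(0) | None => first,
                Some(idx) => &first[..idx],
            };
            current = Some(name.to_string());
        } else if let Some(name) = &current {
            if let Some(version) = line.trim().strip_prefix("version ") {
                out.push(Locked { name: name.clone(), version: version.trim_matches('"').to_string() });
            }
        }
    }
    out
}

/// Reduce `1.2.3`, `v1.2.3`, `1.2.3-rc.1` or `1.13.8-x86_64-linux` to a
/// comparable (major, minor, patch) triple; pre-release and platform
/// suffixes are dropped, non-numeric input yields None instead of a guess.
pub fn parse_semver(s: &str) -> Option<(u64, u64, u64)> {
    let core = s.trim().trim_start_matches('v');
    let core = core.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>());
    let major = parts.next()?.ok()?;
    let minor = parts.next().unwrap_or(Ok(0)).ok()?;
    let patch = parts.next().unwrap_or(Ok(0)).ok()?;
    Some((major, minor, patch))
}

/// Given the pinned version and the tags published upstream, return the tags
/// that are strictly newer, newest first. Unparseable tags are ignored.
pub fn newer_releases(locked: &str, tags: &[&str]) -> Vec<String> {
    let base = match parse_semver(locked) {
        Some(v) => v,
        None => return Vec::new(),
    };
    let mut newer: Vec<((u64, u64, u64), String)> = tags
        .iter()
        .filter_map(|t| parse_semver(t).map(|v| (v, t.to_string())))
        .filter(|(v, _)| *v > base)
        .collect();
    newer.sort_by(|a, b| b.0.cmp(&a.0));
    newer.into_iter().map(|(_, t)| t).collect()
}

// Constructed sample lockfiles (not taken from any real project).
pub const SAMPLE_GEMFILE_LOCK: &str = r##"GEM
  remote: https://rubygems.org/
  specs:
    nokogiri (1.13.8-x86_64-linux)
      racc (~> 1.4)
    racc (1.6.0)

PLATFORMS
  x86_64-linux
"##;

pub const SAMPLE_YARN_LOCK: &str = r##"# yarn lockfile v1

"@babel/core@^7.0.0", "@babel/core@^7.2.0":
  version "7.18.6"
  resolved "https://registry.example/@babel/core-7.18.6.tgz"

katex@^0.13.0:
  version "0.13.2"
  resolved "https://registry.example/katex-0.13.2.tgz"
"##;

fn main() {
    // Constructed upstream tag list standing in for an API response.
    let upstream_katex = ["v0.13.2", "v0.16.7", "v0.16.8", "v0.12.0"];
    for dep in parse_yarn_lock(SAMPLE_YARN_LOCK) {
        println!("{} (Yarn) [{}] newer upstream: {:?}", dep.name, dep.version,
                 newer_releases(&dep.version, &upstream_katex));
    }
    for dep in parse_gemfile_lock(SAMPLE_GEMFILE_LOCK) {
        println!("{} (Gemfile.lock) [{}]", dep.name, dep.version);
    }
}
```

The triage value is in the newest-first list: the changelog entries between the pinned version and the head of that list are exactly what a reviewer reads to decide whether the gap contains a security fix the project is still missing. Only exact pins are compared; ranges in the header of a yarn entry are ignored in favour of the resolved `version` line, which is the one that actually ships.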
Help message
goblin_prospector --help
Example Output:
Goblin goes and gets information about new dependancy features introduced after the versions used by a project.
Point me at a project directory and watch me go boss, yeehaw!
Supports:
Lockfiles:
- yarn (yarn.lock)
- npm (package-lock.json)
- ruby (Gemfile.lock)
Releases from repositories:
- GitHub
- GitLab
Usage: goblin_prospector [OPTIONS] --dir <DIR>
Options:
-d, --dir <DIR> Directory of project to check
--github-token <GITHUB_TOKEN> GitHub token for API
--gitlab-token <GITLAB_TOKEN> GitLab token for API
-c, --concurrent-requests <CONCURRENT_REQUESTS> Number of concurrent requests
-o, --output <OUTPUT> Output file name
-h, --help Print help
-V, --version Print version
Dependencies: ~15–32MB, ~531K SLoC