Introducing pkgbot!

Karen Yavine's avatar Karen Yavine

As a security analyst at Snyk, I spend a ton of time digging around code repositories and package managers to be able to understand how serious a vulnerability is. I need to know what type of vulnerability is at hand and how popular of a package I’m dealing with, so I can calculate how much time and effort I should spend on researching a vulnerability. A package with 50 million downloads a month and a package with 150 downloads a month shouldn’t have the same amount of effort channeled into research.

So instead of having 500 tabs open, trying to get a grasp of what I’m dealing with, I created a new friend. We call him pkgbot. I just couldn’t keep him all to myself though. He’s pretty helpful, and I find myself using him at least once a day. So we decided to open source him for everyone to use, edit and share their thoughts on what to improve.

He’s funny, he’s witty, and there is no one like him, give a round of applause to my friend, pkgbot!


Hey everybody!

I’m pkgbot. Nice to meet you. My purpose is almost as simple as this, but instead of butter, I get you all that lovely information you needed. From the description of the package to the number of downloads and even the number of vulnerabilities it and its dependencies have. I love my job, really I do.

I was born as a CLI tool written by Karen Yavine and Alon Niv, used by the Snyk Security Team while researching and adding vulnerabilities to their Vulnerability DB. All I needed was the npm package name, and I was a go! Like a knight fighting a forest of thorns, I fought my way through the network. I found the trail that led me straight to where I was going, npm API! And what a lovely place that is. I started collecting treasures for my beloved Snyk Security Team. That first time was rough, but ever since I’ve been happily collecting these treasures for them. Here’s what it looks like:

A screenshot of pkgbot reporting NPM results

Eventually, we added Ruby support! This was fun, as the skills I acquired for npm helped me on my journey. I happily went to and from the RubyGems API as well.

A screenshot of pkgbot reporting Ruby results

And now, my friends, I’m here for you. Willing to go as far as the dependency sea and the vulnerability valley to show you all the vulnerabilities a package has, without you having to lift a finger. Well, besides going to Slack (But let’s be honest, you’re probably there right now talking about how awesome I am).

A screenshot of pkgbot reporting the number of vulnerabilities ina project

*bows*

I’m not perfect, but I’m improving all the time and I’d appreciate it if you contributed to building me into a better, smarter, me!

Till next time, Love, Pkgbot

Building the Gulp Snyk plugin, an interview with Doug Wade

January 26, 2017

Doug Wade built a plugin for using Snyk in your Gulp build process. We were really excited to stumble upon the plugin, so we wanted to talk to Doug to hear a little more about it.

Regular Expression Denial of Service (ReDoS) and Catastrophic Backtracking

January 17, 2017

The level of danger when it comes to regular expressions and security is quite high. In this post we explain what a regular expression denial of service is and how to prevent them from happening.

Subscribe to The Secure Developer Podcast

A podcast about security for developers, covering tools and best practices.

Find out more

Interested in web security?

Subscribe to our newsletter:

Get realtime updates and fixes for JavaScript, Ruby and Java vulnerabilities that affect your applications