
Review dependencies changes to prevent supply chain attack


quyet1031/multiocular-ts


ꙮ Multiocular


A Node.js tool to review dependency changes, in order to:

  • Prevent supply chain attacks.
  • Catch API breaking changes.
  • Learn from your dependencies.

In general, it brings an open-dependencies practice to your project: you stop treating node_modules as a black box.

It supports: npm, pnpm, yarn 1, yarn berry, GitHub Actions.


  Built by Evil Martians, the go-to agency for developer tools.


Usage

First, reduce the risk of exposing your system to malware during the update.

Disable postinstall for npm:

npm config set ignore-scripts true
# We also recommend switching to pnpm where postinstall is disabled by default

We also recommend using a Dev Container, or at least running your shell in a container.

Install Multiocular:

npm install multiocular
# pnpm install multiocular

Update dependencies:

# For npm
npx npm-check-updates
npm update

# For pnpm
pnpm update-interactive --latest
pnpm update

# For GitHub Actions
npx actions-up

Start the web UI to review the changes:

npx multiocular
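To show what a dependency review actually looks at, here is an added example (not Multiocular's own code) that diffs two npm lockfiles and flags the entries worth a reviewer's attention first: newly added packages, packages that gained an install script, and major version bumps. It assumes lockfileVersion 2/3, where `packages` is a map keyed by `node_modules/<name>` and each entry carries `version` and optionally `hasInstallScript`; the two lockfiles below are constructed samples, not real package data.

```javascript
// Added example: review the delta between two npm lockfiles.
// Assumes lockfileVersion 2/3 ("packages" map keyed by "node_modules/<name>").
const NM = "node_modules/";

// Flatten a lockfile into path -> { name, version, hasInstallScript }.
function depsFromLock(lock) {
  const out = new Map();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project itself
    // Nested deps look like "node_modules/a/node_modules/b"; take the last segment.
    const name = path.slice(path.lastIndexOf(NM) + NM.length);
    out.set(path, {
      name,
      version: entry.version,
      hasInstallScript: Boolean(entry.hasInstallScript),
    });
  }
  return out;
}

function major(version) {
  return Number(String(version).split(".")[0]);
}

// Returns the list of changes, flagged entries first so a reviewer reads them first.
function reviewLockfileChange(beforeLock, afterLock) {
  const before = depsFromLock(beforeLock);
  const after = depsFromLock(afterLock);
  const changes = [];

  for (const [path, b] of before) {
    const a = after.get(path);
    if (!a) {
      changes.push({ kind: "removed", name: b.name, from: b.version, reasons: [] });
    } else if (a.version !== b.version) {
      const reasons = [];
      if (major(a.version) !== major(b.version)) {
        reasons.push("major version bump: check for API breaking changes");
      }
      if (a.hasInstallScript && !b.hasInstallScript) {
        reasons.push("gained an install script: read it before installing with scripts enabled");
      }
      changes.push({ kind: "updated", name: a.name, from: b.version, to: a.version, reasons });
    }
  }
  for (const [path, a] of after) {
    if (before.has(path)) continue;
    const reasons = ["new dependency: read its source, not just its README"];
    if (a.hasInstallScript) reasons.push("has an install script");
    changes.push({ kind: "added", name: a.name, to: a.version, reasons });
  }

  changes.sort(
    (x, y) => y.reasons.length - x.reasons.length || x.name.localeCompare(y.name)
  );
  return changes;
}

function formatReport(changes) {
  return changes
    .map((c) => {
      const range = c.kind === "updated" ? `${c.from} -> ${c.to}` : c.to || c.from;
      const flags = c.reasons.length ? `  [${c.reasons.join("; ")}]` : "";
      return `${c.kind.padEnd(7)} ${c.name} ${range}${flags}`;
    })
    .join("\n");
}

// Constructed sample lockfiles (versions and the "example-helper" package are made up).
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app" },
    "node_modules/chalk": { version: "5.3.0" },
    "node_modules/debug": { version: "4.3.6" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app" },
    "node_modules/chalk": { version: "5.3.1" },
    "node_modules/debug": { version: "5.0.0" },
    "node_modules/example-helper": { version: "0.1.0", hasInstallScript: true },
  },
};

console.log(formatReport(reviewLockfileChange(LOCK_BEFORE, LOCK_AFTER)));
```

Run it with `node` and the report lists the new package with an install script first, then the major bump of `debug`, then the quiet patch update and the removal. With `ignore-scripts` set as above, a flagged install script cannot run during `npm install`, but the review is still where you decide whether to keep the package at all.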

Motivation

The current practice of treating dependencies as free black boxes is creating a lot of issues in our industry.

For instance, a supply chain attack, where malware is added to dependencies after a maintainer's account is stolen. The recent chalk/debug, nx, and GitHub Actions incidents show that this is just the beginning.

We suggest another model, open dependencies, where the team tracks its dependencies. It means fewer dependencies and more attention to each of them. But this is the only solution we see.
