loading
loading
Static Code Analysis
Scanner that detects the use of JavaScript library versions with known vulnerabilities.
overview
retire-js answers one question across a codebase: are you shipping a JavaScript or Node library version with a published vulnerability? Using components with known vulnerabilities is its own entry on the OWASP Top 10, and one stale bundled library can expose an entire web app. retire-js fingerprints the libraries it finds, matches each version against a database of known-vulnerable releases, and reports the advisories behind every match.
Point --path at a folder and it walks the tree by file extension, so you can target plain .js or widen the set with --ext, while --ignore skips vendored paths you do not control. Output comes in text, JSON, jsonsimple, and several CycloneDX SBOM variants through --outputformat, which lets you feed results into a dashboard, a build gate, or a bill of materials. Set --severity and the process exits non-zero once a finding crosses the level you choose.
On Trickest, retire-js runs as a Static Code Analysis node that takes a project folder and writes the flagged components as a file and a folder. Wire it into a build or audit pipeline so dependency risk surfaces before a release ships.
use cases
Scan a project's JavaScript files and match each library version against the vulnerability database to flag the ones with published advisories, from bundled front-end scripts to node_modules.
Set --severity so the scan exits non-zero when it finds an issue at or above the level you pick, stopping a pipeline before a risky release ships.
Emit a CycloneDX format through --outputformat to generate a software bill of materials that records every JavaScript component and its known issues, optionally adding OSV advisories with --includeOsv.
Pass an --ignore path list or an --ignorefile to skip vendored or third-party directories so the report focuses on the libraries your project ships.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| path | FOLDER | --path | Folder to scan for JavaScript files. |
| ext | STRING | --ext | Comma-separated list of file extensions for JavaScript files. Default: js. |
| severity | STRING | --severity | Severity level at which the process fails: none, low, medium, high, critical. Default: none. |
| outputformat | STRING | --outputformat | Output format: text, json, jsonsimple, depcheck, and CycloneDX variants. |
| ignore | STRING | --ignore | Comma-delimited list of paths to ignore. |
| deep | BOOLEAN | --deep | Deep scan (slower and experimental). |
| includeOsv | BOOLEAN | --includeOsv | Include OSV advisories in the output. |
| nocache | BOOLEAN | --nocache | Do not use the local cache. |
Showing key inputs. retire-js exposes 15 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| ext | STRING | --ext | Comma separated list of file extensions for JavaScript files. The default is "js". |
| deep | BOOLEAN | --deep | Deep scan (slower and experimental). |
| path | FOLDER | --path | Folder to scan for JavaScript files. |
| proxy | STRING | --proxy | Proxy url (http://some.host:8080). |
| cacert | FILE | --cacert | Use the specified certificate file to verify the peer used for fetching remote jsrepo/noderepo files. |
| colors | BOOLEAN | --colors | Enable color output (console output only). |
| ignore | STRING | --ignore | Comma delimited list of paths to ignore. |
| jsrepo | STRING | --jsrepo | Local or internal version of repo. Can be multiple comma separated. Default: central. |
| nocache | BOOLEAN | --nocache | Don't use local cache. |
| verbose | BOOLEAN | --verbose | Show identified files (by default only vulnerable files are shown). |
| insecure | BOOLEAN | --insecure | Enable fetching remote jsrepo/noderepo files from hosts using an insecure or self-signed SSL (TLS) certificate. |
| severity | STRING | --severity | Specify the bug severity level from which the process fails. Allowed levels none, low, medium, high, critical. Default: none. |
| ignorefile | FILE | --ignorefile | Custom ignore file, defaults to .retireignore / .retireignore.json. |
| includeOsv | BOOLEAN | --includeOsv | Include OSV advisories in the output. |
| outputformat | STRING | --outputformat | Valid formats: text, json, jsonsimple, depcheck (experimental), cyclonedx, cyclonedxJSON, cyclonedxJSON1_6, cyclonedxJSON1_6_VEX. |
example
# scan a web project, widen extensions, fail on high-severity findingsretire --path ./web/src --ext js,mjs --severity high --outputformat json --ignore node_modules,vendor/web/src/vendor/jquery-1.12.4.min.js ↳ jquery 1.12.4 has known vulnerabilities: severity: medium; CVE: CVE-2019-11358; https://github.com/advisories/GHSA-6c3j-c64m-qhgq ↳ jquery 1.12.4 has known vulnerabilities: severity: medium; CVE: CVE-2020-11022, CVE-2020-11023/web/src/vendor/angularjs-1.5.8.min.js ↳ angularjs 1.5.8 has known vulnerabilities: severity: high; CVE: CVE-2020-7676; summary: angular.js XSS via SVG usemap/web/src/vendor/bootstrap-3.3.7.min.js ↳ bootstrap 3.3.7 has known vulnerabilities: severity: medium; CVE: CVE-2018-14041; summary: XSS in data-targetguidance
Use Retire.js when your concern is vulnerable JavaScript and Node dependencies specifically. For multi-language dependency and SAST coverage, semgrep and trivy go wider. For secrets in JS rather than vulnerable versions, secretfinder is the right tool.
Pattern-based static analysis across many languages, including custom security rules.
Scans dependencies, containers, and IaC for known vulnerabilities across ecosystems.
Finds leaked secrets inside JavaScript files rather than vulnerable library versions.
faq
related
Find common security issues in Python code.
A source code scanner that reviews Ruby code for security issues.
Analyze big volumes of data in search of hardcoded secrets like keys and passwords.
Git ripper that can rip repositories even when directory browsing is turned off.
Check whether a Git repository pulls in Log4J, and list the files that use it.
Detect hardcoded secrets like passwords, API keys, and tokens in git repos.
A project folder feeds Retire.js, which matches each JavaScript library against the vulnerability database and writes the flagged components as a queryable output.
Facts on this page come from the live Trickest tool library.