Retire.js is a command line scanner that helps you identify dependencies with known vulnerabilites in your application. Using the provided Grunt plugin you can easily include Retire.js into your build process. Retire.js also provides a chrome extension allowing you to detect libraries while surfing your website.

To detect a given version of a given component, Retire.js uses filename or URL. If that fails, it will download/open the file and look for specific comments within the file. If that also fails, there is the possibility to use hashes for minified files. And if that fails as well, the Chrome plugin will run code in a sandbox to try to detect the component and version. This last detection mechanims is not available in the command line scanner, as running arbitrary JavaScript-files in the node-process could have unwanted consequences. If anybody knows of a good way to sandbox the code on node, feel free to register and issue or contribute.

It's important to note that even though your site is using a vulnerable library, that does not necessarily mean your site is vulnerable. It depends on whether and how your site exercises the vulnerable code. That said, it's better to be safe than sorry.

Download Retire.js