scriptless-svg

v1.0.0

A simple command-line tool for detecting SVG files that contain embedded scripts (e.g. JavaScript), which may be undesirable from a security perspective. Uses [detect-svg-scripts](https://www.npmjs.com/package/detect-svg-scripts) for scanning.

If you want to integrate SVG scanning into a bigger application, you should use detect-svg-scripts directly instead. This package only contains a CLI tool for it.

License, donations, and other boilerplate

Licensed under either the WTFPL or CC0, at your choice. In practice, that means it's more or less public domain, and you can do whatever you want with it. Giving credit is not required, but still very much appreciated! I'd love to hear from you if this module was useful to you.

Creating and maintaining open-source modules is a lot of work. A donation is also not required, but much appreciated! You can donate here.

Screenshot

[Screenshot: output of scriptless-svg when run on the Web Platform Tests for SVG]

Usage

scriptless-svg takes any number of paths and/or globs as its arguments. If an argument doesn't exist as an exact path, it is assumed to be a glob (and will fail if not). You can include negated globs to exclude certain patterns.

Additionally, you can pass the --errors-only flag to omit all files from the output that passed the check successfully. This is especially recommended for CI setups where you are only interested in the failures.

Note that by default, only files that end in .svg are considered when you specify a directory path. If you wish to also scan files with a different extension, it must be an explicit glob.

The process will return exit code 1 if any scanned files failed the check (i.e. contain scripts), or exit code 0 if all files passed.

Examples

Scan all *.svg files in the current directory and any subdirectories:

scriptless-svg

Scan all *.svg files in a given target directory and its subdirectories:

scriptless-svg /path/to/directory

Complex globs, with e.g. exclusions (note that globs should be single-quoted to work correctly!):

scriptless-svg svg/ '!svg/scriptable/**/*.scriptable.svg'

Show only the files that failed the check (i.e. contain scripts), not the ones that passed:

scriptless-svg --errors-only svg/
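
The exit codes and the --errors-only flag described under Usage can be wired into a CI step as shown below. This is an added example, not part of scriptless-svg: the svg_gate function and the SVG_SCANNER override variable are hypothetical names, and treating any status other than 0 or 1 as a scanner failure is this example's own choice (the README only documents 0 and 1).

```shell
#!/bin/sh
# Added example: a fail-closed CI gate around scriptless-svg.
# SVG_SCANNER is a hypothetical override (useful for testing); it defaults
# to the real CLI, which is assumed to be installed on the PATH.

svg_gate() {
    scanner="${SVG_SCANNER:-scriptless-svg}"

    # A missing scanner must not look like a clean result.
    if ! command -v "$scanner" >/dev/null 2>&1; then
        echo "svg_gate: '$scanner' not found; refusing to pass" >&2
        return 2
    fi

    # --errors-only limits the CI log to the files that failed the check.
    # The '|| status=$?' form keeps this safe under 'set -e'.
    status=0
    "$scanner" --errors-only "$@" || status=$?

    case "$status" in
        0)  echo "svg_gate: no embedded scripts found" >&2
            return 0 ;;
        1)  echo "svg_gate: SVG files with embedded scripts found" >&2
            return 1 ;;
        *)  # Undocumented status: treat as a tool failure, not as a pass.
            echo "svg_gate: scanner exited with status $status" >&2
            return 2 ;;
    esac
}

# When invoked with arguments, act as the CI step itself, for example:
#   sh svg_gate.sh svg/ '!svg/scriptable/**/*.scriptable.svg'
if [ "$#" -gt 0 ]; then
    svg_gate "$@"
    exit $?
fi
```

A return value of 2 lets the pipeline distinguish "scripts were found" from "the check could not run", so a broken install does not pass unnoticed.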