Retire.js

github.com

About this website

Retire.js is a dedicated vulnerability scanner for JavaScript libraries: it detects known vulnerable versions of the front-end and Node.js libraries an application ships or loads. Created by Erlend Oftedal in 2013, it was one of the first tools built specifically for the problem of outdated, vulnerable JavaScript libraries bundled into web applications. The tool maintains its own vulnerability repository, separate from the NVD and curated for JavaScript libraries; each entry records the affected version ranges (atOrAbove/below), a severity, identifiers and advisory links, together with the extractors Retire.js uses to recognise the library in the first place.

Key scanning modes include: command-line scanning of a local project tree (identifying a library and its version from file names such as jquery-1.12.4.min.js, from version strings embedded in the file contents, or from hashes of known builds, so minified and vendored copies are caught even without a dependency manifest); a browser extension for Chrome and Firefox that inspects the JavaScript resources loaded by the pages you browse and flags vulnerable libraries with a badge and a list of findings; Burp Suite and ZAP plugins that passively scan HTTP responses for known vulnerable JavaScript inclusions during security testing; and build pipeline integration by running the CLI in CI/CD, where a scan that finds vulnerable versions exits non-zero and fails the build. The tool detects vulnerable versions of over 600 JavaScript libraries including jQuery, Angular, React, Vue, Bootstrap, Lodash, Moment.js, Axios, Socket.io, Express, Mongoose, Request, and many others.

For each detected vulnerability, Retire.js reports the CVE or other identifiers, a severity rating (low, medium, high, critical), a short description, the affected version range, the version to upgrade to, and links to the original advisories, bug reports and, where available, proof-of-concept write-ups. The CLI writes its report as text, JSON or CycloneDX (SBOM) output, and its severity threshold controls which findings count as a failure.
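To make the detection model concrete, here is an added example, not Retire.js's own code and not its real repository: a small JavaScript re-implementation of how the scanner recognises a library from a file name or an embedded version string and then matches the version against range entries. The repository object is constructed for this example in the shape of jsrepository.json (extractors using the §§version§§ placeholder, vulnerabilities with atOrAbove/below ranges); its two jQuery ranges are taken from the public jQuery advisories named in their identifiers. The sample files are constructed inputs, and the severity filter at the end plays the role of the real CLI's --severity option.

```javascript
// Added example: miniature Retire.js-style detection. Not Retire.js's own code.
// The repository is CONSTRUCTED in the shape of jsrepository.json; the two
// jQuery ranges reflect the public advisories named in their identifiers.
const VERSION_PLACEHOLDER = "§§version§§";
// What the placeholder expands to: "1.12.4", "3.5.0-rc1", ...
const VERSION_PATTERN = "[0-9]+(?:\\.[0-9]+)*(?:-[0-9a-z.]+)?";

const repository = {
  jquery: {
    extractors: {
      filename: ["jquery-(§§version§§)(\\.min)?\\.js$"],
      filecontent: [
        "/\\*!? jQuery v(§§version§§)",
        "jQuery JavaScript Library v(§§version§§)",
      ],
    },
    vulnerabilities: [
      { below: "1.6.3", severity: "medium",
        identifiers: { CVE: ["CVE-2011-4969"], summary: "XSS via location.hash passed to $()" } },
      { atOrAbove: "1.2.0", below: "3.5.0", severity: "medium",
        identifiers: { CVE: ["CVE-2020-11022"], summary: "XSS via htmlPrefilter on untrusted HTML" } },
    ],
  },
};

// Turn a repository pattern into a RegExp whose first group captures the version.
function compilePattern(pattern) {
  return new RegExp(pattern.replace(VERSION_PLACEHOLDER, VERSION_PATTERN));
}

function extractVersion(patterns, text) {
  for (const p of patterns) {
    const m = compilePattern(p).exec(text);
    if (m) return m[1];
  }
  return null;
}

const isNum = (s) => /^\d+$/.test(s);

// Compare version strings segment by segment: numeric segments compare as
// integers, a missing numeric segment counts as 0 ("1.6" == "1.6.0"), and a
// prerelease tag sorts below the bare release ("3.5.0-rc1" < "3.5.0").
function compareVersions(a, b) {
  const pa = a.split(/[.-]/), pb = b.split(/[.-]/);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i], y = pb[i];
    if (x === y) continue;
    if (x === undefined || y === undefined) {
      const present = x === undefined ? y : x;
      const sign = x === undefined ? -1 : 1;   // sign if the present side is larger
      if (!isNum(present)) return -sign;       // prerelease tag: present side is smaller
      if (Number(present) === 0) continue;     // trailing ".0" changes nothing
      return sign;
    }
    if (isNum(x) && isNum(y)) {
      const d = Number(x) - Number(y);
      if (d !== 0) return d < 0 ? -1 : 1;
    } else if (isNum(x) !== isNum(y)) {
      return isNum(x) ? 1 : -1;                // numeric segment is newer than a tag
    } else {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// True when `version` falls inside the entry's [atOrAbove, below) range.
function inRange(version, vuln) {
  if (vuln.atOrAbove && compareVersions(version, vuln.atOrAbove) < 0) return false;
  if (vuln.below && compareVersions(version, vuln.below) >= 0) return false;
  return true;
}

// Scan one file ({ name, content }): identify library and version from the file
// name first, then from the contents, then list every range covering that version.
function scanFile(file) {
  const basename = file.name.split(/[\\/]/).pop();
  const results = [];
  for (const [component, entry] of Object.entries(repository)) {
    const version =
      extractVersion(entry.extractors.filename || [], basename) ||
      extractVersion(entry.extractors.filecontent || [], file.content);
    if (!version) continue;
    results.push({ file: file.name, component, version,
      vulnerabilities: entry.vulnerabilities.filter((v) => inRange(version, v)) });
  }
  return results;
}

const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };

// Keep only detections with at least one vulnerability at or above minSeverity.
function filterBySeverity(results, minSeverity) {
  const min = SEVERITY_RANK[minSeverity];
  return results
    .map((r) => ({ ...r, vulnerabilities: r.vulnerabilities.filter((v) => SEVERITY_RANK[v.severity] >= min) }))
    .filter((r) => r.vulnerabilities.length > 0);
}

// Constructed sample inputs: a vendored minified jQuery, a bundle that only
// reveals jQuery in its banner comment, and an old unminified copy.
const sampleFiles = [
  { name: "public/js/jquery-1.12.4.min.js",
    content: "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */" },
  { name: "public/js/vendor.min.js",
    content: "/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors | jquery.org/license */" },
  { name: "legacy/lib.js",
    content: "/*!\n * jQuery JavaScript Library v1.6.1\n * http://jquery.com/\n */" },
];

function scanAll(files = sampleFiles) {
  return files.flatMap(scanFile);
}

for (const r of filterBySeverity(scanAll(), "low")) {
  const ids = r.vulnerabilities.map((v) => v.identifiers.CVE.join(",")).join(" ");
  console.log(`${r.file}: ${r.component} ${r.version} -> ${ids}`);
}
```

The version comparison is the part worth getting right: a naive string comparison would place jQuery 1.12.4 below 1.6.3 and report the older advisory against it, which is why the example compares segments numerically and treats a prerelease tag as older than the bare release.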
