
feat: add retire plugin#61

Open
cirex-web wants to merge 2 commits into main from tool/retire-js

Conversation

@cirex-web cirex-web commented Mar 11, 2026

The purpose of the Retire plugin is to help detect known vulnerabilities with installed JS plugins and libraries so that you would presumably update the packages for better security.

Pros

Setup was pretty easy, since Retire provides a CLI tool. It also provides a grunt plugin that I gave up using after trying to set it up with the existing NodeBB grunt infrastructure, but realistically, it should be possible. It's still being reasonably maintained, and has been adopted by large open-source tools like Burp.

Cons

I think that although the intention of Retire is good, the initial output may be a bit overwhelming. Furthermore, updating packages sometimes isn't a trivial task, as updates may have introduced breaking interface/API changes. I also can't seem to find their documentation? (outside of simple installation)

Example output from GitHub Actions, truncated:

[image: truncated Retire output from the GitHub Actions run]

Something like the Dependabot plugin may be better suited for this task, since it creates specific, actionable PRs that address each package vulnerability individually rather than just dumping all of the outdated packages at you at once.


Questions for part B:

  1. What is the name and high-level description of what the tool does? Provide a link to its documentation/source.

Retire is a JS package scanner that alerts developers of any outdated packages with known security vulnerabilities. (https://retirejs.github.io/retire.js/) It is available as a command line tool and a grunt plugin, among others.

  2. Is the tool used for static or dynamic analysis?

Static analysis.

  3. What types of problems does this particular tool catch?

Known security vulnerabilities on packages installed with require.

  4. What types of customization are possible or necessary?

The entire set of configuration options is as follows:

    retire: {
      js: ['app/src/*.js'], /** Which js-files to scan. **/
      node: ['node'], /** Which node directories to scan (containing package.json). **/
      options: {
        proxy: 'http://something.something:8080',
        verbose: true,
        packageOnly: true,
        jsRepository: 'https://raw.github.com/RetireJS/retire.js/master/repository/jsrepository.json',
        nodeRepository: 'https://raw.github.com/RetireJS/retire.js/master/repository/npmrepository.json',
        outputFile: './retire-output.json',
        ignore: 'documents,java',
        /** list of files to ignore **/
        ignorefile: '.retireignore' // or '.retireignore.json'
      }
    }

  5. How can/should this tool be integrated into a development process?

Likely as a check on every commit on every PR, since new vulnerabilities can show up anytime. It likely shouldn't be a blocking check (e.g. it should still pass even on alerts), since there are a lot of existing errors as of now.

  6. Are there many false positives? False negatives? True positive reports about things you don't care about?

By nature of the plugin, there shouldn't be any false positives. There can, of course, be false negatives: no warnings does not necessarily mean no vulnerabilities. The CVE system has also received a lot of criticism in the past few years for tracking a lot of useless true positive security vulnerabilities that won't ever occur in production environments.
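Retire writes its findings to the `outputFile` named in the config above; as an added example (not code from this PR, NodeBB or retire.js), the script below folds that JSON report into one row per package with the version that clears its findings and applies the severity gate the integration answer asks for. The report shape (`data[].results[].vulnerabilities[]` carrying `severity` and `below`) is assumed from retire's JSON output, and the sample report is constructed.

```javascript
'use strict';
// Constructed sample standing in for the JSON retire writes to `outputFile`; the
// shape (data[].results[].vulnerabilities[] with severity/below) is assumed here.
const SAMPLE_REPORT = { data: [
  { file: 'public/vendor/jquery.min.js', results: [{ component: 'jquery', version: '1.12.0',
    vulnerabilities: [{ severity: 'medium', below: '3.0.0', identifiers: { summary: 'constructed A' } },
                      { severity: 'high', below: '3.5.0', identifiers: { summary: 'constructed B' } }] }] },
  { file: 'node_modules/lodash/package.json', results: [{ component: 'lodash', version: '4.17.15',
    vulnerabilities: [{ severity: 'low', below: '4.17.19', identifiers: { summary: 'constructed C' } }] }] },
] };
const RANK = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };
// Numeric compare for the x.y.z version strings in the report.
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Fold the file-oriented report into one row per component@version: worst severity,
// finding count, files seen in, and the smallest version that clears every finding
// (the largest `below` bound). `blockAt` is the severity at which CI should fail.
function triage(report, blockAt = 'high') {
  const rows = new Map();
  for (const entry of report.data || []) {
    for (const r of entry.results || []) {
      const key = `${r.component}@${r.version}`;
      const row = rows.get(key) || { component: r.component, version: r.version,
        worst: 'none', findings: 0, upgradeTo: r.version, files: [] };
      if (!row.files.includes(entry.file)) row.files.push(entry.file);
      for (const v of r.vulnerabilities || []) {
        row.findings += 1;
        if ((RANK[v.severity] || 0) > RANK[row.worst]) row.worst = v.severity;
        if (v.below && cmpVersion(v.below, row.upgradeTo) > 0) row.upgradeTo = v.below;
      }
      rows.set(key, row);
    }
  }
  const list = [...rows.values()].sort((a, b) => RANK[b.worst] - RANK[a.worst]);
  return { rows: list, shouldBlock: list.some((r) => RANK[r.worst] >= RANK[blockAt]) };
}
// One actionable line per component, closer to a per-package PR than a raw dump.
function render({ rows, shouldBlock }) {
  const lines = rows.map((r) => `${r.worst.toUpperCase()} ${r.component}@${r.version}` +
    ` -> upgrade to >= ${r.upgradeTo} (${r.findings} finding(s) in ${r.files.join(', ')})`);
  lines.push(shouldBlock ? 'RESULT: blocking findings present' : 'RESULT: advisory only');
  return lines;
}
if (typeof require !== 'undefined' && require.main === module) console.log(render(triage(SAMPLE_REPORT)).join('\n'));
```

To make the check advisory, as the integration answer suggests, call `triage(report, 'critical')` (or ignore `shouldBlock`) and only print the rows; raise `blockAt` once the existing backlog is cleared.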

@railway-app railway-app Bot temporarily deployed to Clean Code Team (nodebb) / nodebb-spring-26-clean-cod-pr-61 March 11, 2026 19:58 Destroyed

railway-app Bot commented Mar 11, 2026

🚅 Deployed to the nodebb-spring-26-clean-cod-pr-61 environment in Clean Code Team (nodebb)

Service: nodebb-spring-26-clean-code
Status: Removed
Web
Updated (UTC): Mar 17, 2026 at 1:52 am
