DEV Community

Dragoljub Bogićević

npm - are your dependencies vulnerable

TL;DR

npm audit found 936 vulnerabilities in my project.
npm audit fix fixed 929 of 936 vulnerabilities, others require manual review. 😎 👌

As developers we use 3rd party dependencies all the time, and why wouldn't we, right? But are we aware of our dependencies' code base? Are we sure they follow best practices, especially regarding security? In most cases we are not...

Luckily, we can use the npm audit command to find known vulnerabilities in our dependency tree. Below you can see part of the package.json of a project I have been working on for several months now. The project is not yet in production, so I had not checked the dependencies since it started (bad practice, I know...).

"dependencies": {
    "@angular/animations": "~8.0.1",
    "@angular/cdk": "~8.2.3",
    "@angular/common": "~8.0.1",
    "@angular/compiler": "~8.0.1",
    "@angular/core": "~8.0.1",
    "@angular/forms": "~8.0.1",
    "@angular/material": "^8.2.3",
    "@angular/platform-browser": "~8.0.1",
    "@angular/platform-browser-dynamic": "~8.0.1",
    "@angular/platform-server": "~8.0.1",
    "@angular/router": "~8.0.1",
    "@ngrx/effects": "^8.2.0",
    "@ngrx/entity": "^8.2.0",
    "@ngrx/router-store": "^8.2.0",
    "@ngrx/store": "^8.2.0",
    "@ngrx/store-devtools": "^8.2.0",
    "@nguniversal/express-engine": "^8.1.1",
    "@nguniversal/module-map-ngfactory-loader": "8.1.1",
    "@ngx-translate/core": "^11.0.1",
    "@ngx-translate/http-loader": "^4.0.0",
    "bootstrap-4-grid": "^3.1.0",
    "express": "^4.15.2",
    "guid-typescript": "^1.0.9",
    "hammerjs": "^2.0.8",
    "lodash": "^4.17.15",
    "ng-click-outside": "^5.1.1",
    "ng-svg-icon-sprite": "^1.7.0",
    "ng2-datepicker": "^3.1.1",
    "ngx-device-detector": "^1.3.19",
    "ngx-slimscroll": "^7.1.0",
    "rxjs": "~6.4.0",
    "saturn-datepicker": "^8.0.1",
    "stacktrace-js": "^2.0.0",
    "tslib": "^1.9.0",
    "underscore": "^1.9.1",
    "zone.js": "~0.9.1"
  },
  "devDependencies": {
    "@angular-devkit/build-angular": "^0.901.1",
    "@angular/cli": "~8.0.4",
    "@angular/compiler-cli": "~8.0.1",
    "@angular/language-service": "~8.0.1",
    "@compodoc/compodoc": "^1.1.10",
    "@ngrx/schematics": "^8.2.0",
    "@types/jasmine": "~3.3.8",
    "@types/jasminewd2": "~2.0.3",
    "@types/node": "~8.9.4",
    "codelyzer": "^5.0.0",
    "commit-message-validator": "^0.1.11",
    "husky": "^3.0.8",
    "jasmine-core": "~3.4.0",
    "jasmine-spec-reporter": "~4.2.1",
    "karma": "~4.1.0",
    "karma-chrome-launcher": "^2.2.0",
    "karma-coverage-istanbul-reporter": "~2.0.1",
    "karma-jasmine": "~2.0.1",
    "karma-jasmine-html-reporter": "^1.4.0",
    "prettier": "^1.18.2",
    "pretty-quick": "^1.11.1",
    "protractor": "~5.4.0",
    "puppeteer": "^2.1.1",
    "svg2sprite-cli": "2.0.0",
    "ts-loader": "^5.2.0",
    "ts-node": "~7.0.0",
    "tslint": "~5.15.0",
    "typescript": "~3.4.3",
    "webpack-bundle-analyzer": "^3.6.1",
    "webpack-cli": "^3.1.0"
  }

After executing the npm audit command, this is a shortened version of the output:

found 936 vulnerabilities (908 low, 12 moderate, 16 high) in 26333 scanned packages
  run `npm audit fix` to fix 929 of them.
  1 vulnerability requires semver-major dependency updates.
  6 vulnerabilities require manual review. See the full report for details.

As you can see, 936 vulnerabilities: the results are not great at all. After running npm audit fix, this is the outcome:

updated 4 packages in 19.129s
fixed 929 of 936 vulnerabilities in 26333 scanned packages
  6 vulnerabilities required manual review and could not be updated
  1 package update for 1 vuln involved breaking changes
  (use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually)

Almost everything is fixed, nice.

We all know that ensuring dependencies do not contain known security vulnerabilities is very important for overall security. The solution described above is one way to do it, but it still requires some manual work: the fixes that need a semver-major update and the ones flagged for manual review have to be reviewed by a person.
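The remaining manual work is easier when the audit output is triaged automatically into the same three buckets npm audit fix reports (auto-fixable, fixable only with a semver-major bump, no fix available) and the build is failed above a chosen severity. The following is an added example, not code from the post; it assumes the `auditReportVersion: 2` JSON format of `npm audit --json` (npm 7 and later; the post's output comes from the older npm 6 format), and the report below is constructed sample data, not the author's project.

```javascript
// Triage of `npm audit --json` output (auditReportVersion 2, npm 7+).
// The report below is CONSTRUCTED sample data with hypothetical package names.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-a": { name: "example-a", severity: "low", isDirect: false,
      fixAvailable: true },                                  // plain `npm audit fix`
    "example-b": { name: "example-b", severity: "high", isDirect: true,
      fixAvailable: { name: "example-b", version: "9.0.0", isSemVerMajor: true } },
    "example-c": { name: "example-c", severity: "moderate", isDirect: false,
      fixAvailable: false },                                 // needs manual review
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 1, high: 1, critical: 0, total: 3 } },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Split findings into the three buckets `npm audit fix` reports:
// auto-fixable, fixable only with a semver-major bump (`--force`),
// and no fix available (patch, replace the package, or accept the risk).
function triage(report) {
  const out = { autoFix: [], semverMajor: [], manualReview: [] };
  for (const v of Object.values(report.vulnerabilities)) {
    if (v.fixAvailable === false) out.manualReview.push(v.name);
    else if (v.fixAvailable === true || !v.fixAvailable.isSemVerMajor) out.autoFix.push(v.name);
    else out.semverMajor.push(v.name);
  }
  return out;
}

// Names of findings at or above `threshold` severity, for use as a CI gate.
function findingsAtOrAbove(report, threshold = "high") {
  const min = SEVERITY_RANK[threshold];
  return Object.values(report.vulnerabilities)
    .filter((v) => SEVERITY_RANK[v.severity] >= min)
    .map((v) => v.name);
}

// Gate decision: non-zero exit code when anything at/above threshold remains,
// so a pipeline step fails instead of only printing a summary.
function gate(report, threshold = "high") {
  const blocking = findingsAtOrAbove(report, threshold);
  return { blocking, exitCode: blocking.length ? 1 : 0 };
}

console.log(triage(sampleReport));
console.log(gate(sampleReport));
```

In a pipeline, pipe the real report in with `npm audit --json` and call `process.exit(gate(report).exitCode)`; the threshold should be agreed per project rather than left at the default.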

A much better way to stay secure and up to date is to automate the process by integrating tools like Dependabot or Snyk: they check your dependencies against known vulnerabilities and open a pull request with the updates, after which you review the changes and merge the pull request.

Thank you for reading!

Top comments (2)

Daniel Parmenvik

Great that you highlight the importance of making sure your dependencies are good to use (and there are often many...).

You might also want to check out Bytesafe (docs.bytesafe.dev/getting-started/). Our approach is to combine and scan existing packages for vulnerabilities (and notify you if any are found) and also to work as a dependency firewall, to be able to block package versions with known vulnerabilities.

Jeffry Hesse (he/him)

You might take a look at this project: github.com/sonatype-nexus-communit...

There's a plethora of JS scanners out there; we built AuditJS to try to give a developer as much flexibility as possible, and to provide the results directly in their workflow so anyone can access the information.