After running npm install I saw some extra output that I didn’t notice before (no clue how long this feature has existed).
This is the extra security related info I got:
added 1106 packages from 1280 contributors and audited 21854 packages in 116.791s
found 13 vulnerabilities (9 low, 4 high)
run `npm audit fix` to fix them, or `npm audit` for details
Nice feature. This warns me immediately when one of my dependencies, including transitive ones, has a known security vulnerability.
Let’s try ‘npm audit’:
SEMVER WARNING: Recommended action is a potentially breaking change
Low Regular Expression Denial of Service
Package debug
Dependency of karma [dev]
Path karma > socket.io > debug
More info https://nodesecurity.io/advisories/534
Low Regular Expression Denial of Service
Package debug
Dependency of karma [dev]
Path karma > socket.io > engine.io > debug
More info https://nodesecurity.io/advisories/534
Low Regular Expression Denial of Service
Package debug
Dependency of karma [dev]
Path karma > socket.io > socket.io-adapter > debug
More info https://nodesecurity.io/advisories/534
# Run npm update ws --depth 4 to resolve 1 vulnerability
High Denial of Service
Package ws
Dependency of protractor [dev]
Path protractor > webdriver-js-extender > selenium-webdriver > ws
More info https://nodesecurity.io/advisories/550
found 13 vulnerabilities (9 low, 4 high) in 21854 scanned packages
run `npm audit fix` to fix 1 of them.
12 vulnerabilities require semver-major dependency updates.
By running ‘npm audit fix’ I ask npm to update the affected packages, but only where the fix stays inside the version ranges my dependencies already declare (a non-breaking update according to the semantic versioning rules). Here that resolves just 1 of the 13 findings; the other 12 need a semver-major update of a top-level dependency (karma and protractor in the entries above). ‘npm audit fix --force’ would apply those major bumps anyway, but it can break the build, so they are better handled as a deliberate upgrade. Note also that every entry shown above is reached through a dev dependency ([dev]), so it affects the test tooling rather than the code that ships.
More information: https://docs.npmjs.com/getting-started/running-a-security-audit