Wednesday, May 30, 2018

Running security audits using NPM audit

After running NPM install I saw some extra output that I didn’t notice before (no clue how long this feature exists).

This is the extra security related info I got:

added 1106 packages from 1280 contributors and audited 21854 packages in 116.791s

found 13 vulnerabilities (9 low, 4 high)

  run `npm audit fix` to fix them, or `npm audit` for details

clip_image002

Nice feature. This warns me immediatelly if one of my packages has security vulnerabilities.

Let’s try ‘npm audit’:

SEMVER WARNING: Recommended action is a potentially breaking change

  Low             Regular Expression Denial of Service

  Package         debug

  Dependency of   karma [dev]

  Path            karma > socket.io > debug

  More info       https://nodesecurity.io/advisories/534

  Low             Regular Expression Denial of Service

  Package         debug

  Dependency of   karma [dev]

  Path            karma > socket.io > engine.io > debug

  More info       https://nodesecurity.io/advisories/534

  Low             Regular Expression Denial of Service

  Package         debug

  Dependency of   karma [dev]

  Path            karma > socket.io > socket.io-adapter > debug

  More info       https://nodesecurity.io/advisories/534

# Run  npm update ws --depth 4  to resolve 1 vulnerability

  High            Denial of Service

  Package         ws

  Dependency of   protractor [dev]

  Path            protractor > webdriver-js-extender > selenium-webdriver > ws

  More info       https://nodesecurity.io/advisories/550

found 13 vulnerabilities (9 low, 4 high) in 21854 scanned packages

  run `npm audit fix` to fix 1 of them.

  12 vulnerabilities require semver-major dependency updates.

By running ‘npm audit fix’ I can ask npm to update the impacted packages as long as no breaking changes will happen(according to the semantic versioning rules).

More information: https://docs.npmjs.com/getting-started/running-a-security-audit

No comments: