This is not a new problem, but it’s one that’s been exacerbated in recent months by the increased prevalence of supply chain attacks. Criminals seek out vulnerable software projects in the knowledge that the code is almost always installed without a developer ever looking at it. However, there are tools that help developers and server administrators identify security risks in software dependencies.
That’s useful when adding new dependencies, but what about projects with an established set of dependencies? The new npm audit command recursively reviews a project’s dependency tree, highlighting potential vulnerabilities and offering suggestions for secure package versions that can replace the affected code.
In NPM 6.1, this functionality was further extended with the addition of npm audit fix, which acts on the information in the audit report, automatically installing secure versions of vulnerable packages while skipping any update that would introduce breaking changes.
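To make that decision concrete, here is an added example (not code from the article or from npm itself) that walks a constructed npm 6 style audit report and classifies each advisory the way npm audit fix treats it: a patched version is applied only when it stays within the installed major version, otherwise the package is flagged as needing a breaking update or as having no fix. The report layout, package names and versions are assumptions made up for illustration.

```javascript
// Added example, not from the article or npm: classify npm 6 audit
// advisories the way `npm audit fix` decides what it may install, i.e.
// a patched version is only taken when it stays within the installed major.
// The report is a constructed sample in the `npm audit --json` layout of
// npm 6 (advisories keyed by id); package names and versions are made up.
const sampleReport = {
  advisories: {
    "1001": { module_name: "example-left-pad", severity: "high",
      patched_versions: ">=1.3.1",
      findings: [{ version: "1.3.0", paths: ["example-left-pad"] }] },
    "1002": { module_name: "example-parser", severity: "moderate",
      patched_versions: ">=3.0.0",
      findings: [{ version: "2.4.2", paths: ["example-cli>example-parser"] }] },
    "1003": { module_name: "example-legacy", severity: "critical",
      patched_versions: "<0.0.0", // advisory sentinel: no fixed release exists
      findings: [{ version: "0.9.1", paths: ["example-legacy"] }] },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release tags are ignored).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Lower bound of a ">=x.y.z" range; null when no patched release exists.
function patchedFloor(range) {
  const m = /^>=\s*(\d+\.\d+\.\d+)/.exec(range);
  return m ? parseSemver(m[1]) : null;
}

// Per advisory: "fix" (same major, what `npm audit fix` installs),
// "breaking" (needs `npm audit fix --force` or manual review) or "no-fix".
function classifyAdvisories(report) {
  const result = {};
  for (const [id, adv] of Object.entries(report.advisories)) {
    const floor = patchedFloor(adv.patched_versions);
    const installed = parseSemver(adv.findings[0].version);
    const action = !floor ? "no-fix"
      : floor.major === installed.major ? "fix" : "breaking";
    result[adv.module_name] = { id, severity: adv.severity, action };
  }
  return result;
}

console.log(classifyAdvisories(sampleReport));
```

The "breaking" and "no-fix" buckets are the ones that still need a human: npm audit fix leaves them untouched, so they are exactly the advisories that should be reviewed before the next release.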
GitHub Security Alerts
If you use GitHub to version control your projects, you can take advantage of the platform’s built-in security alerts. GitHub tracks vulnerabilities published on the Common Vulnerabilities and Exposures (CVE) List. When security alerts are activated, GitHub identifies repositories whose dependencies have a vulnerability record and sends alerts to the repository owner.
It should be stressed that neither of these methods is foolproof. If a vulnerability isn’t included in a database — which is, by definition, the case for zero-day vulnerabilities — NPM and GitHub can’t tell you about it. Vulnerability notification systems aren’t a replacement for diligence when choosing dependencies for your project. But given the complexity of modern dependency trees and the need to trust external software, the tools we’ve discussed can catch vulnerabilities that would otherwise put users and data at risk.