GitHub recently introduced a useful new feature that displays a dependency graph of software projects. One of the most impressive aspects of this feature is its ability to flag dependencies with known vulnerabilities and notify the project administrator.
Security alerts are great for the developers of open source projects hosted on GitHub, but not especially useful for developers who might integrate vulnerable projects into their work, or for end-users whose eCommerce stores and websites depend on vulnerable software.
Once a library is included in a project, there can be a resistance to updating it, especially when the update might break existing functionality. Vulnerabilities remain because developers prioritize stability over security, or simply don’t think about it at all. Then there is the problem of site and app users who neglect to update even when developers have patched their software.
The GitHub vulnerability notifications are a helpful step toward surfacing known-vulnerable dependencies, and so is a recent addition to Google’s Chrome Developer Tools. The Dev Tools include an Audits tab that leverages a Google-built automated auditing tool called Lighthouse. It’s used to scan sites for performance problems, accessibility issues, and so on, and the new addition extends it to flag included libraries with known vulnerabilities.
Lighthouse is also available as a command line tool and a Node module. At the time of writing, the vulnerability scanner is only available in the development version of Chrome, but it will be more widely available soon.