Poly4's Blog
Stay Safe with NPM: Top Tips for Managing Dependency Security

Photo by Scott Webb on Unsplash

Stay Safe with NPM: Top Tips for Managing Dependency Security

Alhazan Mubarak Olajuwon's photo
Alhazan Mubarak Olajuwon
·

5 min read

Table of contents

Introduction

97% of the code in a modern web application comes from npm. An individual developer is responsible only for the final 3% that makes their application unique and useful.

This quote from npm highlights a great aspect of modern web development: the extensive reliance on reusable code. Leveraging npm packages allows developers to focus on the core functionality of their applications, significantly speeding up development and enabling the creation of more sophisticated applications.

However, this heavy dependence on third-party code also introduces a downside. While developers can confidently ensure that their code is secure, they have little control over the remaining 97% of their codebase, which consists of various third-party dependencies. This means that potential vulnerabilities in these dependencies can compromise the overall security of an application.

Fortunately, the situation is not as bad as it might seem. npm and other tools continuously work to identify vulnerabilities in the vast library of packages available in the npm registry. They notify developers about the vulnerabilities and provide ways to fix them.

In this article, we will walk through the various strategies and tools we can use to identify and manage vulnerabilities in our applications that arise from npm dependencies.

npm audit

One of the most powerful tools for managing security in npm dependencies is the npm audit command. This command scans our project for vulnerabilities in the libraries we use and provides a detailed report.

When we run npm audit, it generates a list of all vulnerabilities. Here is an example of what the output will look like:

  1. Package: The name of the package containing the vulnerability. moment in this case

  2. Severity: The severity level, which can be critical, high, moderate, or low. We should prioritize addressing critical and high vulnerabilities as soon as possible.

  3. Description: a brief description of the vulnerability

  4. More info: A link to the detailed security report

  5. Fix: Instructions on how to fix the vulnerability, typically with npm audit or by updating the affected dependency.

In some cases, npm audit might return a large number of vulnerabilities, which can be overwhelming. To manage this, we can use the --audit-level tag to filter the results. For instance, npm audit --audit-level=moderate will only display vulnerabilities with a severity level of moderate or higher.

Once we have identified the vulnerabilities, we can address them by following the suggested fixes in the audit report. We can also use npm audit fix to automatically apply all the necessary updates to fix the vulnerabilities at once.

However, it is important to note that updating dependencies to newer versions may introduce breaking changes in our application. Therefore, we should carefully review and test the changes to ensure they do not negatively impact the project's functionality.

By regularly running npm audit and promptly addressing the reported vulnerabilities, we can significantly enhance the security of our applications and protect them from potential threats.

Snyk

Snyk is an open-source SaaS product designed to help developers keep their applications safe from vulnerabilities. It offers a comprehensive suite of tools to identify and fix security issues in your projects.

To use Snyk in our project, we start by installing the Snyk CLI globally using the following command:

npm install -g snyk

After installation, we authenticate our account by running:

snyk auth

This command will open a browser window where you can log in to your Snyk account.

To get vulnerabilities in our projects, we run snyk test in the root folder of our npm project. This will list a comprehensive report of all vulnerabilities in the project. The report will be grouped into two sections:

  1. Vulnerabilities that can be fixed by upgrading the dependency.

  2. Vulnerabilities that can't be fixed by upgrading a direct dependency.

We can then follow the upgrade suggested to fix the vulnerability. we can also open the link in each issue to read more about the vulnerability.

Just like npm audit, updating dependencies to newer versions may introduce breaking changes in our application. Therefore, we should carefully analyze the version upgrades being made. Snyk will also warn us in the CLI if there are any potential breaking changes.

Continuous Vulnerability Management

We have learned two different approaches to managing vulnerabilities in our npm dependencies: npm audit and Snyk. But the question arises: how frequently should these checks be done, and when? Different teams have different approaches to this.

Some teams might set up a recurring schedule to check for vulnerabilities, such as every week or every month. This ensures that security checks are performed regularly and new vulnerabilities are addressed promptly.

Another approach is to integrate npm audit or snyk test into our CI(Continous Integration) pipeline. This way, vulnerabilities are checked whenever the application is built. To avoid delaying deployments for every vulnerability, it might be helpful to configure these checks to only look for high-severity vulnerabilities.

Additionally, we can set up monitoring with Snyk and get notified in our workspace when there is a new vulnerability. This ensures that we are immediately aware of any security issues as they arise. This guide explains how to set it up for Slack.

Ultimately, the approach that will be taken will be best determined by the project's needs and the team's structure.

Conclusion

In this article, we have explored two effective methods for managing security vulnerabilities in npm dependencies: npm audit and Snyk. With these tools, we can proactively identify and address potential security issues.

Regular vulnerability checks, whether through scheduled scans, CI pipeline integration, or real-time monitoring, are crucial for maintaining the security of our applications. Each approach offers unique benefits and can be tailored to fit the team's needs.

Thank you for reading

I appreciate the time we spent together. I hope this content will be more than just text. Connect with me on Linkedin to stay updated and subscribe to my YouTube channel for video tutorials. I look forward to your thoughts in the comments.

npmSoftware EngineeringSecurity