Category Archives: Node

Package Security

Packages can be published in npm by anyone, so that can bring vulnerabilities in packages with it.

Thankfully, there are modules which can help you to check your project dependencies for known vulnerabilities.

These modules are retire.js and Node Security Platform.

Node Security Platform (NSP)

Continuous Security monitoring for your node apps

NSP is more preferable at this time. It provides a simple command line interface so that you can automate check for security vulnerabilities automatically.

You can run command > nsp check during the build and then it reports the number of vulnerabilities found, if any.

There are number of options when to run this and they all have their tradeoffs.

  • The first option is to manually run node security check but that’s easy to forget
  • The second option is run it as part of npm install but the packages you used may have security issues later. So merely check install isn’t sufficient.
  • The third option is to run it during production build or if you are using github, automatically as part of your pull request but both of these options are bit too late because by then you have already used the package.
  • The final option is to check it as part of npm install. This way each time you start development, the security status of you packages are checked. This does have downside of slow start a bit and requiring a network connection to perform the check but it has the advantage of notifying you quickly when a security issue exist.

Setting up Node Security Platform

To perform node security scanning, you can install node security project globally, so that you can run it directly on the command line.

To install globally, Type > npm install -g nsp

Once it is installed, just type > nsp check

It will show the known vulnerabilities for the node modules that you have added.


“Using Components with Known Vulnerabilities” is now a part of the OWASP Top 10 and insecure libraries can pose a huge risk for your webapp. The goal of Retire.js is to help you detect use of version with known vulnerabilities.

Retire.js has these parts:

  • A command line scanner
  • A grunt plugin
  • A Chrome extension
  • A Firefox extension
  • Burp and OWASP Zap plugin

For more details. Visit here Retire JS

Package Management

Every language benefits from a standardized method for sharing code.
JavaScript provides multiple options.

Bower used to be a very popular option but more people have started moving to npm.
Bower became popular by supporting the entire web platform and packaging libraries in a format that didn’t require build step. Today, nearly everyone has a build step because they are transpiling, minifying, linting and so on.
So bower has become mostly irrelevant.

It stands for Node Package Manager. Node has grown wildly in popularity and bundlers continue to become powerful. Hence, it has become a de-facto standard for JavaScript package managers. Today, npm is clearly the most popular package manager for JavaScript.

It offers almost everything that you need.

It stands for JavaScript package manager. It is frictionless browser package management

  • It allows you to install packages from its own list of repositories as well as from other locations including npm, github and bower. It also bundles your code.
  • For development, load modules as separate files with ES6 and plugins compiled in the browser.
  • For production (or development too), optimize into a bundle, layered bundles or a self-executing bundle with a single command.

There are some other less popular options like

Jam is a package manager for JavaScript.

It has features like:

  • Manage dependencies
  • Fast and modular
  • Use with existing stack
  • Custom builds
  • Focus on size

volo is a tool which lets you quickly create projects, add libraries, and automate common tasks using node and JavaScript.

It creates browser-based, front-end projects from project templates, and add dependencies by fetching them from GitHub. Once your project is set up, automate common tasks.

Getting started with Node Package Manager

Creating package.json

To create a package.json run:
npm init

This will initiate a command line questionnaire that will conclude with the creation of a package.json in the directory you initiated the command.

Package.json file contents:

  • name: name of the project
  • version: initial version. Default 1.0.0
  • description: description of project
  • scripts: by default creates a empty test script. It helps to automate processes.
  • keywords: empty
  • author: whatever you provided the CLI
  • license: ISC
  • dependencies – Production dependencies
  • devDependencies – Development Dependencies
  • repository: will pull in info from the current directory, if present
  • bugs: will pull in info from the current directory, if present
  • homepage: will pull in info from the current directory, if present

Sample package.json

“name”: “Sample javascript project”,
“version”: “1.0.0”,
“description”: “Sample project in JavaScript”,
“scripts”: {
“start”: “npm start”,
“author”: “xyz”,
“license”: “MIT”,
“dependencies”: {
“favicon”: “0.0.2”,
“http”: “0.0.0”,
“jade”: “*”,
“mongojs”: “^2.4.0”,
“path”: “^0.12.7”,
“router”: “^1.1.4”
“devDependencies”: {
“babel-cli”: “6.16.0”,
“babel-core”: “6.17.0”,
“babel-loader”: “6.2.5”,
“babel-preset-latest”: “6.16.0”,
“babel-register”: “6.16.3”,
“chai”: “3.5.0”,
“eslint”: “3.8.1”,
“express”: “4.14.0”,
“jsdom”: “9.8.0”,
“localtunnel”: “1.8.1”,
“mocha”: “3.1.2”,
“nock”: “8.1.0”,
“npm-run-all”: “3.1.1”,
“nsp”: “2.6.2”,
“numeral”: “1.5.3”,
“style-loader”: “0.13.1”,
“surge”: “0.18.0”,
“webpack”: “1.13.2”,
“webpack-md5-hash”: “0.0.5”

To install the above packages:
Go to the path where package.json is present.

Type >npm install (Require internet connection).

Once this is done, you can see a node_modules folder under the same path containing all the above package along with the dependent modules.