Anyone can publish a package to npm, so the packages you depend on can carry known vulnerabilities with them.
Thankfully, there are modules that can check your project's dependencies for known vulnerabilities.
Two such modules are retire.js and Node Security Platform.
Node Security Platform (NSP)
Continuous Security monitoring for your node apps
NSP is the preferable option at this time. It provides a simple command line interface, so you can automate the check for security vulnerabilities.
You can run the command > nsp check during the build, and it reports the number of vulnerabilities found, if any.
There are a number of options for when to run this, and they all have their tradeoffs.
- The first option is to run the node security check manually, but that’s easy to forget.
- The second option is to run it as part of npm install, but the packages you use may have security issues discovered later, so checking only at install time isn’t sufficient.
- The third option is to run it during the production build or, if you are using GitHub, automatically as part of your pull request, but both of these options are a bit too late because by then you have already used the package.
- The final option is to check it as part of npm install, so that each time you start development the security status of your packages is checked. This does slow startup a bit and requires a network connection to perform the check, but it has the advantage of notifying you quickly when a security issue exists.
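As an added example (not from the original article), the following package.json wires the check into the options above: a named security-check script that the production build runs through a prebuild hook, plus a prestart hook so the same check runs each time development starts. The script names, the build and start commands, and the nsp devDependency version are assumptions.

```json
{
  "name": "my-app",
  "scripts": {
    "security-check": "nsp check",
    "prebuild": "npm run security-check",
    "build": "node build.js",
    "prestart": "npm run security-check",
    "start": "node server.js"
  },
  "devDependencies": {
    "nsp": "^3.2.1"
  }
}
```

npm runs any pre&lt;script&gt; hook before &lt;script&gt;, and because nsp check exits non-zero when it finds a vulnerability, the start or build is aborted until the dependency is fixed. nsp was later deprecated in favour of npm audit, which can be dropped into the same hooks.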
Setting up Node Security Platform
To perform node security scanning, install Node Security Platform globally so that you can run it directly from the command line.
To install it globally, type > npm install -g nsp
Once it is installed, just type > nsp check
It lists the known vulnerabilities for the node modules you have added.
Retire.js
“Using Components with Known Vulnerabilities” is now part of the OWASP Top 10, and insecure libraries can pose a huge risk to your web app. The goal of Retire.js is to help you detect the use of library versions with known vulnerabilities.
Retire.js has these parts:
- A command line scanner
- A grunt plugin
- A Chrome extension
- A Firefox extension
- Burp and OWASP ZAP plugins
For more details, visit Retire JS.