How to Fix Security Vulnerabilities with NPM (2024)

by Aloka Munasinghe | Estimated reading time: 2 minutes | in Business Technology, Product and Innovation, Transform Your Business | tagged Cyber Security, NPM, Risk, risk management, security, Software, Solution, Technology, Vulnerability

Recently I was working on an Angular upgrade and came across this message after running the npm installations.

[Screenshot: npm install output with the vulnerability summary]

You may have come across this message if you have worked in any JavaScript framework or environment such as Node.js, React or Vue. After a little digging I found that it is a feature introduced with npm v6. npm scans our dependency tree for known security vulnerabilities: it checks the currently installed package versions (from package.json and package-lock.json) against the vulnerabilities reported to the public npm registry and prints a summary report like the one above.

How to fix the issues

Obviously, it is not a good idea to ship code with known security vulnerabilities. Hence, below are a few suggestions for fixing the issues.

  • Get a detailed report of the security vulnerabilities with npm audit

[Screenshot: npm audit report]

It shows which package has the issue, its severity, and the path of the package in the dependency tree. For some vulnerabilities it also prints a command that resolves the issue.

  • As we are mainly concerned about security vulnerabilities in production dependencies, use the npm audit --production command to check only the prod dependencies. If there are no vulnerabilities, you are good to go.

[Screenshot: npm audit --production output]

  • Otherwise, to resolve the vulnerabilities automatically, run the npm audit fix command. Under the hood it executes an npm install and upgrades the packages with issues to patched versions.

[Screenshot: npm audit fix output]

In my case there are still some vulnerabilities that have to be fixed manually. As suggested in the output, npm audit fix --force will upgrade the dependencies with issues to a new major version, which may cause breaking changes in the code. Therefore, it is not advisable to apply this command without taking a closer look.

  • Try running the npm update command. It updates all packages to the latest minor and patch versions allowed by their ranges and may fix potential security issues.
  • If you have a vulnerability that requires manual review, you will have to raise a request with the maintainers of the dependency to get an update. For the vulnerability below, changes are expected in the svg-baker package so that it refers to a postcss version higher than 7.0.36. In the worst case, if the package is no longer maintained, you will have to do the update yourself.

[Screenshot: vulnerability requiring manual review (svg-baker / postcss)]


As a seasoned professional deeply entrenched in the realms of software development, particularly in JavaScript frameworks such as Angular, Node.js, React, and Vue, I find myself well-versed in the intricate landscape of npm, the package manager that underpins these ecosystems. Having recently navigated an Angular upgrade project, I encountered a pertinent message during npm installations—a message that speaks to a critical aspect of modern software development: security vulnerabilities in our dependency tree.

The message in question is a byproduct of npm's vigilant security scanning, a feature introduced with npm v6. This functionality serves as a proactive measure to identify potential security risks within the dependencies outlined in the project's package.json and package-lock.json files. The scan involves comparing the current installed package versions against known security risks reported in the public npm registry, culminating in a comprehensive summary report.

To address these security concerns, the article provides a systematic approach. Firstly, it emphasizes the importance of obtaining a detailed report of security vulnerabilities using the npm audit command. This command not only highlights the specific packages affected but also outlines the severity of the issues and their position in the dependency tree. For production dependencies, the article recommends employing npm audit --production to focus solely on production-related vulnerabilities.

To automate the resolution process, the article suggests utilizing the npm audit fix command. This command, operating under the hood, executes an npm install to upgrade the affected packages' patch versions. However, it acknowledges that some vulnerabilities may persist and may require manual intervention. In such cases, the npm audit fix --force command is introduced cautiously, with a warning about potential breaking changes.

For a broader update, the article suggests running npm update, which aligns all package minor versions with the latest releases, potentially remedying security concerns. Furthermore, when facing vulnerabilities that demand manual review, the article recommends initiating communication with the maintainers of the dependent package to facilitate an update. In cases where a package is no longer maintained, the responsibility falls on the developer to perform the necessary updates.

This comprehensive guide not only reflects a deep understanding of npm and its security features but also showcases a pragmatic approach to handling security vulnerabilities in real-world software development scenarios. For those navigating the intricate landscape of modern JavaScript frameworks, this article serves as a valuable resource for fortifying software against potential cyber threats and ensuring the resilience of the overall system.
