dsomel21

Reputation: 626

How can you make sure your npm dependencies are safe?

For example, when you do npm init and install express, you end up with a node_modules folder with 20 other folders in it.

I never ran into this issue... but isn't it something that may be a concern?

Upvotes: 3

Views: 3711

Answers (4)

Alex Baban

Reputation: 11702

First, it's important to do our homework before installing a package.

Read the package's page on npmjs.com and look at who published the package, the number of versions and the number of weekly downloads. If these numbers are very low, I would pass or definitely inspect the source code.

Another thing to do is to pay attention when you type the package name, when you install. Typo squatting is possible and there are published packages which have names close to popular packages.

In terms of how secure npm (the registry) is, they do periodic penetration testing and ongoing code reviews. Also, they report vulnerabilities to package authors and handle vulnerability reports from other users. But it's a continuous fight against spammers, malware, etc.


Commands you can run:

  • npm outdated (for locals) and npm outdated -g --depth=0 (for globals)
    This will check which packages are outdated and it will list "Current Wanted Latest" versions for each outdated package.

  • npm audit
    This will produce a report of security vulnerabilities with the affected package name, vulnerability severity and description, etc.

Also, npm audit automatically runs when you install a package with npm install.

  • npm audit fix
    This automatically installs compatible updates to vulnerable dependencies.

More:

https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities
https://www.youtube.com/watch?v=H48KuESn2sk

Upvotes: 2
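The typosquatting point in the answer above, as an added example that is not code from the answer or from npm: a small check that refuses an install when the requested name is within a couple of edits of a well-known package. The list of popular names is constructed for the demo, and the distance threshold of 2 is an assumption; both are what you would tune for your own project.

```javascript
// Added example, not code from the answer above: flag requested package names
// that sit within a small edit distance of a well-known package, the pattern
// behind typosquatting. Distance is optimal string alignment (Levenshtein plus
// adjacent transpositions), so "lodahs" is one edit from "lodash".

// Constructed list of popular names used for the demo; in practice build it
// from the dependencies you already know and trust.
const POPULAR_PACKAGES = ["express", "lodash", "react", "request", "moment", "chalk"];

function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(
        d[i - 1][j] + 1,        // deletion
        d[i][j - 1] + 1,        // insertion
        d[i - 1][j - 1] + cost  // substitution or match
      );
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Popular names the requested name is suspiciously close to, nearest first.
// An exact match is the real package, not a lookalike, so it is excluded.
function typosquatCandidates(name, popular = POPULAR_PACKAGES, maxDistance = 2) {
  const wanted = name.trim().toLowerCase();
  return popular
    .filter((p) => p !== wanted)
    .map((p) => ({ name: p, distance: osaDistance(wanted, p) }))
    .filter((c) => c.distance <= maxDistance)
    .sort((x, y) => x.distance - y.distance || x.name.localeCompare(y.name))
    .map((c) => c.name);
}

// Gate for a list of names you are about to `npm install`.
function checkInstallNames(names, popular = POPULAR_PACKAGES) {
  const suspicious = [];
  const ok = [];
  for (const n of names) {
    const near = typosquatCandidates(n, popular);
    if (near.length > 0) suspicious.push({ name: n, lookalikeOf: near[0] });
    else ok.push(n);
  }
  return { ok, suspicious };
}

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node typosquat-check.js expres lodahs left-pad
  const result = checkInstallNames(process.argv.slice(2));
  for (const s of result.suspicious) {
    console.error(`refusing "${s.name}": did you mean "${s.lookalikeOf}"?`);
  }
  process.exitCode = result.suspicious.length > 0 ? 1 : 0;
}
```

This is a heuristic, not a verdict: a genuinely new package can sit two edits from a popular one, so a hit means "go and read the npmjs.com page and the source", exactly the homework the answer recommends, not "this is malware". Short popular names also produce more false positives at the same threshold, so keep the threshold small.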

Adrian Avila

Reputation: 21

When writing Node.js applications, ending up with hundreds or even thousands of dependencies can easily happen. For example, if you depend on Express, you depend on 27 other modules directly, and of course on those dependencies' dependencies as well, so manually checking all of them is not an option!

The only option is to automate the update / security audit of your dependencies. For that there are free and paid options:

  • npm outdated
  • Trace by RisingStack
  • NSP
  • GreenKeeper
  • Snyk

Upvotes: 1

Pytth

Reputation: 4176

Yeah, it is definitely something to keep in mind. That being said, most of the time you will be dealing with pretty popular libraries/packages that it is safe to assume are secure. However, if you DO need to download one that isn't super popular, just take a look at the source code.

Edit: A concern for security becomes more of an issue when you install packages globally. NEVER install a package globally that you have any doubts about.

Upvotes: 0

xuhdev

Reputation: 9333

Of course, there may be malicious code in it. It's just like installing software: you do not install random modules. Just make sure the packages you install are trustworthy.

Upvotes: 0
