From what I can glean from the docs,
The audit command submits a description of the dependencies configured in your project to your default registry and asks for a report of known vulnerabilities.
So there is an NPM registry out there, I assume the same one from which I am going to get packages with npm install, and along with the packages it contains security audit warnings. If so, how does one register these warnings?
The default repository for NPM installs is https://www.npmjs.com. They have a security policy, along with a specific guide to reporting that states:
If you find a security vulnerability in an npm package (either yours
or someone else’s), you can report it to the npm Security team to help
keep the Javascript ecosystem safe.
...
On the package page, click Report a vulnerability.
Related
up to date, audited 1446 packages in 7s
194 packages are looking for funding
run npm fund for details
6 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Run npm audit for details.
Ideally, we should address these vulnerabilities, especially in stages like production, sensible workplaces, etc. However, often, you will have to address these vulnerabilities manually.
npm audit fix will try to "fix" what it can by performing some updates.
npm audit fix --force will try to go further in considering upgrading even between major semantic versions (2 to 3, for instance, instead of 2 to 2.1 if necessary)
It may not be enough. To be on the safer side, you look through every single module declared vulnerable to ponder eventual risks and how any issues can affect your project(s)
Keep in mind:
"npm" can find vulnerabilities absolutely at any time.
Therefore, if the developer has not sent a new version correcting the identified problem, you will have to:
Decide whether to use a new library.
Decide to downgrade or upgrade their libraries with the most negligible effect on your code.
Decide to fix the vulnerability yourself
Decide to wait for the author to fix the issue
Decide to implement your solution.
Decide to live with these vulnerabilities and likely address them before production.
npm audit monitors modules over time, so some vulnerabilities can still happen on perfectly thought-safe modules. Therefore, there is no 100% permanent fixing.
A way to have the list of problematic modules:
$> npm audit fix --dry-run --json
https://docs.npmjs.com/cli/v8/commands/npm-audit
I have been following codelab instructions to implement Real-time communication with WebRTC and while trying to run npm-install I am getting the following warnings.
npm WARN webrtc-codelab#0.0.1 No repository field.
npm WARN webrtc-codelab#0.0.1 No license field.
audited 52 packages in 0.81s
found 16 vulnerabilities (11 low, 1 moderate, 3 high, 1 critical)
run npm audit fix to fix them, or npm audit for details
Can someone help me with fixing this?
The first ones are because of the licence and repository fields of the package.json being empty, you can fill them using docs for licence and repository.
The latter ones are due to outdated dependencies used by the code sample, it is ok to ignore this warning for an educational project because the vulnerabilities often are not important if you are not planning to use the project on a production server. But if it is bothering you you can use npm audit fix as suggested by npm, it'll try to update dependencies if there are no breaking changes in the upgrade it might not succeed in doing so for some or all of those packages in which case you'll need to manually install the newer version of those packages but beware cause doing so COULD break the code sample to the point that it'll no longer work.
I am working on a react project and I am using various npm packages. Now there were 1002 vulnerable packages when I started fixing/updating my old packages. And at last this only 20 vulnerable packages were remained which were also very low priority.
But now again after 3 months the vulnerability has increase to 925 vulnerable packages. So my question is, when I am using packages.lock.json for installing a specific package version only. Then how the vulnerabilities increased. I mean is there any mechanism which npm follow before telling "this package is vulnerable." I want to know how npm check if this package is vulnerable or not. Even when it was fine before and I am using same package version with same node version as well.
npm as a package manager runs audit of the installed/installing dependencies to check for the vulnerabilities posted/reported on that particular NPM package you installed/installing. It list them out to notify/warn you about the problem you might encounter, using such packages.
It will be an API call from npm to the registry. Read further: docs.npmjs.com/cli/audit#description
One can manually audit its dependencies as well. using the following command:
npm audit
Make sure you are running this command in the same directory where your package-lock.json exists.
If you are using yarn as a package manager, you can run:
yarn audit
Here is a great explanation on npm vulnerability.
https://snyk.io/blog/understanding-filesystem-takeover-vulnerabilities-in-npm-javascript-package-manager/
NPM vulnerability check mainly depends on the version and last publish date of each packages.
I work in a banking domain company so here many link and websites are blocked. Currently I am working on a project where I am using react and Node.js as tech stack.
So whenever I want to install any new dependency or just npm install I get access problem.
Is there any other solution to download the dependencies from package.json file apart from npm install
It'll be really tough not having yarn or npm do dependency management for you but there are options.
I highly recommend you set up a private npm registry just for your company. There are many paid and free services that can do this as well as open source self-hosted solutions. Once set up, all you have to do is edit your npm or yarn configurations and you're good to go.
Here is a link with plenty of options to get this going. A few that come to mind of the top of my head are Artifactory and npm itself.
If none of these work for you, you can always just manually download npm packages from their Github repositories but this will be very tedious and time consuming (maybe you can write your custom package manager?) but I definitely don't recommend this route.
For example, when you do npm init and install express, you end up with a node_modules folder with 20 other folders in it.
I never ran into this issue... but isn't it something that may be a concern?
First, it's important to do our homework before installing a package.
Read the package's page on npmjs.com and look at who published the package, the number of versions and the number of weekly downloads. If these numbers are very low, I would pass or definitely inspect the source code.
Another thing to do is to pay attention when you type the package name, when you install. Typo squatting is possible and there are published packages which have names close to popular packages.
In terms of how secure is NPM (the registry), they do periodic penetration testing and outgoing code reviews. Also, they report vulnerabilities to package authors and handle vulnerabilities reports from other users. But, it's a continuous fight against spammers, malware, etc.
Commands you can run:
npm outdated (for locals) and npm outdated -g --depth=0 (for globals)
This will check which packages are outdated and it will list "Current Wanted Latest" versions for each outdated package.
npm audit
This will produce a report of security vulnerabilities with the affected package name, vulnerability severity and description, etc.
Also, npm audit automatically runs when you install a package with npm install.
npm audit fix
This automatically install compatible updates to vulnerable dependencies.
More:
(https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities)
(https://www.youtube.com/watch?v=H48KuESn2sk)
When writing Node.js applications, ending up with hundreds or even thousands of dependencies can easily happen.
For example, if you depend on Express, you depend on 27 other modules directly, and of course on those dependencies' as well, so manually checking all of them is not an option!
The only option is to automate the update / security audit of your dependencies. For that there are free and paid options:
npm outdated
Trace by RisingStack
NSP
GreenKeeper
Snyk
Yea, it is def something to keep in mind. That being said, most of the time, you will be dealing with pretty popular libraries/packages that are safe to assume they are secure. However, if you DO need to download one that isn't super popular, just take a look at the source code.
Edit: A concern for security becomes more off an issue when you install packages globally. NEVER install a package globally that you have any doubts about.
Of course, there may be malicious code in it. It's just like installing a software, you do not install random modules. Just make sure the packages you install are trustworthy.