Track issues from problematic npm packages

Daniel Parmenvik

Posted on August 24, 2021

Whether you work as a developer at a small startup or at a global enterprise, you face the same challenge: you depend on open source npm packages outside your control, and you need a way to keep track of the problems that arise in them.

Unfortunately, the state of open source software changes constantly 😫. New advisories are published against existing versions all the time, so a component that is clean today may be flagged tomorrow without any change on your side. It is a steady stream of problems that pop up and require your attention.

This post describes how you can use the workflow in Bytesafe to keep track of problems detected in your private npm registries, and of which ones have been remediated.

Let's move on!

Access to the REAL truth by tracking issues across all registries

Applications with hundreds of dependencies, most of them transitive, are the norm. Keeping track of every problem that arises is a challenge for any company, especially without a structured process in place. Scanning registries once in a while, or manually checking for new vulnerabilities or license compliance issues now and then, is not a sustainable way to stay secure: anything disclosed between two scans goes unnoticed until the next one.

So what you probably want is an automated workflow that gives you a good overview of all open problems, right?

Why is this good?

Normally you only see known issues when you install packages with an npm client (npm, yarn, pnpm). Problems published after that point are not detected unless you use another tool that keeps tracking them and notifies you when new ones appear. Using Bytesafe, you get access to the real truth: the current state of your registries. If you are not monitoring your packages and their issues, you are blindfolded to problems such as newly published vulnerabilities that affect your security.
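The gap described above (issues are only visible at install time, so anything published afterwards is missed) is closed by scanning on a schedule and reconciling each scan with the previous one. The following Python is an added example and not Bytesafe's code: it reads resolved versions from a package-lock.json, matches them against a small advisory feed, and keeps an issue store with detected/remediated timestamps so that both new problems and completed remediations are visible. The lockfile contents, package names (pkg-a, pkg-b, pkg-c), advisory IDs (ADV-1, ADV-2) and dates are all constructed for the example, and the range parser covers only the comparator syntax shown, not full semver.

```python
"""Added example, not Bytesafe code: scan a lockfile against an advisory feed on a
schedule and reconcile each scan with a persistent issue store, so advisories
published after installation surface as new issues and upgrades close old ones.
All package names, advisory IDs, lockfile contents and dates are constructed."""
import json
from typing import Dict, List, Set, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.2.5' -> (1, 2, 5); pre-release/build suffixes are dropped for this demo."""
    return tuple(int(x) for x in v.split("-")[0].split("+")[0].split("."))


def version_in_range(version: str, range_expr: str) -> bool:
    """Match npm-style advisory ranges such as '<1.2.6' or '>=2.0.0 <2.3.1 || <1.9.0':
    comparators inside a branch are ANDed, '||' branches are ORed."""
    ver = parse_version(version)
    for branch in range_expr.split("||"):
        comps = branch.split()
        if not comps:
            continue
        for comp in comps:
            for op in ("<=", ">=", "<", ">", "="):  # two-character operators first
                if comp.startswith(op):
                    bound = parse_version(comp[len(op):])
                    break
            else:
                op, bound = "=", parse_version(comp)  # a bare version means equality
            holds = {"<": ver < bound, "<=": ver <= bound, ">": ver > bound,
                     ">=": ver >= bound, "=": ver == bound}[op]
            if not holds:
                break
        else:
            return True  # every comparator in this branch held
    return False


def installed_versions(lock_json: str) -> Set[Tuple[str, str]]:
    """(name, version) pairs from a lockfileVersion 2/3 package-lock.json, including
    nested copies under node_modules/<parent>/node_modules/<name>."""
    lock = json.loads(lock_json)
    found = set()
    for path, entry in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        found.add((path.rsplit("node_modules/", 1)[-1], entry["version"]))
    return found


def detect_issues(lock_json: str, advisories: List[dict]) -> Dict[str, dict]:
    """One issue per (advisory, installed vulnerable version), keyed for reconciliation."""
    issues = {}
    for name, version in installed_versions(lock_json):
        for adv in advisories:
            if adv["package"] == name and version_in_range(version, adv["vulnerable_versions"]):
                issues[f"{adv['id']}:{name}@{version}"] = {
                    "advisory": adv["id"], "package": name, "version": version,
                    "severity": adv["severity"], "status": "open"}
    return issues


def reconcile(previous_open: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, List[str]]:
    """Diff two scans: issues that appeared, were remediated, or are still open."""
    return {"new": sorted(current.keys() - previous_open.keys()),
            "remediated": sorted(previous_open.keys() - current.keys()),
            "still_open": sorted(current.keys() & previous_open.keys())}


def update_store(store: Dict[str, dict], current: Dict[str, dict], scan_time: str) -> Dict[str, List[str]]:
    """Apply a fresh scan to the persistent issue store and return what changed.
    Remediated issues are closed, not deleted, so the store doubles as an audit trail.
    A closed issue that reappears (e.g. after a downgrade) is recorded as newly detected."""
    previous_open = {k: v for k, v in store.items() if v["status"] == "open"}
    diff = reconcile(previous_open, current)
    for key in diff["new"]:
        store[key] = {**current[key], "detected_at": scan_time, "remediated_at": None}
    for key in diff["remediated"]:
        store[key].update(status="remediated", remediated_at=scan_time)
    return diff


# Constructed sample data. Day 1: pkg-a 1.2.5 at top level plus an older nested copy.
LOCK_DAY1 = json.dumps({"lockfileVersion": 2, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/pkg-a": {"version": "1.2.5"},
    "node_modules/pkg-b": {"version": "3.0.1"},
    "node_modules/pkg-c/node_modules/pkg-a": {"version": "0.9.0"}}})
FEED_DAY1 = [{"id": "ADV-1", "package": "pkg-a", "vulnerable_versions": "<1.2.6", "severity": "high"}]
# Day 2: top-level pkg-a was bumped to 1.2.6 (the nested copy was missed) and a
# new advisory for pkg-b was published in the meantime.
LOCK_DAY2 = json.dumps({"lockfileVersion": 2, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/pkg-a": {"version": "1.2.6"},
    "node_modules/pkg-b": {"version": "3.0.1"},
    "node_modules/pkg-c/node_modules/pkg-a": {"version": "0.9.0"}}})
FEED_DAY2 = FEED_DAY1 + [{"id": "ADV-2", "package": "pkg-b",
                          "vulnerable_versions": ">=3.0.0 <3.0.2", "severity": "moderate"}]


def demo() -> Tuple[Dict[str, dict], Dict[str, List[str]]]:
    """Two scheduled scans; returns the issue store and the day-2 diff."""
    store: Dict[str, dict] = {}
    update_store(store, detect_issues(LOCK_DAY1, FEED_DAY1), "2021-08-23")
    day2 = update_store(store, detect_issues(LOCK_DAY2, FEED_DAY2), "2021-08-24")
    return store, day2


if __name__ == "__main__":
    store, day2 = demo()
    print(json.dumps(day2, indent=2))
    for key, issue in sorted(store.items()):
        print(key, issue["status"], issue["detected_at"], issue["remediated_at"])
```

Two things worth noting from the day-2 result: ADV-2 shows up as a new issue even though nothing was installed, which is exactly what an install-time check misses, and the nested copy of pkg-a stays open after the top-level upgrade because issues are keyed by installed version, not by package name. In practice the constructed feed would be replaced by the advisory data from your registry or an advisory database, and the store by whatever tracker you use.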

Issues overview

The plugins and policies in Bytesafe continuously monitor the actions made on your registries and scan the packages already in them for potential problems. If anything is detected, issues are created immediately, notifications are sent out, and from there the workflow is straightforward. That saves time which can instead be spent remediating issues!

The overview of issues can be filtered, and you can also search for a specific issue.

Read more about Issue tracking

Issue metrics in the dashboards

The Bytesafe dashboards show metrics for detected issues grouped by severity level. The metrics are linked: clicking one opens the issue overview filtered to that severity.

Issue metrics in Dashboards

Track the remediation of open issues

Keeping your open source libraries up to date is key. Issues in Bytesafe contain the relevant information on why an issue was created, and they notify you when something needs your attention.

Each issue is uniquely identified by a numeric identifier, so it is easy to refer to and share with others. Every issue has a type, title, description, status and severity. If you decide to change the severity level, title or description, you can do so by editing those fields.

Issues can be linked by referring to other issue IDs in comments. Bytesafe also keeps track of similar issues, for example issues caused by the same security advisory in different registries.

Anyone interested in getting notifications for a particular issue can just add themselves as a watcher and stay updated.

Issue details

Track changes in the Activity log

From an audit point of view, development teams are expected to know when packages were added to a registry, when issues were detected, which applications were affected and, finally, when the issues were remediated.

Bytesafe helps by recording every update and change to package versions in the Activity log, where it is easy to follow which actions were taken. Organizations that require traceability, such as regulated businesses, often ask for exactly this information.

Now you can quickly give incident managers, risk officers, auditors and other stakeholders a fast answer, with no more digging through logs.

Issues Activity log

All issues are shown as clickable badges on the package card, as seen in the example below.

Package card with Issues

Exposure to risks such as vulnerabilities and license compliance issues is inevitable when using open source components. That is why we need proper tooling to keep track of issue remediation and to reduce our risk exposure.

Hope you’ve learned how a tool like Bytesafe can help you in this regard.

Cheers! 👍
