Node Package Manager (NPM) Audit and what that means!

salothom

Sarah Thompson

Posted on August 28, 2020


If you work in web development, you likely use NPM (Node Package Manager) all the time. It is a free public software registry - the largest in the world - that you can reach by typing `npm install` in your command prompt, as long as you already have node.js installed.

All of a project's npm packages and dependencies are declared in a file named package.json. With these declared, npm can automatically install every dependency that code base needs - saving the developer a lot of time.

What does it mean to Audit NPM?

Since npm manages all the dependencies of a project, this security audit does an assessment of those package dependencies for any possible security vulnerabilities. Scans and audits like this can help you to find and resolve known vulnerabilities in your code base's dependencies. This can prevent user data loss, outages, and the exposure of sensitive information/user information.

The scan submits a list of all the dependencies and their versions in your project to your project's default registry, which reports back the security changes and upgrades that need to be made, along with instructions on how to make them. A nice feature of this security audit is that you can run the command `npm audit fix`, and it will update your dependencies automatically to resolve some of the security risks (some updates and code changes will still have to be completed manually).

How do you run the NPM Audit?

First make sure you have a recent enough version of both node.js and npm on your machine. Next, cd from the terminal into the folder of your project that contains package.json and run `npm audit` to get the base report of your project's vulnerabilities without fixing anything. You can also run `npm audit --json` to get those results in JSON format, or `npm audit --json | npm-audit-html` to pipe them into an HTML report.

Where to go from there?

Having the audit fix the known vulnerabilities - or at least the ones it can resolve automatically - is as easy as running `npm audit fix`. The audit also labels each known vulnerability with a severity, and `--audit-level=(low|moderate|high|critical)` lets you set the minimum severity you care about - with this information you can prioritize how you address and resolve the issues. The audit will also tell you how to update or install the needed packages manually.

Issue types reported by the known-vulnerability audit of your project's dependencies can include: Potential Command Injection, Prototype Pollution, Denial of Service, Extended Event Loop Blocking, Signature Malleability, Insufficient Entropy, Reflected Cross-Site Scripting and Arbitrary File Write.

This audit functionality in npm is definitely something to play around with, to figure out which output format works best for you. You can see all the different ways to use it in the npm documentation.

Like any security scan, running it once will never be enough, since security standards are a moving target. Libraries and dependencies that used to be the standard for secure code may now be obsolete and have known security vulnerabilities. A good rule of thumb is to run scans like this at least once a season, possibly more often depending on your release cadence. Along with this, you should run regression tests on your project after the audit to ensure that the upgraded dependencies don't break any user flows.

More information on how to run a npm security audit as well as what that audit means.
