Using Vulnerable Libraries

Why is this important?

Most of the code for modern applications is coming from third-party libraries. This is great because it speeds up development. However, there is no guarantee that third-party libraries are secure and of high quality.

As a result, over 1500 vulnerabilities were reported in third-party Node.js packages.

Check out this video for a high-level explanation:

Updating Vulnerable libraries

Option A: Use npm audit

Ensure you have npm version 6.1.0 or higher
```
npm -v
6.1.0
```
Change directory into the root of your repository
```
cd `name of repository`
```
Run npm audit fix
```
npm audit fix
```
Test to verify that the upgrade doesn't break the app
Ship it 🚢 and relax 🌴

Option B: Manually update the packages

Look at the vulnerable package in the GuardRails PR comment
Change the package.json to reflect that new version
Test to verify that the upgrade doesn't break the app
Ship it 🚢 and relax 🌴

Option C: When no update is available

Look at the vulnerable package in the GuardRails PR comment
If no update is available then you have 3 choices:
- Remove the package if it's not needed
- Replace the package with another one that doesn't contain vulnerabilities
- Take a closer look at the vulnerability details and create a PR patching it
Test to verify that your actions don't break the app
Ship it 🚢 and relax 🌴

More information:

OWASP TOP 10 Reference: Using Components with Known Vulnerabilities

Why is this important?​

Updating Vulnerable libraries​

Option A: Use npm audit​

Option B: Manually update the packages​

Option C: When no update is available​

More information:​