Using Vulnerable Libraries

Why is this important?

Most of the code in modern applications comes from third-party libraries. This is great because it speeds up development. However, there is no guarantee that third-party libraries are secure or of high quality.

As a result, over 1500 vulnerabilities have been reported in third-party Node.js packages.

Check out this video for a high-level explanation:

Using Known Vulnerable Components

Updating Vulnerable Libraries

Option A: Use npm audit

  1. Ensure you have npm version 6.1.0 or higher:

     npm -v
     6.1.0

  2. Change directory into the root of your repository:

     cd `name of repository`

  3. Run npm audit fix:

     npm audit fix

  4. Test to verify that the upgrade doesn't break the app
  5. Ship it 🚢 and relax 🌴
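
The following script automates steps 1 to 4 of Option A; it is an added example, not part of the GuardRails page. It assumes the project defines an npm "test" script so that `npm test` can serve as the check in step 4.

```shell
#!/bin/sh
# Added example (not from the GuardRails page): automates Option A.
# Assumes the project has an npm "test" script for step 4.

# ver_ge A B: succeed (exit 0) when dotted version A is >= B, comparing
# major.minor.patch numerically; any -prerelease suffix is ignored.
ver_ge() {
  a=${1%%-*}; b=${2%%-*}
  oldifs=$IFS; IFS=.
  set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
  set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
  IFS=$oldifs
  for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
    set -- $pair
    [ "$1" -gt "$2" ] && return 0
    [ "$1" -lt "$2" ] && return 1
  done
  return 0
}

# audit_and_fix: steps 1-4 of Option A. Returns 2 if npm is missing or too
# old, 1 if the test suite fails after the upgrade, otherwise the exit status
# of a final `npm audit` (0 only when no known vulnerabilities remain).
audit_and_fix() {
  npm_version=$(npm -v 2>/dev/null) || { echo "npm is not installed" >&2; return 2; }
  if ! ver_ge "$npm_version" 6.1.0; then
    echo "npm $npm_version is too old; npm audit needs 6.1.0 or higher" >&2
    return 2
  fi
  npm audit fix                      # step 3: apply compatible upgrades
  if ! npm test; then                # step 4: never ship a broken app
    echo "tests fail after npm audit fix; review the upgrade before shipping" >&2
    return 1
  fi
  npm audit                          # anything left needs Option B or C
}

# Run the whole procedure only when explicitly asked:  sh audit-fix.sh run
case "${1:-}" in
  run) audit_and_fix ;;
esac
```

Run it from the repository root; a non-zero exit from the final `npm audit` means unfixed findings remain and Option B or C applies.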

Option B: Manually update the packages

  1. Look at the vulnerable package in the GuardRails PR comment
  2. Change the package.json to reflect that new version
  3. Test to verify that the upgrade doesn't break the app
  4. Ship it 🚢 and relax 🌴

Option C: When no update is available

  1. Look at the vulnerable package in the GuardRails PR comment
  2. If no update is available, you have 3 choices:
    • Remove the package if it's not needed
    • Replace the package with another one that doesn't contain vulnerabilities
    • Take a closer look at the vulnerability details and create a PR patching it
  3. Test to verify that your actions don't break the app
  4. Ship it 🚢 and relax 🌴

More information: