Using Vulnerable Libraries
Why is this important?
Most of the code in modern applications comes from third-party libraries. This is great because it speeds up development, but there is no guarantee that third-party libraries are secure or of high quality.
As a result, over 1500 vulnerabilities have been reported in third-party Node.js packages.
Updating Vulnerable Libraries
Option A: Use npm audit
- Ensure you have npm version 6.1.0 or higher:
  npm -v
  6.1.0
- Change directory into the root of your repository:
  cd `name of repository`
- Run npm audit fix:
  npm audit fix
- Test to verify that the upgrade doesn't break the app
- Ship it 🚢 and relax 😴
Option B: Manually update the packages
- Look at the vulnerable package in the GuardRails PR comment
- Change the package.json to reflect the new version
- Test to verify that the upgrade doesn't break the app
- Ship it 🚢 and relax 😴
Option C: When no update is available
- Look at the vulnerable package in the GuardRails PR comment
- If no update is available then you have 3 choices:
  - Remove the package if it's not needed
  - Replace the package with another one that doesn't contain vulnerabilities
  - Take a closer look at the vulnerability details and create a PR patching it
- Test to verify that your actions don't break the app
- Ship it 🚢 and relax 😴
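The three options above map directly onto what `npm audit --json` reports per package. The following Node.js script is an added example (not GuardRails' own code or part of this page) that sorts a report into Option A, B or C; it assumes the npm 7+ report format (`auditReportVersion: 2`), where each vulnerability carries a `fixAvailable` field, and uses a constructed sample report with placeholder package names.

```javascript
// Added example (not GuardRails' code): triage an `npm audit --json` report
// into the three remediation options (A: npm audit fix, B: manual update,
// C: no fix available). Assumes the npm 7+ format (auditReportVersion 2),
// where `fixAvailable` is true, false, or an object naming the fixing version.

// Constructed sample report with placeholder package names. In practice, run
// `npm audit --json > audit.json` and `JSON.parse(fs.readFileSync('audit.json'))`.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-a': { name: 'example-a', severity: 'high', isDirect: true, range: '<1.2.3',
      fixAvailable: true },
    'example-b': { name: 'example-b', severity: 'moderate', isDirect: true, range: '<2.0.0',
      fixAvailable: { name: 'example-b', version: '2.0.0', isSemVerMajor: true } },
    'example-c': { name: 'example-c', severity: 'critical', isDirect: false, range: '*',
      fixAvailable: false },
  },
};

// Classify each finding by what `fixAvailable` says can be done about it.
function triageAudit(report) {
  if (report.auditReportVersion !== 2) {
    throw new Error('expected auditReportVersion 2 (npm 7+); re-run with a newer npm');
  }
  const result = { autoFix: [], manualUpdate: [], noFix: [] };
  for (const v of Object.values(report.vulnerabilities || {})) {
    const entry = { name: v.name, severity: v.severity, direct: Boolean(v.isDirect), range: v.range };
    if (v.fixAvailable === true) {
      result.autoFix.push(entry);                // Option A: `npm audit fix` resolves it
    } else if (v.fixAvailable && typeof v.fixAvailable === 'object') {
      entry.fixVersion = v.fixAvailable.version; // Option B: edit package.json by hand,
      entry.breaking = Boolean(v.fixAvailable.isSemVerMajor); // usually a semver-major bump
      result.manualUpdate.push(entry);
    } else {
      result.noFix.push(entry);                  // Option C: remove, replace, or patch
    }
  }
  return result;
}

// Render a short summary, most severe first, so blockers appear at the top.
const SEVERITY_ORDER = ['critical', 'high', 'moderate', 'low', 'info'];
function summarize(triage) {
  const bySeverity = (a, b) => SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity);
  const groups = [['A: npm audit fix', triage.autoFix], ['B: manual update', triage.manualUpdate],
                  ['C: no fix available', triage.noFix]];
  return groups.flatMap(([label, items]) => [...items].sort(bySeverity).map(
    (e) => `${label.padEnd(22)} ${e.name} (${e.severity}${e.direct ? ', direct' : ''})`));
}

console.log(summarize(triageAudit(sampleReport)).join('\n'));
```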
More information:
- OWASP TOP 10 Reference: Using Components with Known Vulnerabilities