Avoid Using Dependencies with Known Vulnerabilities
Saturday, March 14, 2020
This best practice seems obvious. Everyone accepts that an application can inherit known vulnerabilities through its dependencies; what we really need to know is how to find those dependencies and stop using them before they ship.
How?
There are several actions you can take to avoid vulnerabilities in your application's dependencies:
- Scan for known vulnerabilities using npm audit
- Set a periodic release schedule, so that dependency updates actually reach production
- Check for known vulnerabilities in your continuous integration pipeline, and fail the build when they are found
- Use automated dependency checking and, where possible, automated fixes (npm audit fix)
Here are a few guidelines to help:
Instructions
- Do: use npm audit to review known vulnerabilities in a project's dependencies
- Don't: install new dependencies that contain a known vulnerability
- Don't: publish a release that contains a vulnerability in a dependency
- Also: follow OWASP guidelines (this practice is OWASP Top 10 2017 A9, "Using Components with Known Vulnerabilities")
Code Examples
npm audit
$ npm audit