Avoid Using Dependencies with Known Vulnerabilities
Saturday, March 14, 2020
Avoid Using Dependencies with Known Vulnerabilities
This best practice seems obvious. While we should know that our applications may contain known vulnerabilities in our dependencies, what we really need to know is how to avoid using dependencies that contain a known vulnerability.
How?
There are several actions you can take to avoid vulnerabilities in your application's dependencies:
- Scan for known vulnerabilities using
npm audit - Set a periodic release schedule
- Check for known vulnerabilities in your continuous integration pipeline
- Use automated dependency checking, and possible automated fixes
Here are a few resources to help:
Instructions
use npm audit to review known vulnerabilities in a project's dependencies
installing new dependencies that contain a known vulnerability
publishing a release that contains a vulnerability in a dependency
follow OWASP guidelines
Code Examples
npm audit
$ npm auditI am a software engineer and Google Developer Expert in Web Technologies and Angular with a passion for learning, writing, speaking, teaching and mentoring. I regularly speaks at conferences and meetups around the country, and co-authored "Why Angular for the Enterprise" for O'Reilly. When not coding, I enjoy skiing, hiking, and being in the outdoors. I started lookout.dev to break down the barriers of learning in public. Learning in public fosters growth - for ourselves and others.
Have a question or comment?