
Avoid Using Dependencies with Known Vulnerabilities

Saturday, March 14, 2020

This best practice seems obvious. We should already know that our applications may inherit known vulnerabilities through their dependencies; what we really need to know is how to avoid using a dependency that contains one.

How?

There are several actions you can take to avoid vulnerabilities in your application's dependencies:

  1. Scan for known vulnerabilities using npm audit
  2. Set a periodic release schedule
  3. Check for known vulnerabilities in your continuous integration pipeline
  4. Use automated dependency checking and, where possible, automated fixes
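Step 3 above is the one that needs a little code: a gate that turns the report from npm audit into a pass/fail decision for the pipeline. The script below is an added example, not part of the original post or of npm itself; it reads the JSON that `npm audit --json` writes and fails the job when any finding is at or above a chosen severity. It assumes the report's `metadata.vulnerabilities` counts object (present in both the npm 6 and npm 7+ report shapes), and SAMPLE_REPORT is a constructed stand-in used when no report file is passed.

```javascript
// audit-gate.js: fail a CI job on `npm audit --json` output (added example).
// Usage: npm audit --json > audit.json; node audit-gate.js audit.json [threshold]
// Assumption: the report carries metadata.vulnerabilities with per-severity counts.

const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];

// Sum the findings whose severity is at or above the threshold.
function countAtOrAbove(report, threshold) {
  const idx = SEVERITIES.indexOf(threshold);
  if (idx < 0) throw new Error(`unknown severity: ${threshold}`);
  const counts = (report.metadata && report.metadata.vulnerabilities) || {};
  return SEVERITIES.slice(idx).reduce((sum, sev) => sum + (counts[sev] || 0), 0);
}

// The gate itself: true means the release must not ship.
function shouldFailBuild(report, threshold = 'high') {
  return countAtOrAbove(report, threshold) > 0;
}

// Constructed sample (no real advisories): two moderate findings and one high.
const SAMPLE_REPORT = {
  metadata: {
    vulnerabilities: { info: 0, low: 0, moderate: 2, high: 1, critical: 0, total: 3 },
  },
};

function main(argv) {
  const reportPath = argv[2];
  const threshold = argv[3] || 'high';
  // Use the real report when a path is given, otherwise the constructed sample.
  const report = reportPath
    ? JSON.parse(require('fs').readFileSync(reportPath, 'utf8'))
    : SAMPLE_REPORT;
  const n = countAtOrAbove(report, threshold);
  console.log(`${n} finding(s) at severity >= ${threshold}`);
  // Only a real report file can break the build; the sample run always exits 0.
  if (reportPath && shouldFailBuild(report, threshold)) process.exitCode = 1;
}

main(process.argv);
```

Pick the threshold to match your release policy (the sample fails at "high" but passes at "critical"); a non-zero exit status is what stops the pipeline.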

Here are a few resources to help:

Code Examples

$ npm audit

do: npm audit

Instructions

  • Do:

    use npm audit to review known vulnerabilities in a project's dependencies

  • Avoid:

    installing new dependencies that contain a known vulnerability

  • Avoid:

    publishing a release that contains a vulnerability in a dependency

  • Why:

    follow OWASP guidelines

Brian Love

Brian is a software engineer and Google Developer Expert in Web Technologies and Angular with a passion for learning, writing, speaking, teaching and mentoring. He regularly speaks at conferences and meetups around the country, and co-authored "Why Angular for the Enterprise" for O'Reilly. When not coding, Brian enjoys skiing, hiking, and being in the outdoors. Brian recently launched lookout.dev where you can find best practices and expert advice on topics ranging from TypeScript, Angular, React, Node.js and more.

Google Developers Expert
