00

Avoid Using Dependencies with Known Vulnerabilities

Saturday, March 14, 2020

This best practice seems obvious. While we should know that our applications may contain known vulnerabilities in our dependencies, what we really need to know is how to avoid using dependencies that contain a known vulnerability.

How?

There are several actions you can take to avoid vulnerabilities in your application's dependencies:

  1. Scan for known vulnerabilities using npm audit
  2. Set a periodic release schedule
  3. Check for known vulnerabilities in your continuous integration pipeline
  4. Use automated dependency checking, and possible automated fixes

Here are a few resources to help:

Instructions

Do

use npm audit to review known vulnerabilities in a project's dependencies

Avoid

installing new dependencies that contain a known vulnerability

publishing a release that contains a vulnerability in a dependency

Why

follow OWASP guidelines

Code Examples

npm audit

$ npm audit
Brian Love

I am a software engineer and Google Developer Expert in Web Technologies and Angular with a passion for learning, writing, speaking, teaching and mentoring. I regularly speaks at conferences and meetups around the country, and co-authored "Why Angular for the Enterprise" for O'Reilly. When not coding, I enjoy skiing, hiking, and being in the outdoors. I started lookout.dev to break down the barriers of learning in public. Learning in public fosters growth - for ourselves and others.

Google Developers Expert

Discussions are healthy ❤️