惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Full Disclosure
WordPress大学
WordPress大学
小众软件
小众软件
Cloudbric
Cloudbric
AWS News Blog
AWS News Blog
腾讯CDC
量子位
人人都是产品经理
人人都是产品经理
大猫的无限游戏
大猫的无限游戏
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
V
Vulnerabilities – Threatpost
Scott Helme
Scott Helme
Hugging Face - Blog
Hugging Face - Blog
博客园_首页
C
CXSECURITY Database RSS Feed - CXSecurity.com
The Hacker News
The Hacker News
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
IT之家
IT之家
Jina AI
Jina AI
Attack and Defense Labs
Attack and Defense Labs
S
SegmentFault 最新的问题
Simon Willison's Weblog
Simon Willison's Weblog
The Cloudflare Blog
阮一峰的网络日志
阮一峰的网络日志
T
Tailwind CSS Blog
Last Week in AI
Last Week in AI
博客园 - 【当耐特】
Google Online Security Blog
Google Online Security Blog
美团技术团队
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
V
Visual Studio Blog
罗磊的独立博客
L
LINUX DO - 最新话题
博客园 - Franky
博客园 - 叶小钗
Apple Machine Learning Research
Apple Machine Learning Research
The Last Watchdog
The Last Watchdog
J
Java Code Geeks
AI
AI
C
Cisco Blogs
酷 壳 – CoolShell
酷 壳 – CoolShell
C
Cyber Attacks, Cyber Crime and Cyber Security
Cisco Talos Blog
Cisco Talos Blog
博客园 - 三生石上(FineUI控件)
雷峰网
雷峰网
Help Net Security
Help Net Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
云风的 BLOG
云风的 BLOG
I
Intezer
S
Securelist

NodeJS Security & NodeJS Secure Coding's Blog

Hardening Your npm and pnpm Configs in the Age of Shai-Hulud Argument Injection vulnerability in git-blame@1.4.0 Argument Injection vulnerability in `gits@0.1.8` Command Injection vulnerability in `@fab1o/git@1.4.0` Command Injection vulnerability in `git-contributors` via unsanitized CLI arguments Command Injection vulnerability in `git-q@0.0.3` Command injection vulnerability via unsanitized CLI arguments in touxing/fast-git-clone Command Injection vulnerability in `willitmerge@0.2.1` A Directory Traversal Vulnerability I found in Mastra AI Frameworks MCP Server Mastering NPX: A Cheatsheet for npm and Node.js Power Users Mitigate Supply Chain Security with DevContainers and 1Password for Node.js Local Development The Tale of the Vulnerable MCP Database Server Bad Security Defaults in Mastra AI Frameworks Templates SQL Injection and Bypassing "Read-Only" Mode in Xata's MCP Server Security Advisory for qix npm supply-chain compromise affecting debug and billions of weekly download users How to Mitigate SQL Bypass in MCP Servers Enhancing MCP Server Security: A Guide to Using execFile Argument Injection Vulnerability in ggit How to Bypass Access Control in PostgreSQL in Simple PSQL MCP Server for SQL Injection Command Injection Flaws in ggit: Unveiling a Vulnerability Command Injection Vulnerability in Create MCP Server STDIO Tool Exposes System Monitoring Functions GitHub Kanban MCP Server Command Injection Vulnerability Threatens Developer Workflows Critical Command Injection Flaw in iOS Simulator MCP Server Exposes Development Environments Command Injection Vulnerability Discovered in Codehooks MCP Server: A Critical Security Analysis SSRF Shenanigans in safe-axios: Redirects Open the Backdoor SSRF Vulnerability in safe-axios: Unintended Public Address Classification Bypassing SSRF Safeguards in ssrfcheck: A Case of Incomplete Denylists Don't Be Fooled by Multicast, SSRF Bypass in private-ip Node.js Authentication from Lucia to Better Auth Bypassing SSRF Protection in nossrf: When Your Safeguards Become Loopholes Vue CLI Security Fix to Mitigate NPM Binary Planting Node.js API Security Vulnerabilities with Path Traversal in files-bucket-server Will You Accept These GPT 4o Secure Coding Recommendations? Command Injection Vulnerability in interactive-git-checkout npm package An Introduction to SSRF Bypasses and Denylist Failures Disclosing a Command Injection Vulnerability in `git-checkout-tool` Prisma Raw Query Leads to SQL Injection? Yes and No Flawed Git Promises Library on npm Leads to Command Injection Vulnerability Regex Gone Wrong: How parse-duration npm Package Can Crash Your Node.js App How I found an XSS in the Nuxt MDC Library for Markdown Content Holes in the Safety Net: Bypassing SSRF Protection in safe-axios How to Parse URLs from Markdown to HTML Securely? NPM Ignore Scripts Best Practices as Security Mitigation for Malicious Packages Where to find npm vulnerabilities? How to Hunt for IDOR Vulnerabilities To Exploit Security Misconfiguration? How to Avoid JWT Security Mistakes in Node.js Can a Node.js Secure Code Review Find Future Vulnerabilities? The Okta bcrypt Security Incident and The Bun vs Node.js Angle in Secure By Design NodeJS Path Traversal Vulnerability Scanner Do not use secrets in environment variables and here's how to do it better How to use yarn audit Raw SQL Queries are Actually Better for Security Than ORMs? Node API Security Is Node.js Secure? URL Regex Validation: what can go wrong? Uncovering a Prototype Pollution Regression in the core Node.js project Deno CLI Vulnerability Repeats npm mistakes: CVE-2024-37150 Security skills for JavaScript developers Understanding and Preventing Prototype Pollution in Node.js How to protect against a security breach in React Server Components IDOR Vulnerability: What is it and how to prevent it? The security vulnerability of serving images via a route as opposed to static middleware in Node.js Why is it considered a bad practice to write raw SQL commands? JS Security Concepts for JavaScript Developers Secure Coding Practices in Node.js Against Path Traversal Vulnerabilities Secure JavaScript Coding Practices Against Command Injection Vulnerabilities To IDOR or Not to IDOR: Insecure Direct Object Reference in JavaScript Applications Explained npm vulnerabilities: reviewing the security of your dependencies Disclosing code injection vulnerabilities in safe-eval-2 npm package Introducing Node.js Security Permissions Model, Threat Model, and Security Releases Common Node.js Security Issues and How to Mitigate Them How JavaScript developers should embrace npm security The XZ backdoor CVE-2024-3094: a JavaScript perspective Node.js Security Best Practices The Case for Node.js Secure Configuration Protecting Against Common Node.js Vulnerabilities Input Validation Security Best Practices for Node.js A Node.js Vulnerability Scanner to Avoid Security Risks of EOL Runtime Versions JavaScript Security Issues in Node.js Applications OWASP Node.js Authentication, Authorization and Cryptography Practices OWASP Node.js Best Practices Guide Secure JavaScript Coding to Avoid Insecure Direct Object References (IDOR) North Korea malware on npm and Ledger connect-kit crypto heist 10 Best Practices for Secure Code Review of Node.js code Node.js and OWASP Top Ten Command Injection: Don't Let Your App Go 'BOOM' Secure Code Review Tips to Defend Against Vulnerable Node.js Code Destroyed by Dashes: How Two Hyphens Cause Argument Injection Vulnerability in blamer npm Package Securing Your Node.js Apps by Analyzing Real-World Command Injection Examples An Introduction to Command Injection Vulnerabilities in Node.js and JavaScript
How to use npm audit
2024-10-02 · via NodeJS Security & NodeJS Secure Coding's Blog

The npm package manager has a built-in flag called audit to scan for vulnerabilities in your project’s dependencies and the npm audit command is likely a common CI step for many. How to use npm audit, what are some power-user tips for it, what are the common issues with it and what do I recommend to adopt for a good security posture in your project? Let’s dive in.

The npm audit command was initially added with npm@6 and allowed developers to run a security scan of their direct and transitive dependencies for public and known vulnerabilities in the npm ecosystem. Back then, npm was self-directed and the audit command was a wrapper around npm’s own vulnerability database. With the GitHub acquisition, npm audit now uses the GitHub Advisory Database, which is a superset of the npm database and includes vulnerabilities from other ecosystems like RubyGems, PyPI, and others.

How to use npm audit

To run an audit, you can simply run npm audit in your project’s root directory. This will scan your project’s dependencies and print out a summary of the vulnerabilities found.

In fact, you’ve probably seen a summary of the npm audit command before when you installed packages in your npm project, like this:

$ npm install <package-name>
npm WARN <package-name> <version> requires a peer of <peer-dependency> but none is installed. You must install peer dependencies yourself.
+ <package-name>@<version>
25 vulnerabilities (2 moderate, 23 high)
To address issues that do not require attention, run:
  npm audit fix

What you see there is that the npm package manager is already running an explicit scan of the dependency tree after you’ve installed a new package. Of course, if a dependency is malicious, then this is already too-late in most cases because the package has probably already been installed, executed and done its harm, but we won’t get into that here if you are curious though, I highly recommend you take a look at my proactive security CLI tool npq which shows you security information BEFORE YOU INSTALL A PACKAGE. Genius, right? I know 😎.

So back to npm audit, the basic use in a given project is indeed as simple as running npm audit and you’ll get a summary of the vulnerabilities found in your project’s dependencies:

$ npm audit <package@version>
# npm audit report
braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix`
node_modules/braces

If you want to see more details, you can run npm audit --json to get a JSON output of the vulnerabilities found (handy if you’re building some custom security report). If you want to see the vulnerabilities in a tree format, you can run npm audit --parseable to get a tree view of the vulnerabilities.

Downsides of npm audit and how to address them

Let’s see the full report of the above npm audit command:

$ npm audit <package@version>
# npm audit report
braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix`
node_modules/braces
fast-xml-parser  <4.4.1
Severity: high
fast-xml-parser vulnerable to ReDOS at currency parsing - https://github.com/advisories/GHSA-mpg4-rc92-vx8v
fix available via `npm audit fix`
node_modules/fast-xml-parser
html-minifier  *
Severity: high
kangax html-minifier REDoS vulnerability - https://github.com/advisories/GHSA-pfq8-rq6v-vf5m
No fix available
node_modules/html-minifier
  assetgraph  >=1.10.0
  Depends on vulnerable versions of html-minifier
  Depends on vulnerable versions of workbox-build
  node_modules/assetgraph
    subfont  *
    Depends on vulnerable versions of assetgraph
    node_modules/subfont
lodash.template  *
Severity: high
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
No fix available
node_modules/lodash.template
  workbox-build  <=5.1.4
  Depends on vulnerable versions of lodash.template
  node_modules/workbox-build

Is this output hard to parse? I think so too.

Can you easily make decisions on which vulnerabilities to address? I think not.

If you have nothing else, npm audit is better than nothing, but it’s not the best tool for the job. Where it falls short:

  • npm audit by default will display development dependencies (devDependencies). This can be overwhelming and not useful for the developer who is trying to understand the security posture of their application because those dependencies are not part of the deployed production application. Hence, creating vulnerability noise.
  • npm audit doesn’t monitor your dependencies in any way, so you have to remember to run it manually.
  • npm audit doesn’t provide a way to ignore vulnerabilities, so you can’t easily suppress false positives or known issues that you wish to defer addressing.
  • npm audit doesn’t provide a way to automatically fix vulnerabilities, so you have to manually update your dependencies (or fall back to npm audit fix which can be dangerous and can end up with a broken application).
  • npm audit fix can be dangerous because it will update your dependencies to the latest major version (so introducing a breaking change) or it can completely downgrade a package to a version that is not compatible with your application.

There are other issues with npm audit but these are the main ones that I see developers struggle with.

A better way to audit your dependencies

If you take your application security seriously and your working on more than a hobby side project, then you should consider adopting a more robust application security platform that puts the focus on developers and provides them with the tools they need to secure their applications. Snyk is a great example of that.

Snyk is a developer-first security platform that first and foremost is designed around developer workflows and has a generous always-free tier.

Snyk helps you find, fix, and prevent vulnerabilities in your applications. It’s flexible and integrates with your CI/CD pipeline (for example, there’s a GitHub Actions workflow you can embed), your IDE (get the VS Code extension!), and your source control system to provide you with security information at the right time and in the right place.

If you’re on the CLI you can scan your project’s dependencies with snyk test (and install Snyk CLI with npm install -g snyk because the Snyk CLI is also available as an npm package):

$ snyk test
Tested 1098 dependencies for known issues, found 17 issues, 20 vulnerable paths.
Issues to fix by upgrading:
  Upgrade git-contributors@0.2.3 to git-contributors@0.2.5 to fix
   Regular Expression Denial of Service (ReDoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-1018905] in lodash@3.9.3
    introduced by git-contributors@0.2.3 > lodash@3.9.3
   Regular Expression Denial of Service (ReDoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-73639] in lodash@3.9.3
    introduced by git-contributors@0.2.3 > lodash@3.9.3
   Prototype Pollution [Medium Severity][https://security.snyk.io/vuln/npm:lodash:20180130] in lodash@3.9.3
    introduced by git-contributors@0.2.3 > lodash@3.9.3
   Code Injection [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-1040724] in lodash@3.9.3
    introduced by git-contributors@0.2.3 > lodash@3.9.3
   Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-450202] in lodash@3.9.3
  Upgrade git-tags-remote@1.0.2 to git-tags-remote@1.0.3 to fix
   Command Injection [High Severity][https://security.snyk.io/vuln/SNYK-JS-GITTAGSREMOTE-596503] in git-tags-remote@1.0.2
    introduced by git-tags-remote@1.0.2
  Upgrade nuxt@3.12.2 to nuxt@3.12.4 to fix
   Cross-site Scripting (XSS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-NUXT-7640972] in nuxt@3.12.2
    introduced by nuxt@3.12.2
   Remote Code Execution (RCE) [High Severity][https://security.snyk.io/vuln/SNYK-JS-NUXT-7640974] in nuxt@3.12.2
    introduced by nuxt@3.12.2
Issues with no direct upgrade or patch:
   Missing Release of Resource after Effective Lifetime [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116] in inflight@1.0.6
    introduced by nuxt@3.12.2 > nitropack@2.9.7 > @vercel/nft@0.26.5 > glob@7.2.3 > inflight@1.0.6 and 3 other path(s)
  No upgrade or patch available
   Malicious Package [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-LEGACYSWCHELPERS-7647380] in legacy-swc-helpers@0.4.14
    introduced by @nuxt/fonts@0.7.1 > fontaine@0.5.0 > @capsizecss/unpack@2.2.0 > fontkit@2.0.2 > @swc/helpers@0.4.36 > legacy-swc-helpers@0.4.14
  No upgrade or patch available

Much more readable, yes? I agree ;-)

Benefits of using Snyk in my opinion:

  • Scanned your dependencies? great. Now run snyk monitor and your project will be monitored for new vulnerabilities and you’ll get an email notification if a new vulnerability is found in your project.
  • Better than manually scanning and monitoring your dependencies, Snyk integrates with your CI/CD pipeline and your source control system and will automatically create a pull request to fix vulnerabilities in your project. how? connect Snyk to your GitHub repo and you’re set!
  • Your on a polyglot team that manages code that is more than just JavaScript? Snyk supports multiple ecosystems like Java, Python, Ruby, Go, and many others.
  • Your repository is a monorepo with different language ecosystems? Easy peasy. Run snyk test --all-projects in the root of your repository and Snyk will traverse through all supported ecosystem manifest files and scan/import them for you.
  • Use the various Snyk CLI to filter for severity levels, ignore vulnerabilities based on CVE or a Snyk advisory id, and more.
  • Security teams love their acronym. They’ll tell you npm audit is not enough and they want an SBOM output, a SAST scan, your container image scanned, your Terraform configuration scanned, and more. Snyk has you covered with all of that. Just fire off the adequate command and you’re done (or connect Snyk to GitHub and it’ll discover all of these automatically). Job done.
  • Security teams love their security dashboards so they’ll ask you for a report. Easy peasy: snyk test --json > snyk-report.json and you’re done. They asked you for a SARIF format? snyk test --sarif > snyk-report.sarif and you’re done.

Snyk also provides you with a way to ignore vulnerabilities, so you can suppress false positives or known issues that you wish to defer addressing. You can also create a policy to enforce security standards across your organization and prevent other developers in your team from introducing new vulnerabilities based on policies and PR checks that you can setup if you integrate Snyk with your GitHub repository.

Conclusion

How to use npm audit? Well, just run it. Yes it’s that simple. But if you’re serious about securing your applications, shipping secure code with your team, then you should consider adopting a more robust security platform like Snyk.

Disclaimer - I work at Snyk!

此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。