The latest v1 major version of Yarn 1.22.22 supports a dependency audit command yarn audit that is similar to npm audit and allows developers who choose to use the Yarn package manager to check for vulnerabilities in their dependencies.
Yarn uses the same vulnerability database as the npmjs registry (which to date has transitioned over to GitHub and its advisory database).
As such, Yarn just mirrors the same API calls that the npm CLI uses to fetch vulnerability information when running with npm audit and that by default in modern npm versions runs automatically after* installing packages.
It’s important to note that Yarn doesn’t maintain its own vulnerability database, nor curates or triages any security vulnerability information, nor do any vulnerabilities about npm packages are reported to Yarn maintainers.
yarn auditSimply run yarn audit in your project directory to check for vulnerabilities in your dependencies.
If you don’t already have Yarn’s lockfile generated (yarn.lock), Yarn will generate it for you before running the audit. and then present the results of the audit in a table format.
Here’s an example output of yarn audit:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ Command Injection in lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash.template │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ No patch available │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ subfont │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ subfont > assetgraph > workbox-build > lodash.template │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1096993 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ kangax html-minifier REDoS vulnerability │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ html-minifier │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ No patch available │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ subfont │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ subfont > assetgraph > html-minifier │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1097148 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ path-to-regexp outputs backtracking regular expressions │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ path-to-regexp │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=8.0.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ astro │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ astro > path-to-regexp │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1099538 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ path-to-regexp outputs backtracking regular expressions │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ path-to-regexp │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=8.0.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ astro-compress │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ astro-compress > astro > path-to-regexp │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1099538 │
└───────────────┴──────────────────────────────────────────────────────────────┘
4 vulnerabilities found - Packages audited: 1625
Severity: 4 High
✨ Done in 59.13s.
Note: if you’re using the latest major version of Yarn - Yarn 4, the audit commands exists under the command-line flag as follows: yarn npm audit (yes I know it looks confusing but that’s the actual command).
yarn audit outputYarn and the npm CLI, while using the same underlying advisory database for vulnerabilities, choose to display and print out the results of the audit in different formats.
Yarn’s table format is quite more friendly and easier to read than npm’s formatting which is much more verbose and harder to parse. To compare, here’s the same path-to-regexp vulnerability as reported by npm audit:
path-to-regexp 4.0.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install @astrojs/tailwind@2.1.3, which is a breaking change
node_modules/path-to-regexp
astro <=0.0.0-xray-20231129021231 || >=0.18.0-collections.1
Depends on vulnerable versions of @astrojs/markdown-remark
Depends on vulnerable versions of path-to-regexp
node_modules/astro
@astro-community/astro-embed-integration >=0.1.0
Depends on vulnerable versions of @astro-community/astro-embed-twitter
Depends on vulnerable versions of @astro-community/astro-embed-vimeo
Depends on vulnerable versions of @astro-community/astro-embed-youtube
Depends on vulnerable versions of astro
Depends on vulnerable versions of astro-auto-import
node_modules/@astro-community/astro-embed-integration
@astro-community/astro-embed-twitter >=0.1.0
Depends on vulnerable versions of astro
node_modules/@astro-community/astro-embed-twitter
@astro-community/astro-embed-vimeo *
Depends on vulnerable versions of astro
node_modules/@astro-community/astro-embed-vimeo
astro-embed >=0.1.0
Depends on vulnerable versions of @astro-community/astro-embed-integration
Depends on vulnerable versions of @astro-community/astro-embed-twitter
Depends on vulnerable versions of @astro-community/astro-embed-vimeo
Depends on vulnerable versions of @astro-community/astro-embed-youtube
Depends on vulnerable versions of astro
node_modules/astro-embed
...
So, Yarn makes it more obvious to understand the top-level direct dependency that introduces the nested package with the vulnerability, and the path to the vulnerable package.
Hint: Yarn also supports JSON output with yarn audit --json if you want to parse the results programmatically, like say in a CI/CD pipeline or some custom tool you’re building.
yarn auditThe vulnerabilities reported by yarn audit can be fixed by updating the vulnerable package to a newer version that has the vulnerability patched, based on the versions range that Yarn reports.
Do note though that sometimes there exist no upgrade versions with a fix to the vulnerability (for example in cases where the vulnerability is very new, or the package is no longer well maintained), in which case you might need to look for alternative packages or solutions. Maybe consider applying the patch yourself using the patch-package package on npm.
That said, I highly recommend both using the Snyk CLI (npm install -g snyk) and integrating Snyk into your GitHub or Gitlab repository so that Snyk can monitor for new vulnerabilities in real-time as it learns about them and then automatically create new Pull Requests with upgrade fixes to your dependencies.
The Snyk CLI is also very handy and much more powerful than both yarn audit and npm audit because it was tailored for developer-first security workflows. For example, it will by default filter noise from development dependencies (those in devDependencies that don’t get pushed to production), and it can also test for vulnerabilities in your own code, Docker images, Kubernetes manifests, Terraform configurations, and more.
By using Snyk you also get access to Snyk’s vulnerability database which is much more comprehensive than the npmjs advisory database, and you get access to Snyk’s security research team that curates and triages security vulnerabilities and can provide you with more context and guidance on how to fix vulnerabilities.
Here’s an example snyk test output:
Tested 684 dependencies for known issues, found 10 issues, 25 vulnerable paths.
Issues to fix by upgrading:
Upgrade astro@3.6.5 to astro@4.13.1 to fix
✗ Cross-site Scripting (XSS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-ASTRO-7547139] in astro@3.6.5
introduced by astro@3.6.5
✗ Improper Access Control [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-VITE-6531286] in vite@4.4.9
introduced by astro@3.6.5 > vite@4.4.9
✗ Cross-Site Scripting (XSS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-VITE-6098386] in vite@4.4.9
introduced by astro@3.6.5 > vite@4.4.9
✗ Uncontrolled resource consumption [High Severity][https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727] in braces@3.0.2
introduced by astro@3.6.5 > chokidar@3.5.3 > braces@3.0.2 and 8 other path(s)
✗ Access Control Bypass [High Severity][https://security.snyk.io/vuln/SNYK-JS-VITE-6182924] in vite@4.4.9
introduced by astro@3.6.5 > vite@4.4.9
Issues with no direct upgrade or patch:
✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-DSET-7116691] in dset@3.1.3
introduced by astro@3.6.5 > @astrojs/telemetry@3.0.4 > dset@3.1.3
This issue was fixed in versions: 3.1.4
✗ Missing Release of Resource after Effective Lifetime [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116] in inflight@1.0.6
introduced by @astrojs/vercel@5.2.0 > @vercel/nft@0.23.1 > glob@7.2.3 > inflight@1.0.6 and 1 other path(s)
No upgrade or patch available
✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-PATHTOREGEXP-7925106] in path-to-regexp@6.2.1
introduced by astro@3.6.5 > path-to-regexp@6.2.1
This issue was fixed in versions: 8.0.0
✗ Uncontrolled Resource Consumption ('Resource Exhaustion') [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-TAR-6476909] in tar@6.2.0
introduced by @astrojs/vercel@5.2.0 > @vercel/nft@0.23.1 > @mapbox/node-pre-gyp@1.0.11 > tar@6.2.0
This issue was fixed in versions: 6.2.1
Whether you use yarn audit, npm audit or snky test, it’s already a good step forward that you are thinking about your application’s security :-)
I curate many security incidents related to npm on my Awesome Node.js Security repository so secure dependency management is critical and you shouldn’t take it lightly. I agree that there’s a lot of noise to filter through and vulnerability fatigue is a problem, but it’s better to be safe than sorry. Also, learn to use the tools that help you focus on the important bits (hint: Snyk!).
Disclaimer - I work at Snyk!
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。