Dependency Security
TL;DR: Run npm audit regularly. Pin your dependency versions. Use Dependabot or a similar tool so you are not manually tracking CVEs across hundreds of packages.
When you install a package, you’re not just installing that package. You’re installing everything it depends on, and everything those dependencies depend on. A typical Node project has hundreds of transitive dependencies, most of which you’ve never looked at.
Any one of them can have a vulnerability. And when a CVE gets published for a widely used package, it’s often actively exploited within hours.
The good news is this is easy to check.
npm audit
npm audit fix
npm audit scans your dependency tree against a database of known vulnerabilities and tells you what’s at risk. npm audit fix automatically upgrades what it can.
Pin your dependency versions in package.json instead of using ^ or ~. Floating version ranges mean a new package version can slip in silently the next time someone runs npm install, potentially introducing a regression or a new vulnerability.
Set up Dependabot or Renovate to send you automated PRs when your dependencies have updates. It turns a task you’d forget into one that finds you.
Further reading: Snyk Open Source Security