Node.js, how to solve vulnerability issues?

Captions
Hi, and welcome to another TypeWithMe. In this week's episode I'm going to talk about Node.js and how to solve vulnerability issues within your Node.js project: how can you solve dependencies on third-party packages that have vulnerability issues? Well, we'll see how to do that. For that I have two packages. One is just a package where you will have certain things: you will have an Angular application, and then of course you will have some normal dependencies and some dev dependencies. Great. And then we also have a Universal application, and I'm just going to use these two applications to show you a little bit how to do so.

First of all, you need to know that you can audit third-party vulnerabilities with npm audit. It's very important to look into it, because it can be that you say, "OK, I create very secure code within Node.js or within my frontend application," but it can be that a third-party package has a lot of vulnerability issues, and then of course your application is not secure enough. So it's very important to do so, and I can recommend you to put it into your continuous integration flow or something like that, and really try to solve these kinds of issues so that you are always up to date and have a very secure application. So for that we have npm audit. When I run this, you will see that it provides an audit on top of your application. I run this with npm version 7.

So I will show you: look, we have now 65, sorry, 62 vulnerabilities: 38 low, 5 moderate, 18 high and 1 critical. If we look a little bit deeper into it, you will see here that certain things are being reported. So it's great: you will see here that this depends on that, and it depends on that, and then depends on that, and blah blah blah, and then of course here you will find some kind of information. Sometimes it's nice to only do it with, for example, the highs and the criticals, because of course those are the ones that you want to solve first. When you want to focus a little bit more on that, you can also exclude the other ones so that you only see what is critical or what is high, and then you just update it.

Another thing to do is indeed just do npm audit fix. But if you do npm audit fix or npm audit fix --force, you don't know what it's going to do with your application. It can be that it bumps up certain versions and you don't want that, or that it will break your application, so be aware of that. Trying it in a separate branch would, in my opinion, help you a lot. So I recommend you to create another branch, then try these kinds of things out, and then of course merge it in when everything works fine.

If you only want to have an audit on your dependencies, you can do npm audit --production, and when you do so you will see that we have zero vulnerabilities, because, yeah, it's an Angular project and of course that team also looks into it and sees that there are no vulnerabilities, right? One of the things that I want to do here is, for example, npm install lodash. I'm just going to do that, going to add it. Of course you will see that we have one vulnerability or less. And then if I do it again, you will see that we still have zero vulnerabilities. But again, I know that in a certain lodash version there are vulnerabilities, so I'm going back here and I'm just going to use another version of lodash, a lower one that I know, for example, npm install. And of course I made one mistake: I will need to remove lodash here. So what I'm going to do here is just remove everything, and you can very easily do npx remove-node-modules. It's a very great tool; I use it a lot. "Do you want to proceed?" Now I'm just going to remove everything. So it did. Normally, if I refresh here, you see we don't have a node_modules folder. I do npm install, it's going to reinstall everything there, and normally you will have a little bit more vulnerabilities now. I will also show you how you can check which packages have vulnerabilities, and there is a great website to do so. Of course this takes a little bit.

All right, so we have 62 vulnerabilities after our install, and we now have lodash, which has a vulnerability in there. So if we now do a check on that, npm audit --production, then of course you will see that we have just one high severity vulnerability. Now what I want to do here is npm audit fix, of course, and then we want to have --force, because we want to force it, because, as we see here, it will install lodash, which is outside the stated dependency range, and because it's just one it's easy to do, so we can very easily overcome that. And then of course here you see that it's updating lodash to version 4.17.21, which is outside your stated dependency range. So it's going to do that. I'm just going to close this one, but as we saw here it's lodash 4.17.5, and then of course if I close it we'll see what it will do there: it's just trying to resolve everything. Again, this can take a little bit longer than you expect it to, but it just solves everything there. It's also nice to maybe have it installed into your CD or CI environments, so that you are always up to date with the latest versions and have no vulnerabilities there. But again, it can break certain things; it can have some unexpected behaviour, of course, if it just does that automatically. So it depends on your application and on your situation itself, but it's good to try it out. In my opinion, I'm more in favour of just testing this out, seeing what vulnerabilities there are, and then just manually picking them out and trying to solve them yourself, or first trying to solve them with npm audit fix --force and then, if there are problems, just trying to do it manually. Afterwards you also get some information: removed 6 packages, changed 1 package, and audited 1207 packages in 2 minutes, and it found zero vulnerabilities. So our vulnerabilities are being resolved, right? That's great, thumbs up for our case.

One thing I still want to show you is the Snyk website. It's a very great website to check for vulnerabilities in packages and so on. So let's go and see and discover that. You see here that we have a vulnerability database, npm, lodash, and then you see "lodash vulnerabilities", "Lodash modular utilities". You see what the latest version is, you see it was first published nine years ago, and the latest version was published a month ago, so that's great. Then here you see the vulnerabilities, which is high: command injection, in 4.17.21. If you're going to take a look at this one, for example, you will see a little bit more explanation of what it is, what the problems are that are caused by that, and so on. You see the attack vector and so on, the complexity and interactions. So it's a great resource to check what the vulnerabilities are if you're going to use a certain package; then of course it's nice to go and get some extra info about it. The CVSS score is also something that's very nice and easy to see, so you can see that it's a high severity. If you go and take a look at the homepage, then you will see here that their product is "Develop fast. Stay secure. Find and fix security vulnerabilities in your open source libraries." So it's a great tool. If you have the opportunity to do a demo, great, I can recommend it to you. It's great to integrate it with your CI or CD environment and to have it in your release or deployment flow. So thank you very much for watching. I hope you can now eliminate certain vulnerability issues with third-party packages within your Node.js and npm project. Thank you very much, give it a thumbs up if you liked it, and if you haven't subscribed to my channel, please subscribe to my channel, I really appreciate that. Thank you very much and see you next time. Bye.
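As an added example that is not from the video, the channel, or npm itself, the script below turns the JSON report that `npm audit --json` produces under npm 7 (auditReportVersion 2) into a CI gate: it counts findings per severity, keeps only those at or above a threshold (the highs and criticals the video suggests solving first) and marks which of them `npm audit fix` can apply within the stated dependency range and which need `--force` because the fix crosses a major version. The report embedded in it is constructed: the lodash entry follows the finding shown in the video, while the `example-transitive` and `example-parent` packages and their advisory title are hypothetical.

```javascript
"use strict";

// Added example, not code from the video: a CI gate over the JSON that
// `npm audit --json` emits with npm 7 (auditReportVersion 2). In a pipeline,
// replace SAMPLE_REPORT with the parsed stdin of
//   npm audit --json --production | node audit-gate.js
// e.g. parseReport(require("fs").readFileSync(0, "utf8")).

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report (not real audit output). The lodash entry mirrors the
// finding the video fixes; the "example-*" packages are hypothetical and show a
// transitive finding whose only fix is a semver-major bump of its parent.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    lodash: {
      name: "lodash",
      severity: "high",
      isDirect: true,
      via: [{ name: "lodash", dependency: "lodash", title: "Command Injection in lodash", severity: "high", range: "<4.17.21" }],
      effects: [],
      range: "<4.17.21",
      nodes: ["node_modules/lodash"],
      fixAvailable: { name: "lodash", version: "4.17.21", isSemVerMajor: false },
    },
    "example-transitive": {
      name: "example-transitive",
      severity: "moderate",
      isDirect: false,
      via: [{ name: "example-transitive", dependency: "example-transitive", title: "Hypothetical prototype pollution", severity: "moderate", range: "<2.0.0" }],
      effects: ["example-parent"],
      range: "<2.0.0",
      nodes: ["node_modules/example-transitive"],
      fixAvailable: { name: "example-parent", version: "5.0.0", isSemVerMajor: true },
    },
    "example-parent": {
      name: "example-parent",
      severity: "moderate",
      isDirect: true,
      via: ["example-transitive"], // a string means "vulnerable only through this dependency"
      effects: [],
      range: "<5.0.0",
      nodes: ["node_modules/example-parent"],
      fixAvailable: { name: "example-parent", version: "5.0.0", isSemVerMajor: true },
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 2, high: 1, critical: 0, total: 3 } },
};

// Reject reports in a shape this script does not understand (npm 6 used a different layout).
function parseReport(json) {
  const report = JSON.parse(json);
  if (report.auditReportVersion !== 2 || typeof report.vulnerabilities !== "object" || report.vulnerabilities === null) {
    throw new Error("expected an npm 7 audit report (auditReportVersion 2)");
  }
  return report;
}

// Counts per severity, computed from the entries rather than trusted from metadata.
function summarize(report) {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  for (const v of Object.values(report.vulnerabilities)) {
    if (v.severity in counts) counts[v.severity] += 1;
  }
  return counts;
}

// How a finding can be remediated, derived from `fixAvailable`:
//   false/missing -> no published fix; true -> `npm audit fix` within the stated range;
//   object with isSemVerMajor -> only `npm audit fix --force` (or a manual bump) applies it.
function classifyFix(fixAvailable) {
  if (fixAvailable === undefined || fixAvailable === null || fixAvailable === false) return "none";
  if (fixAvailable === true) return "audit-fix";
  return fixAvailable.isSemVerMajor ? "audit-fix-force" : "audit-fix";
}

// Findings at or above a severity, most severe first, with the root-cause advisories
// pulled out of `via` (objects are advisories, strings are vulnerable dependencies).
function findingsAtOrAbove(report, minSeverity) {
  const min = SEVERITY_RANK[minSeverity];
  if (min === undefined) throw new Error(`unknown severity: ${minSeverity}`);
  return Object.values(report.vulnerabilities)
    .filter((v) => SEVERITY_RANK[v.severity] >= min)
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity])
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      advisories: v.via.filter((x) => typeof x === "object").map((x) => x.title),
      viaDependencies: v.via.filter((x) => typeof x === "string"),
      fix: classifyFix(v.fixAvailable),
    }));
}

// The gate itself: pass only when nothing at or above the threshold remains.
function gate(report, minSeverity = "high") {
  const blocking = findingsAtOrAbove(report, minSeverity);
  return { pass: blocking.length === 0, blocking, counts: summarize(report) };
}

// Stand-alone run over the constructed sample. In CI, follow this with
// `process.exitCode = sampleResult.pass ? 0 : 1` so a failed gate fails the build.
const sampleResult = gate(parseReport(JSON.stringify(SAMPLE_REPORT)), "high");
console.log(JSON.stringify(sampleResult, null, 2));
```

The threshold is deliberately a parameter: the video's advice is to fix highs and criticals first, so a gate at "high" fails the build on those while still reporting the lower ones in `counts`. Findings classified as `audit-fix-force` are the ones that land outside the stated dependency range, which is exactly the case to try in a separate branch before merging, as the video recommends.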
Info
Channel: TypeWithMe
Views: 73,538
Keywords: nodejs, npm, 3th party packages, vulnerabilities, security, safe
Id: LI1584uAWoQ
Length: 13min 12sec (792 seconds)
Published: Sun Mar 21 2021