Eliminating Security Vulnerabilities with NPM Audit

Security is a critical piece of any production software, and although it can be tempting to ignore it, doing so will only delay the inevitable. With the npm audit command, addressing security issues is now easier than ever.
Course info
Level
Intermediate
Updated
Aug 30, 2018
Duration
1h 9m
Description

Security is critical to any production application, but it can be difficult to identify security vulnerabilities. In this course, Eliminating Security Vulnerabilities with NPM Audit, you will gain an in-depth understanding of how to use npm audit to resolve security vulnerabilities in your JavaScript applications. First, you will see how to run audits and discover what vulnerabilities you have. Next, you will run the audit fix command to fix those vulnerabilities. Finally, you will explore how to deal with vulnerabilities that don't have published fixes. When you are finished with this course, you will have the skills and knowledge of npm audit needed to keep your applications free of known security vulnerabilities.

About the author

Joe has been a web developer for the last 13 of his 16+ years as a professional developer. He has specialized in front end and middle tier development. Although his greatest love is writing code, he also enjoys teaching and speaking about code.

Section Introduction Transcripts

Course Overview
Hi there. I'm Joe Eames, and welcome to my course, Eliminating Security Vulnerabilities with NPM Audit. I'm a Google Developers Expert and front-end web developer, and I'm excited to present this course to you. In JavaScript development today, we use a lot of code built by other developers, and we use npm to download that code and organize it. This benefits us greatly and solves a whole bunch of problems with organizing and managing that third-party code. But it also means that we're using code that may or may not have security vulnerabilities. In this course, we're going to learn how to use npm audit to find and remove those security vulnerabilities. Some of the things we will cover are the npm audit command, which identifies what security issues our code has, the audit fix command, which will attempt to replace any vulnerable code with fixed versions, and we'll also learn what to do when no fix has been published. By the time we're through, you'll understand what npm audit is, what it can do, and how it does its job of improving security in your applications. npm audit is the simplest and easiest way to quickly improve security in your JavaScript projects. Before starting this course, you should be familiar with JavaScript and npm. I hope you'll join me on this journey to learn how to improve security in your JavaScript projects, with the Eliminating Security Vulnerabilities with NPM Audit course, at Pluralsight.

NPM Audit Basics
Hello. I'm Joe Eames, and welcome to the module on NPM Audit Basics. In this module, we're going to be looking at three basic things: the basic commands when running an npm audit, then we're going to actually run an npm audit, and finally, we'll look at the reports that we get when running an audit, and how we customize those reports. The basic commands when doing an audit are the npm audit command and the npm audit fix command. The first command, npm audit, runs the audit without attempting to solve any of the problems. It basically gives you a report of all the security vulnerabilities that exist in the npm modules that you have in your project. The second command, audit fix, will attempt to fix as many of the issues as possible by updating to more recent, fixed versions of the modules that you have. In this section we'll be focusing on the first command, the audit command, so let's go ahead and check out how to run an audit ourselves.

Performing an Audit
Hello, and welcome to the module, Addressing Audit Issues. This is the place where we'll finally do something about the information that we've gleaned by running our audit. We're going to actually make changes to our project and get rid of some of the security vulnerabilities. Now remember, in general, we are not going to go in and figure out what a security issue is and fix it by hand ourselves; we're going to address security issues by moving to versions of third-party code that don't have the security issues anymore, and that's what we'll be doing in this section using the fix command. Let's take a look at what we're going to be doing in this section of the course. We'll start off by just running fix and looking at what that does. Then, we'll look at the optional flags that fix has. Then we'll look at how to use the force flag, which allows us to move to versions of our third-party packages that are outside of semver compatibility. If you don't know what semver compatibility is, no problem, we will look at that when we get to this section of the module. After that we'll look at more complex audits. We'll move away from our Hello World example into a more real-world application and see what kind of audit issues you might encounter and how to deal with a far more complex audit, and we'll discover when doing that, the audit command may appear simple and easy on the surface, like it's some magical wand that you can wave over your project, but the reality is that it's just a tool and that complex applications can still be very difficult to deal with. Finally, we'll look at the next step of dealing with issues, which is manual updates outside of what the npm audit command does for us.

Advanced Solutions
Hello. I'm Joe Eames, and welcome to the module on Advanced Solutions when dealing with npm security vulnerabilities. We've seen in the previous sections how to figure out what vulnerabilities our project may have and how to use audit in various ways, and ultimately how to use audit fix to adjust those issues, but now we're going to look at one very important question that you will definitely run into in any project of relative complexity, and that is: what if there is no published fix? This is the situation we find ourselves in with our project. If we go out to our code and we open up that audit.txt file, we can find in here that we have this ngf-server2 that has a vulnerability, and we are using version 1.0.2 or better of ngf-server2. If we run out to the command line and look for the latest version with npm info ngf-server2, we can see that the latest is version 1.0.2. So we're using the latest version, yet it's got some security vulnerabilities, and these are high security vulnerabilities. Ngf-server2 is using express, express is using fresh, and fresh has a high security vulnerability, and there are several others. So what do we do if there is no published fix? And that's what we're going to look at in this section. We're going to look at two ways to deal with this. The first method is that we can help the maintainers somehow, help them get the information so that they can make the fix that needs to be done, or even help them with the fix. The second way, if that first method doesn't work or isn't feasible, is to use a forked version, and we'll look at both of those techniques in this section of the course.
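As an added example that is not part of the course or of npm's own tooling, the script below classifies the entries of an `npm audit --json` report into the three outcomes the transcripts describe (a plain `npm audit fix`, `--force` for a semver-major bump, and no published fix) and fails a build gate only on findings that audit fix cannot clear. It assumes the npm 7+ JSON report shape (`vulnerabilities[name].fixAvailable` is `true`, `false`, or an object with `isSemVerMajor`); the embedded report is constructed, with placeholder package names.

```javascript
// Added example (not from the course): classify the entries of an `npm audit --json`
// report into the three outcomes the course walks through: fixable by a plain
// `npm audit fix` (semver-compatible update), fixable only with `--force`
// (semver-major bump), or no published fix at all.
// Assumes the npm 7+ report shape, where `vulnerabilities[name].fixAvailable`
// is `true`, `false`, or an object carrying `isSemVerMajor`.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

function classifyFix(entry) {
  const fix = entry.fixAvailable;
  if (fix === false || fix === undefined) return "no-fix";
  if (fix === true) return "audit-fix";
  return fix.isSemVerMajor ? "audit-fix-force" : "audit-fix";
}

// Bucket every finding and decide whether a CI gate should fail: only findings
// that a plain `npm audit fix` cannot clear, at or above `failAt`, count.
function triageAudit(report, failAt = "high") {
  const threshold = SEVERITY_RANK[failAt];
  const buckets = { "audit-fix": [], "audit-fix-force": [], "no-fix": [] };
  let shouldFail = false;
  for (const [name, entry] of Object.entries(report.vulnerabilities || {})) {
    const bucket = classifyFix(entry);
    buckets[bucket].push({ name, severity: entry.severity, isDirect: entry.isDirect });
    if (bucket !== "audit-fix" && SEVERITY_RANK[entry.severity] >= threshold) {
      shouldFail = true;
    }
  }
  return { buckets, shouldFail };
}

// Constructed report (not real audit output) mirroring the course's situation:
// a direct dependency pulls in a transitive package with a high finding and no fix.
const SAMPLE_REPORT = {
  vulnerabilities: {
    "example-transitive": { severity: "high", isDirect: false, effects: ["example-server"], fixAvailable: false },
    "example-server": { severity: "high", isDirect: true, via: ["example-transitive"], fixAvailable: false },
    "example-lib": { severity: "moderate", isDirect: true, fixAvailable: true },
    "example-cli": { severity: "low", isDirect: true,
      fixAvailable: { name: "example-cli", version: "2.0.0", isSemVerMajor: true } },
  },
};

const result = triageAudit(SAMPLE_REPORT);
for (const [bucket, items] of Object.entries(result.buckets)) {
  const names = items.map((i) => `${i.name} (${i.severity})`).join(", ") || "none";
  console.log(`${bucket}: ${names}`);
}
console.log(result.shouldFail ? "gate: FAIL" : "gate: pass");
```

Feeding it real output (`npm audit --json > audit.json`, then `JSON.parse` that file in place of `SAMPLE_REPORT`) separates what audit fix will handle from what needs the force flag or the maintainer/fork route the course covers.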