Security is a critical piece of any production software, and although it can be tempting to ignore it, doing so will only delay the inevitable. With the npm audit command, addressing security issues is now easier than ever.
Joe has been a web developer for the last 13 of his 16+ years as a professional developer. He has specialized in front end and middle tier development. Although his greatest love is writing code, he also enjoys teaching and speaking about code.
NPM Audit Basics Hello. I'm Joe Eames, and welcome to the module on NPM Audit Basics. In this module, we're going to be looking at three basic things: the basic commands when running an npm audit, then we're going to actually run an npm audit, and finally, we'll look at the reports that we get when running an audit, and how we customize those reports. The basic commands when doing an audit are the npm audit command and the npm audit fix command. The first command, npm audit, runs the audit without attempting to solve any of the problems. It basically gives you a report of all the security vulnerabilities that exist in the npm modules that you have in your project. The second command, audit fix, will attempt to fix as many of the issues as possible by updating to more recent, fixed versions of the modules that you have. In this section we'll be focusing on the first command, the audit command, so let's go ahead and check out how to run an audit ourselves.
Performing an Audit Hello, and welcome to the module, Addressing Audit Issues. This is the place where we'll finally do something about the information that we've gleaned by running our audit. We're going to actually make changes to our project and get rid of some of the security vulnerabilities. Now remember, in general, we are not going to go in and figure out what a security issue is and fix it by hand ourselves; we're going to address security issues by moving to versions of third-party code that don't have the security issues anymore, and that's what we'll be doing in this section using the fix command. Let's take a look at what we're going to be doing in this section of the course. We'll start off by just running fix and looking at what that does. Then, we'll look at the optional flags that fix has. Then we'll look at how to use the force flag, which allows us to move to versions of our third-party packages that are outside of semver compatibility. If you don't know what semver compatibility is, no problem, we will look at that when we get to this section of the module. After that we'll look at more complex audits. We'll move away from our Hello World example into a more real-world application and see what kind of audit issues you might encounter and how to deal with a far more complex audit, and we'll discover when doing that, the audit command may appear simple and easy on the surface, like it's some magical wand that you can wave over your project, but the reality is that it's just a tool and that complex applications can still be very difficult to deal with. Finally, we'll look at the next step of dealing with issues, which is manual updates outside of what the npm audit command does for us.
Advanced Solutions Hello. I'm Joe Eames, and welcome to the module on Advanced Solutions when dealing with npm security vulnerabilities. We've seen in the previous sections how to figure out what vulnerabilities our project may have and how to use audit in various ways, and ultimately how to use audit fix to adjust those issues, but now we're going to look at one very important question that you will definitely run into in any relatively complex project, and that is: what if there is no published fix? This is the situation we find ourselves in with our project. If we go out to our code and we open up that audit.txt file, we can find in here that we have this ngf-server2 that has a vulnerability, and we are using version 1.0.2 or better of ngf-server2. If we run out to the command line and look for the latest version with npm info ngf-server2, we can see that the latest is version 1.0.2. So we're using the latest version, yet it's got some security vulnerabilities, and these are high security vulnerabilities. Ngf-server2 is using express, express is using fresh, and fresh has a high security vulnerability, and there are several others. So what do we do if there is no published fix? And that's what we're going to look at in this section. We're going to look at two ways to deal with this. The first method is that we can help the maintainers somehow, help them get the information so that they can make the fix that needs to be done, or even help them with the fix. The second way, if that first method doesn't work or isn't feasible, is to use a forked version, and we'll look at both of those techniques in this section of the course.
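The three situations the course walks through (fixable with plain `npm audit fix`, fixable only with `--force` because the fix is a semver-major bump, and no published fix at all) can be separated automatically from the machine-readable report that `npm audit --json` produces. The script below is an added example, not part of the course or of npm itself; it assumes the npm 7+ JSON report layout (`vulnerabilities`, `via`, `isDirect`, `fixAvailable`), and the embedded report is a constructed sample that mirrors the ngf-server2 / express / fresh chain described above plus two made-up entries to exercise the other branches.

```javascript
// Added example: triage an `npm audit --json` report into the three cases the
// course discusses. Assumes the npm 7+ report format; the sample is constructed.

// Constructed sample report (illustrative values, not real advisory data).
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    // Root cause: the advisory object sits directly in `via`.
    fresh: { name: 'fresh', severity: 'high', isDirect: false,
      via: [{ title: 'Constructed: ReDoS in fresh' }], effects: ['express'],
      range: '<0.5.2', fixAvailable: false },
    // Transitive: only vulnerable because it pulls in `fresh`.
    express: { name: 'express', severity: 'high', isDirect: false,
      via: ['fresh'], effects: ['ngf-server2'], range: '<=4.15.5', fixAvailable: false },
    // Direct dependency whose latest release still depends on vulnerable express.
    'ngf-server2': { name: 'ngf-server2', severity: 'high', isDirect: true,
      via: ['express'], effects: [], range: '*', fixAvailable: false },
    // Fixable inside the current semver range -> plain `npm audit fix`.
    lodash: { name: 'lodash', severity: 'moderate', isDirect: true,
      via: [{ title: 'Constructed: prototype pollution' }], effects: [], range: '<4.17.21',
      fixAvailable: { name: 'lodash', version: '4.17.21', isSemVerMajor: false } },
    // Constructed name; fixable only by a major-version bump -> `--force` territory.
    'legacy-parser': { name: 'legacy-parser', severity: 'low', isDirect: true,
      via: [{ title: 'Constructed: path traversal' }], effects: [], range: '<5.0.0',
      fixAvailable: { name: 'legacy-parser', version: '5.0.0', isSemVerMajor: true } },
  },
};

// Returns counts per severity plus the three action buckets. `rootCause` marks the
// package that actually carries the advisory, as opposed to packages that merely
// depend on it; that is the one to fork or report upstream when no fix exists.
function triageAudit(report) {
  const out = { bySeverity: {}, semverFix: [], forceFix: [], noFix: [] };
  for (const v of Object.values(report.vulnerabilities)) {
    out.bySeverity[v.severity] = (out.bySeverity[v.severity] || 0) + 1;
    const rootCause = v.via.some((x) => typeof x === 'object');
    const entry = { name: v.name, severity: v.severity, direct: v.isDirect, rootCause };
    if (v.fixAvailable === false) out.noFix.push(entry);
    else if (v.fixAvailable === true || !v.fixAvailable.isSemVerMajor) out.semverFix.push(entry);
    else out.forceFix.push(entry);
  }
  return out;
}

// Stand-alone usage; with a real project pipe `npm audit --json` into JSON.parse instead.
console.log(JSON.stringify(triageAudit(sampleReport), null, 2));
```

In the sample, all three packages in the ngf-server2 chain land in `noFix`, and only `fresh` is flagged as the root cause, which is the package the course's two advanced options (helping the maintainer, or using a fork) apply to.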