Managing Node.js dependencies and their security has never been a fun task. My heart stops for a few moments whenever I open node_modules folder and see how much stuff my minimalistic one-page app is pulling from the depth of web.
In attempt to fix it, this year, NPM acquired a great project – NSP, Node Security Platform that consisted of a vulnerability data feed and CLI. NSP security advisory feed was merged into NPM tool, but CLI was discontinued. Instead, we’ve got a new command – npm audit. However, the original NSP was able to produce much nicer output comparing to npm-audit which seems to be hated even by NPM developers. There were a few open issues on Github about prettifying its output but they all are now abandoned.
My main problem with npm-audit is that it’s actually a bit dumb – it can’t exclude devDependencies, fail on a severity threshold, and resulting JSON is just a mess. My main need is to simply integrate security check into build system and automatically parse the results. With current state of npm-audit it was not possible.
So it was time to act – I created “npm-audit-ps-wrapper” tool – a very simple Powershell wrapper around npm-audit which fixes all the problems I just described. And most important, it is ready for automation and use with CI/CD.
https://github.com/doshyt/npm-audit-ps-wrapper
Example of npm-audit output:
npm audit -j
{
"actions": [
{
"action": "install",
"module": "aurelia-cli",
"target": "0.35.1",
"isMajor": false,
"resolves": [
{
"id": 338,
"path": "aurelia-cli>npm>fs-vacuum>rimraf>glob>minimatch>brace-expansion",
"dev": false,
"optional": false,
"bundled": true
},
{
"id": 338,
"path": "aurelia-cli>npm>fstream>rimraf>glob>minimatch>brace-expansion",
"dev": false,
"optional": false,
"bundled": true
Example of npm-audit-ps-wrapper output:
{
"VulnerabilitySource": "sshpk",
"VulnerabilityTitle": "Regular Expression Denial of Service",
"VulnerableVersions": "<1.13.2 || >=1.14.0 <1.14.1",
"PatchedVersions": ">=1.13.2 < 1.14.0 || >=1.14.1",
"VulnerabilityChains": [
"aurelia-cli>npm>node-gyp>request>http-signature>sshpk",
"aurelia-cli>npm>npm-registry-client>request>http-signature>sshpk",
"aurelia-cli>npm>request>http-signature>sshpk"
],
"VulnerabilitySeverity": "high",
"AdvisoryUrl": "https://npmjs.com/advisories/606"
},
{
...
}
}
Benefits of the wrapper tool:
- Switch to ignore devDependencies.
- Resulting JSON contains a list of vulnerabilities with minimal viable information about them.
- Switch to fail on a set severity threshold level.
- Write output to a JSON file.
- Switch for silent execution.
Hope it helps to streamline security of your JS libs and make it a bit better!
Cloud Application Security 