Built-in utilities

Previous section - Accueil

Security audit examples

Security is a big thing, and quite a complicated topic.
It's very hard to keep track of node packages, because there is no tool that tells you "This is a real security risk for you and your users".
What most tools tell you, is that a package as a security issue, and it's up to you to define how critical it is.
Even specialised tools like Github alerts for vulnerable dependencies or Snyk mostly generate tons of false-positive warnings that are mostly a big waste of time.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 yarn security:audit // Tons of noise... ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ low │ Prototype Pollution │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ yargs-parser │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ concurrently │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ concurrently > yargs > yargs-parser │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://www.npmjs.com/advisories/1500 │ └───────────────┴──────────────────────────────────────────────────────────────┘ 283 vulnerabilities found - Packages audited: 1874 Severity: 283 Low error Command failed with exit code 2.

At the time of writing, NRN comes with about 300 vulnerabilities of Low level.
That may sound like a lot, but you need to consider that most of those are due to small vulnerabilities that are only exploitable in a development environment.
The above warning, for example, is based on the concurrently package, which is only used during development, when running the app in debug mode.