Maintaining Your Library: An NPM Series (Part II)
As we saw in the last article, Creating Your Library: An NPM Series (Part I), creating your library is easy. Maintaining it is the hard part. During its lifetime your library will go through many improvements, but it also depends, unavoidably, on many other packages, and through them it can end up with vulnerabilities and failures.
Let’s talk about that!
NPM vulnerabilities
- Ever wondered why we see this warning message every time we run npm install? Since npm v6, npm automatically runs an audit (the same check npm audit performs against the registry's advisory data) as part of npm install.
- Running npm audit manually prints a detailed report of the vulnerabilities found, together with the steps for fixing each one.
- To resolve them, run npm audit fix, or follow the manual steps that npm audit lists for anything it cannot patch automatically.
- npm categorizes vulnerabilities into three severities: high, moderate, and low.
Prevention from vulnerabilities
- Ignoring these npm vulnerabilities can lead to data theft: attackers can use them to steal sensitive information.
- Famous incidents include the time 11 lines of JavaScript code from an attacker broke Node, Babel, and thousands of projects because of the left-pad package, and the moment JavaScript libraries like colors.js and faker.js blew up the programs that depended on them.
- Be aware of typosquatting, also called URL hijacking (e.g., “Gooogle.com” instead of “Google.com”); the same trick works with package names.
- Keep packages current with npm update, and migrate away from packages that are abandoned or deprecated.
- Check the weekly downloads and the license (MIT, etc.) before installing any package. Avoid brand-new packages. Explore the code and the open issues in the package's repository.
- Report unexpected behaviour and inconsistencies as issues against the package's repository on GitHub.
List of common vulnerabilities
- glob-parent: Dependency of @angular-devkit/build-angular. Regular expression denial of service in glob-parent.
- node-forge: Dependency of @angular-devkit/build-angular. Improper Verification of Cryptographic Signature in node-forge.
- ansi-html: Dependency of @angular-devkit/build-angular. Uncontrolled Resource Consumption in ansi-html.
- tar: Dependency of popper. Arbitrary file creation/overwrite via insufficient symlink protection due to directory cache poisoning.
- jquery: Dependency of jquery. Potential XSS vulnerability in jQuery.
The full list of vulnerabilities is on the GitHub Advisory Database.
NPM commands: food for thought
- npm ls --all prints every installed package with its version, including all transitive dependencies.
- npm doctor verifies the version and configuration of the environment we use to manage packages and suggests fixes where needed.
- npm ping checks the configured npm registry and verifies authentication.
Many more NPM CLI Commands to cover!
Summary
In the previous article, Creating Your Library: An NPM Series (Part I), we explored everything about publishing a library. In this article we looked at npm vulnerabilities and how to prevent them, and covered some handy npm commands as well.
Special mention here to Mukund for helping me with this article.
Happy Coding!!