Removing The Security Chore of Identified Vulnerabilities
This last week we snuck a new feature into nsp Live: the quick fix security button. It is intended to remove the chore of working out which dependencies you need to update, and to which versions, to fix a particular vulnerability.
If you have a pull request with a vulnerability, you will now see some additional data inside the "how to fix" section. It tells you which top-level dependency in your package.json to update, and to which version. You can apply that update yourself if you prefer, or you can just mash the “Automatically fix this pull request” button and it will add a commit to the PR for you. Hopefully you have CI configured with tests that run when this happens; your build will turn green and you can merge away.
Should you have a number of vulnerabilities, you can easily select them all and fix them at once. Don’t worry, we do the hard work of resolving versions for you; all you have to do is click a button.
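To make the resolution step concrete, here is an added example in plain Node.js (not nsp's code, and not how nsp Live implements it internally) of the two questions the "how to fix" data answers: which top-level dependency in package.json drags in the vulnerable release, and what is the lowest version of that top-level dependency whose whole transitive tree is clear of the advisory. The registry, package names, versions and the advisory are all constructed for this illustration; dependencies are pinned to exact versions rather than semver ranges to keep the resolver small.

```javascript
// Added example, not nsp Live's own code. All package names, versions and the
// advisory below are constructed for illustration.

// Constructed mini "registry": name -> published version -> exact pinned deps.
// Real package.json files use semver ranges; exact pins keep the resolver tiny.
const REGISTRY = {
  'web-framework': {
    '1.0.0': { 'cookie-util': '0.3.0' },
    '1.1.0': { 'cookie-util': '0.4.0' },
  },
  'cookie-util': {
    '0.3.0': { 'deep-merge': '1.4.0' },
    '0.4.0': { 'deep-merge': '2.0.1' },
  },
  'deep-merge': { '1.4.0': {}, '2.0.1': {} },
  'cli-tool': { '2.0.0': { 'deep-merge': '2.0.1' } },
  // Only one release exists and it still pulls the bad version: no fix available yet.
  'legacy-lib': { '0.1.0': { 'deep-merge': '1.4.0' } },
};

// Constructed top-level dependencies, as they would appear in package.json.
const TOP_LEVEL = { 'web-framework': '1.0.0', 'cli-tool': '2.0.0' };

// Constructed advisory: every deep-merge release below 2.0.1 is affected.
const ADVISORY = { module: 'deep-merge', patchedVersion: '2.0.1' };

// Numeric comparison of dotted versions ("1.10.0" sorts after "1.9.0");
// pre-release tags are out of scope for this example.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function isVulnerable(name, version, advisory) {
  return name === advisory.module &&
    compareVersions(version, advisory.patchedVersion) < 0;
}

// Depth-first walk returning every dependency path from the given package down
// to a vulnerable release, e.g. ["web-framework@1.0.0", "cookie-util@0.3.0", "deep-merge@1.4.0"].
function vulnerablePaths(registry, name, version, advisory, path = []) {
  const id = `${name}@${version}`;
  if (path.includes(id)) return []; // cycle guard
  const here = [...path, id];
  if (isVulnerable(name, version, advisory)) return [here];
  const deps = (registry[name] && registry[name][version]) || {};
  return Object.entries(deps)
    .flatMap(([n, v]) => vulnerablePaths(registry, n, v, advisory, here));
}

// Lowest published release of `name` at or above `from` whose transitive tree is
// free of the advisory; null when no such release exists yet.
function suggestFix(registry, name, from, advisory) {
  const versions = Object.keys(registry[name] || {}).sort(compareVersions);
  for (const v of versions) {
    if (compareVersions(v, from) < 0) continue;
    if (vulnerablePaths(registry, name, v, advisory).length === 0) return v;
  }
  return null;
}

// The "how to fix" data: for each affected top-level dependency, the paths that
// reach the vulnerable release and the version to move that dependency to.
function quickFix(registry, topLevel, advisory) {
  const fixes = [];
  for (const [name, from] of Object.entries(topLevel)) {
    const paths = vulnerablePaths(registry, name, from, advisory);
    if (paths.length === 0) continue;
    fixes.push({ name, from, to: suggestFix(registry, name, from, advisory), paths });
  }
  return fixes;
}

// Apply the fixes to a package.json-style object, as an automatic commit would;
// entries with no known safe version are left untouched for a human to handle.
function applyFixes(pkg, fixes) {
  const updated = { ...pkg, dependencies: { ...pkg.dependencies } };
  for (const f of fixes) {
    if (f.to) updated.dependencies[f.name] = f.to;
  }
  return updated;
}

console.log(JSON.stringify(quickFix(REGISTRY, TOP_LEVEL, ADVISORY), null, 2));
```

Run against the constructed data, `quickFix` reports that `web-framework` must move from 1.0.0 to 1.1.0 because 1.0.0 reaches `deep-merge@1.4.0` through `cookie-util@0.3.0`, while `cli-tool` already sits on the patched release and is left alone. The `legacy-lib` entry shows the case the button cannot solve: when no published release of the top-level package clears the advisory, `suggestFix` returns null and the only options are to wait for the maintainer or replace the dependency.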
We encourage you to sign up at nodesecurity.io, try the new feature, and let us know what you think. Continuous security with nsp Live is free for open source and only $1 per private repository.