Video: Update Your Vulnerable NPM Packages

by

In this "Bite-size Security Showcase", Erich Smith walks through a common developer security scenario, dealing with vulnerable third party dependencies. Specifically, Erich takes a look at NPM packages.

Staying updated with NPM dependencies requires automation. In this video example, Erich examines a situation where automated PRs are not available, but the build needs to be quickly remediated. He works through how to update the vulnerable packages on the command-line using YARN, starting with a local sanity check, and then moves through updating to the latest version of the packages containing security fixes. He runs a quick "git dif" against the package json to see the impact of the changes.

A deep transitive dependency is then explored, including the use of "npx-yarn-audit-fix", a conversion wrapper around the npm-audit-fix process. 

This all leads to a security best practice: clean as you go. Don't wait for your project to fail in CI/CD due to dependency vulnerabilities. Work with your team to process your Dependabot PRs in a timely fashion, and make liberal use of YARN audit throughout your day-to-day development cycle. Finally, update packages when it's convenient for you, not under stress. 

 

 

 

Other Resources:

Erich Smith
Erich Smith

Erich is the Principal Security Engineer at JupiterOne. An industry veteran of 20+ years, his background includes roles in software development, security, devops, systems administration, and compliance automation.

Keep Reading

Stop Stitching User Data Together. Get a Unified Identity Instead | JupiterOne
May 15, 2025
Blog
Stop Stitching User Data Together. Get a Unified Identity Instead.

Legacy IAM falls short. Identity first security uses continuous, contextual access controls to protect a decentralized world—far beyond the old perimeter.

Fast Track Vulnerability Prioritization with Orca Security and JupiterOne | JupiterOne
May 7, 2025
Blog
Fast Track Vulnerability Prioritization with Orca Security and JupiterOne

Unify cloud risk insights and asset context to prioritize and remediate vulnerabilities faster with the Orca Security and JupiterOne integration.

5 Cybersecurity risk assessments to secure digital assets | JupiterOne
March 20, 2025
Blog
5 Cybersecurity risk assessment frameworks to secure digital assets

Discover 5 essential cybersecurity risk assessment frameworks to protect your digital assets. Learn their benefits, key features, and how to choose the right one

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.