Video: Update Your Vulnerable NPM Packages

by

In this "Bite-size Security Showcase", Erich Smith walks through a common developer security scenario, dealing with vulnerable third party dependencies. Specifically, Erich takes a look at NPM packages.

Staying updated with NPM dependencies requires automation. In this video example, Erich examines a situation where automated PRs are not available, but the build needs to be quickly remediated. He works through how to update the vulnerable packages on the command-line using YARN, starting with a local sanity check, and then moves through updating to the latest version of the packages containing security fixes. He runs a quick "git dif" against the package json to see the impact of the changes.

A deep transitive dependency is then explored, including the use of "npx-yarn-audit-fix", a conversion wrapper around the npm-audit-fix process. 

This all leads to a security best practice: clean as you go. Don't wait for your project to fail in CI/CD due to dependency vulnerabilities. Work with your team to process your Dependabot PRs in a timely fashion, and make liberal use of YARN audit throughout your day-to-day development cycle. Finally, update packages when it's convenient for you, not under stress. 

 

 

 

Other Resources:

Erich Smith
Erich Smith

Erich is the Principal Security Engineer at JupiterOne. An industry veteran of 20+ years, his background includes roles in software development, security, devops, systems administration, and compliance automation.

Keep Reading

Better Together: CMDB + CSPM = Cloud Native Cyber Asset Management
September 4, 2024
Blog
Better Together: CMDB + CSPM = Cloud Native Cyber Asset Management

There is a lot of confusion out there when it comes to cloud native IT and cloud security tools. Things have gotten rather complicated over the last few years as we

Top Takeaways From the Cyentia Institute’s Inaugural Study of EPSS Data and Performance - "A VISUAL EXPLORATION OF EXPLOITATION IN THE WILD"
July 30, 2024
Blog
Top Takeaways From the Cyentia Institute’s Inaugural Study of EPSS Data and Performance

A CISO's Top 6 Takeaways From the Cyentia Institute’s Inaugural Study of EPSS Data and Performance "A Visual Exploration of Exploitation in the Wild"

Open Source Compliance, Endpoint and Vulnerability Management with Fleet | JupiterOne
July 24, 2024
Blog
Open Source Compliance, Endpoint and Vulnerability Management with Fleet

Here’s how Fleet integrates with JupiterOne to gain comprehensive insights and enhance the security in our environment.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.