Video: Update Your Vulnerable NPM Packages

By

In this "Bite-size Security Showcase", Erich Smith walks through a common developer security scenario, dealing with vulnerable third party dependencies. Specifically, Erich takes a look at NPM packages.

Staying updated with NPM dependencies requires automation. In this video example, Erich examines a situation where automated PRs are not available, but the build needs to be quickly remediated. He works through how to update the vulnerable packages on the command-line using YARN, starting with a local sanity check, and then moves through updating to the latest version of the packages containing security fixes. He runs a quick "git dif" against the package json to see the impact of the changes.

A deep transitive dependency is then explored, including the use of "npx-yarn-audit-fix", a conversion wrapper around the npm-audit-fix process. 

This all leads to a security best practice: clean as you go. Don't wait for your project to fail in CI/CD due to dependency vulnerabilities. Work with your team to process your Dependabot PRs in a timely fashion, and make liberal use of YARN audit throughout your day-to-day development cycle. Finally, update packages when it's convenient for you, not under stress. 

 

 

 

Other Resources:

Erich Smith
Erich Smith

Erich is the Principal Security Engineer at JupiterOne. An industry veteran of 20+ years, his background includes roles in software development, security, devops, systems administration, and compliance automation.

To hear more from Erich, get our newsletter. No spam, just the good stuff once or twice a month. Sign up below.

Keep Reading

What’s new in JupiterOne: Reducing time to value with the new Query Builder (Part 2)
February 6, 2023
Blog
What’s new in JupiterOne: Reducing time to value with the new Query Builder (Part 2)

The new JupiterOne Query Builder streamlines your querying experience by eliminating errors, simplifying query builds, and reducing time to value.

The top 10 questions that every engineering leader should be able to answer
February 2, 2023
Blog
The top 10 questions that every engineering leader should be able to answer

We polled some of our engineering leaders to see what it takes to succeed. In part two, we see if their answers align with the CISOs we talked to.

Identify compromised versions of Github using JupiterOne
January 31, 2023
Blog
Identify compromised versions of GitHub apps using JupiterOne

As a preventative measure, Github will be deprecating the Mac and Windows signing certificates used to sign Desktop app versions 3.0.2-3.1.2 and Atom versions 1.63.0-

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.