Detecting Package Known Vulnerabilities in Node.js

In the previous article, JavaScript Prototype Pollution Attack, I talked about this kind of attack and the many npm packages that have been affected by it.

Yes, if we already know about a vulnerability, we can simply try to fix it by upgrading the package, provided it is fixed in a newer version. But as application developers rather than security specialists, we can't know about every vulnerability. So how can we avoid these potential risks?

For this purpose, npm has a command we can make use of: npm audit. The process is as follows. Known vulnerabilities are collected in an advisory database (the advisories npm reports link to the GitHub Advisory Database). npm audit submits the names and versions of the packages in our dependency tree, as recorded in package-lock.json, to the npm registry and reports every package that matches a known advisory. npm also provides a companion command, npm audit fix, that upgrades the affected packages to a newer version if that version fixes the problem and is allowed by the semver range declared in package.json.

Now let's walk through this process. First, let's start a new project and install an old version of lodash.

npm init -y
npm install lodash@4.17.4

Now let's use the npm audit command to check whether there are any vulnerabilities.

% npm audit
# npm audit report

lodash  <=4.17.20
Severity: critical
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
Prototype Pollution in lodash - https://github.com/advisories/GHSA-4xc9-xhrj-v574
Prototype Pollution in lodash - https://github.com/advisories/GHSA-fvqr-27wr-82fm
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
fix available via `npm audit fix`
node_modules/lodash

1 critical severity vulnerability

To address all issues, run:
  npm audit fix

As you can see, npm audit reports 1 critical severity vulnerability. Note that it counts vulnerable packages, not advisories: seven advisories apply to this one lodash version, and the package is listed once at the highest of their severities. It also tells us a fix is available. Now let's fix it.

% npm audit fix

changed 1 package, and audited 2 packages in 510ms

found 0 vulnerabilities

OK, now lodash has been upgraded automatically and the vulnerability is gone. npm audit fix only picks versions allowed by the range in package.json (here ^4.17.4, which npm install wrote by default), so it could move to 4.17.21, the first release outside the vulnerable range <=4.17.20, without touching our declared dependency.

Let's audit again.

% npm audit
found 0 vulnerabilities

Found 0 vulnerabilities. Very good.

One thing we need to know: if a vulnerability is only fixed in the next major version, npm audit fix cannot upgrade to it directly, because under semantic versioning a major version change indicates breaking changes and it lies outside the range in package.json. npm marks such cases in the report (in the JSON output the package's fixAvailable field carries isSemVerMajor: true). In this case we need to check the package manually to see whether the major version change affects our code. If it is fine, we can run npm audit fix --force, which installs the new major version anyway and updates package.json accordingly. If not, we have to fix the problem ourselves, for example by replacing the package or pinning a patched version of the transitive dependency that actually carries the flaw.
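As an added example (not part of the original article), here is a small Node.js script that triages the JSON form of this report, npm audit --json, and decides which packages npm audit fix can handle on its own, which would need --force because the fix is a major version bump, and which are only vulnerable through a dependency. It runs on a constructed sample report embedded in the script: the lodash entry mirrors the seven advisories listed above, while hypothetical-lib and hypothetical-helper are invented packages with an invented advisory, used only to illustrate the major-bump and inherited cases. The field names (vulnerabilities, via, range, isDirect, fixAvailable, isSemVerMajor) follow the npm 7+ report format; other fields npm emits are left out.

```javascript
// Severity ladder npm uses, lowest first; array index doubles as the ranking.
const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

// Constructed sample in the shape of `npm audit --json` (npm 7+), trimmed to
// the fields used below. The lodash entry mirrors the article's report; the
// two "hypothetical-*" packages and their advisory are invented for
// illustration and do not exist on the registry.
const SAMPLE_REPORT = {
  vulnerabilities: {
    lodash: {
      name: 'lodash', severity: 'critical', isDirect: true, range: '<=4.17.20',
      via: [
        { title: 'Prototype Pollution in lodash', url: 'https://github.com/advisories/GHSA-jf85-cpcp-j695' },
        { title: 'Regular Expression Denial of Service (ReDoS) in lodash', url: 'https://github.com/advisories/GHSA-x5rq-j2xg-h7qm' },
        { title: 'Prototype Pollution in lodash', url: 'https://github.com/advisories/GHSA-p6mc-m468-83gw' },
        { title: 'Prototype Pollution in lodash', url: 'https://github.com/advisories/GHSA-4xc9-xhrj-v574' },
        { title: 'Prototype Pollution in lodash', url: 'https://github.com/advisories/GHSA-fvqr-27wr-82fm' },
        { title: 'Command Injection in lodash', url: 'https://github.com/advisories/GHSA-35jh-r3h4-6jhm' },
        { title: 'Regular Expression Denial of Service (ReDoS) in lodash', url: 'https://github.com/advisories/GHSA-29mw-wpgm-hmr9' },
      ],
      fixAvailable: true, // a patched version fits the declared ^4.17.4 range
    },
    'hypothetical-lib': {
      name: 'hypothetical-lib', severity: 'high', isDirect: true, range: '<2.0.0',
      via: [{ title: 'Constructed advisory (illustration only)', url: 'https://example.invalid/advisory/1' }],
      // Only a new major version fixes it, so `npm audit fix` alone will not apply this.
      fixAvailable: { name: 'hypothetical-lib', version: '2.0.0', isSemVerMajor: true },
    },
    'hypothetical-helper': {
      name: 'hypothetical-helper', severity: 'high', isDirect: true, range: '*',
      via: ['hypothetical-lib'], // vulnerable only through its dependency
      fixAvailable: { name: 'hypothetical-lib', version: '2.0.0', isSemVerMajor: true },
    },
  },
};

// Map npm's fixAvailable field to an action: true -> `npm audit fix` can do
// it; {isSemVerMajor: true} -> only `--force` will, and callers may break;
// false -> nothing published yet.
function fixKind(entry) {
  const fix = entry.fixAvailable;
  if (fix === true) return { kind: 'auto', version: null };
  if (fix && typeof fix === 'object') {
    return { kind: fix.isSemVerMajor ? 'major' : 'auto', version: fix.version };
  }
  return { kind: 'none', version: null };
}

// Summarise every vulnerable package in a report, highest severity first.
function triage(report) {
  const packages = Object.values(report.vulnerabilities || {}).map((entry) => {
    // `via` mixes advisory objects (this package is the root cause) with
    // bare package names (the problem is inherited from a dependency).
    const via = entry.via || [];
    const fix = fixKind(entry);
    return {
      name: entry.name,
      severity: entry.severity,
      direct: Boolean(entry.isDirect),
      range: entry.range,
      advisories: via.filter((v) => typeof v === 'object').map((v) => v.url),
      inheritedFrom: via.filter((v) => typeof v === 'string'),
      fix: fix.kind,
      fixVersion: fix.version,
    };
  });
  packages.sort((a, b) => SEVERITY_ORDER.indexOf(b.severity) - SEVERITY_ORDER.indexOf(a.severity));
  return {
    packages,
    needsForce: packages.filter((p) => p.fix === 'major').map((p) => p.name),
    highestSeverity: packages.length ? packages[0].severity : null,
  };
}

// Same decision as `npm audit --audit-level=<level>`: true when any package
// is at or above `level`, which is when that command exits non-zero.
function exceedsLevel(report, level) {
  const threshold = SEVERITY_ORDER.indexOf(level);
  if (threshold < 0) throw new Error(`unknown audit level: ${level}`);
  return Object.values(report.vulnerabilities || {})
    .some((e) => SEVERITY_ORDER.indexOf(e.severity) >= threshold);
}

// One line per package with the command that actually resolves it.
function formatTriage(t) {
  return t.packages.map((p) => {
    const how = p.fix === 'auto' ? 'npm audit fix'
      : p.fix === 'major' ? `npm audit fix --force (major bump to ${p.fixVersion}; review breaking changes first)`
        : 'no published fix; patch, override or replace manually';
    const cause = p.inheritedFrom.length ? ` via ${p.inheritedFrom.join(', ')}` : '';
    return `${p.name} ${p.range} [${p.severity}] ${p.advisories.length} advisories${cause} -> ${how}`;
  }).join('\n');
}

console.log(formatTriage(triage(SAMPLE_REPORT)));
console.log(`fails --audit-level=high gate: ${exceedsLevel(SAMPLE_REPORT, 'high')}`);
```

To run it against a real project, save the report with npm audit --json > audit.json and replace SAMPLE_REPORT with JSON.parse(require('fs').readFileSync('audit.json', 'utf8')). The severity gate in exceedsLevel is the same decision npm makes for npm audit --audit-level=high, which is usually enough on its own in CI; the script is mainly useful for separating the packages npm audit fix will resolve from the ones that need a reviewed major upgrade.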