Detecting Package Known Vulnerabilities in Node.js
2 min read
Yes, if we already know this vulnerability, we can just try to fix it by upgrade package versions if it is fixed in the newer version. But as an application developer, not a security specialist, we can't know all the vulnerabilities. So how could we avoid these potential risks?
So for this purpose, a function called audit in npm we can make use of. The process is, npm keeps track of all the found vulnerabities information and stores them in a database. Then we can use npm to check if there are any vulnerabilities in the current packages we use. And npm also provides a command we can use to fix the risks by upgrade to newer version if the newer version fix the problem.
Now let's walk through this process. First let's start a new project, and install an old version of lodash.
npm init -y npm install email@example.com
Now let use npm audit command to check if there are any vulnerabilities.
% npm audit # npm audit report lodash <=4.17.20 Severity: critical Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695 Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw Prototype Pollution in lodash - https://github.com/advisories/GHSA-4xc9-xhrj-v574 Prototype Pollution in lodash - https://github.com/advisories/GHSA-fvqr-27wr-82fm Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9 fix available via `npm audit fix` node_modules/lodash 1 critical severity vulnerability To address all issues, run: npm audit fix
As you can see, the npm audit command find 1 critical severity vulnerability, and suggest we fix this problem. Now let fix it.
% npm audit fix changed 1 package, and audited 2 packages in 510ms found 0 vulnerabilities
OK, now lodash package is upgraded automatically and the vulnerability is gone.
Let audit again.
% npm audit found 0 vulnerabilities
Found 0 vulnerabilities, very good.
One thing we may need to know, if the vulnerabilities are fixed in the next major version, because major version change indicates breaking changes, so
npm audit fix cannot upgrade versions directly. In this case, we may need to check the package manuanlly, if this major version change has effect on our code. If that's ok, then we can use
npm audit fix --force to fix the vulnerabities. If not, then we may need to fix the problem by ourself.