lnug / speakers

Open an issue to submit a talk
https://github.com/lnug/speakers

Stranger Danger: addressing the security risk in npm dependencies #61

Closed guypod closed 8 years ago

guypod commented 8 years ago

Open source modules, and especially npm, are undoubtedly awesome. However, they also represent an undeniable and massive risk. You’re introducing someone else’s code into your system, often with little or no scrutiny. Each component may have vulnerabilities (~14% of them do!), may be compromised, or even be outright malicious. Multiply that risk by hundreds of dependencies, and you have a recipe for disaster.

In this talk we'll show how you can mitigate this risk without losing productivity. We'll share more data about the risk; show how to find & fix known vulnerabilities in these dependencies; discuss how to prioritize the ones worthy of manual inspection & suggest what to monitor in production.
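The abstract above describes three steps: enumerate what is installed, match it against known vulnerabilities, and prioritize the findings for manual inspection. The following is an added example, not code from the thread or from the speaker's talk, showing a minimal version of that audit over an `npm ls --json`-shaped dependency tree. The package names, versions and advisories are constructed for the illustration (real advisories would come from a vulnerability database), and the version-range matcher only covers the plain comparator subset that advisory ranges usually use.

```javascript
// Added example: a minimal known-vulnerability audit over an npm dependency tree.
// Assumptions (not from the original page): the tree mimics the shape of
// `npm ls --json` (name, version, dependencies), and the advisory list below is
// constructed with hypothetical package names.

// Parse "MAJOR.MINOR.PATCH" (pre-release / build suffixes are ignored here).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Range subset used by advisories: comparators joined by space (AND) and "||" (OR),
// e.g. "<1.0.0", ">=3.0.0 <3.0.5", "<1.0.0 || >=1.1.0 <1.1.2".
function satisfies(version, range) {
  return range.split('||').some((clause) =>
    clause.trim().split(/\s+/).every((cmp) => {
      const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      const c = compareVersions(version, m[2]);
      switch (m[1] || '=') {
        case '<': return c < 0;
        case '<=': return c <= 0;
        case '>': return c > 0;
        case '>=': return c >= 0;
        default: return c === 0;
      }
    }));
}

// Walk the tree and record every installed package with the chain that pulled it in.
// The same package can appear more than once at different versions (npm nests them).
function walk(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const chain = [...path, `${name}@${node.version}`];
    out.push({ name, version: node.version, chain });
    walk(node, chain, out);
  }
  return out;
}

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1 };

// Match installed packages against advisories and rank the findings for manual review:
// highest severity first, then direct dependencies before transitive ones, because a
// direct dependency is the one you can bump yourself.
function audit(tree, advisories) {
  const findings = [];
  for (const pkg of walk(tree)) {
    for (const adv of advisories) {
      if (adv.name === pkg.name && satisfies(pkg.version, adv.vulnerable)) {
        findings.push({
          name: pkg.name,
          version: pkg.version,
          severity: adv.severity,
          patched: adv.patched,
          direct: pkg.chain.length === 1,
          path: pkg.chain.join(' > '),
        });
      }
    }
  }
  findings.sort((a, b) =>
    (SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]) ||
    (b.direct - a.direct) ||
    a.path.localeCompare(b.path));
  return findings;
}

// Constructed sample input (hypothetical packages): one direct critical, one nested
// vulnerable copy of query-parser beside a clean direct copy, one nested moderate.
const SAMPLE_TREE = {
  name: 'demo-app', version: '1.0.0',
  dependencies: {
    'web-framework': { version: '2.3.1', dependencies: {
      'query-parser': { version: '0.9.4' },
      'cookie-jar': { version: '1.1.0' },
    } },
    'query-parser': { version: '1.2.0' },
    'tpl-engine': { version: '3.0.2' },
  },
};

const SAMPLE_ADVISORIES = [
  { name: 'query-parser', vulnerable: '<1.0.0', patched: '1.0.0', severity: 'high' },
  { name: 'tpl-engine', vulnerable: '>=3.0.0 <3.0.5', patched: '3.0.5', severity: 'critical' },
  { name: 'cookie-jar', vulnerable: '<1.0.0 || >=1.1.0 <1.1.2', patched: '1.1.2', severity: 'moderate' },
];

for (const f of audit(SAMPLE_TREE, SAMPLE_ADVISORIES)) {
  const via = f.direct ? 'direct' : `via ${f.path.split(' > ')[0]}`;
  console.log(`${f.severity.padEnd(8)} ${f.path}  (${via}; fixed in ${f.patched})`);
}
```

The `path` field is what makes the prioritization useful in practice: a vulnerable transitive dependency cannot be upgraded directly, so the fix is to bump the direct dependency at the head of the chain (or to override the nested version) and then re-run the audit to confirm the vulnerable copy is gone. Running the same audit on a schedule against the deployed lockfile is the "monitor in production" part, since new advisories are published against versions you already ship.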

guypod commented 8 years ago

I'll be giving a similar talk at Fluent in March, given the shorter timeframe here I'll focus on the problem and practical tips for addressing it.

clarkie commented 8 years ago

+1. You should give out some lollies at the beginning too! ;)

adrianblynch commented 8 years ago

And host it in the back of a van!

iancrowther commented 8 years ago

@guypod Jan & Feb slots are booked. I am assuming you want to run this talk before Fluent?

Do you want me to ask one of the Feb speakers to switch?

guypod commented 8 years ago

Understood, note the website makes it look like there's still a slot in January.

I would rather present before Fluent if possible, if you can arrange for it that'll be great.

iancrowther commented 8 years ago

cc @simonmcmanus - yeah I know.. we're working on that!

guypod commented 8 years ago

Checking in - is this set for March, or can we move it to Feb?

Happy New Year, btw :)

iancrowther commented 8 years ago

@guypod moved to Feb - locked 'n' loaded

guypod commented 8 years ago

Awesome. See you then!

iancrowther commented 8 years ago

what size t-shirt would you like?

guypod commented 8 years ago

Medium please :)