nearform / udaru

Open source Access Manager for node.js
https://nearform.github.io/udaru
MIT License

`npm audit` #537

Closed dberesford closed 5 years ago

dberesford commented 6 years ago

Let's take a look at https://blog.npmjs.org/post/173719309445/npm-audit-identify-and-fix-insecure and hopefully incorporate into udaru CI.

We do need to add a lockfile to udaru-hapi-server first (which we should do anyway). Running this locally there appears to be a lot of warnings about npx and a few other modules, let's dig into these and see if we can get to a clean scan.

ovhemert commented 5 years ago

Lockfiles were intentionally disabled as you can see here: https://github.com/nearform/udaru/pull/499#discussion_r176905785

Although they are never added to a commit, we can generate them using `npm i --package-lock-only` and then run `npm audit`.

As of today, for all 4 packages, this results in: 43 vulnerabilities (6 low, 22 moderate, 15 high). Almost all of them are introduced through npx.

The npx package is mainly used to just run internal scripts from package.json. But since it runs packages that are already in the dependencies, it would be better to run them directly.

Example: In udaru-core => package.json => scripts there is: `"depcheck": "npx depcheck"`. But we could just run `depcheck`, because that package is already in devDependencies.

I suggest:

cc: @dberesford @mcollina
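As an added example (not udaru's own code) of the replacement suggested above: a small script that reads a package.json, lists the scripts that go through `npx` even though the package is already declared, and rewrites those to call the binary directly, leaving scripts for undeclared packages alone. The package.json below is constructed for illustration.

```javascript
// Added example, not part of udaru: find package.json scripts that run a
// package through `npx` although it is already a dependency, and rewrite
// them to call the binary directly so npx's own dependency tree (and the
// audit findings it drags in) is not needed at all.

// Matches "npx <pkg> [args]" at the start of a script, including scoped names.
const NPX_RE = /^npx\s+(@?[\w.-]+(?:\/[\w.-]+)?)(\s.*)?$/;

function declaredDependencies(pkg) {
  return new Set([
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.devDependencies || {}),
  ]);
}

// One entry per script that starts with `npx`, noting whether the package it
// runs is already declared (and so can be run directly).
function findNpxScripts(pkg) {
  const deps = declaredDependencies(pkg);
  const found = [];
  for (const [name, cmd] of Object.entries(pkg.scripts || {})) {
    const m = NPX_RE.exec(cmd.trim());
    if (!m) continue;
    found.push({ script: name, package: m[1], declared: deps.has(m[1]) });
  }
  return found;
}

// Copy of the package.json with every redundant `npx` prefix removed; scripts
// that invoke a package not declared anywhere are left untouched.
function rewriteScripts(pkg) {
  const deps = declaredDependencies(pkg);
  const scripts = {};
  for (const [name, cmd] of Object.entries(pkg.scripts || {})) {
    const m = NPX_RE.exec(cmd.trim());
    scripts[name] = m && deps.has(m[1]) ? `${m[1]}${m[2] || ''}` : cmd;
  }
  return { ...pkg, scripts };
}

// Constructed sample modelled on the udaru-core "depcheck" case in the issue.
const samplePkg = {
  name: 'sample-core',
  scripts: {
    depcheck: 'npx depcheck',
    lint: 'npx standard --fix',
    coverage: 'npx nyc --reporter=lcov npm test', // nyc is not declared
    test: 'lab -t 90 test',
  },
  devDependencies: { depcheck: '*', standard: '*', lab: '*' },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findNpxScripts(samplePkg));
  console.log(rewriteScripts(samplePkg).scripts);
}
```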

mcollina commented 5 years ago

+1 to all the above.

ovhemert commented 5 years ago

As of today no vulnerabilities reported anymore.

Can check for all packages now with a single command: `npm run test:audit`