JavaScript Developers and Security
WaffleJS, 2018-05-29
Laurie Voss, COO, npm Inc.
@seldo
Compared to last year:
is important because
are concerned about the security of OSS
with the tools available to evaluate security
Developers who think tools for evaluating security aren't good enough but aren't concerned.
about the security of the code they write themselves
87% to 77%
npm install npm -g
The current version of npm is 6.1.0
and npm audit
> npm install
added 742 packages from 472 contributors and audited 4637 packages in 25.362s
found 274 vulnerabilities (248 low, 16 moderate, 10 high)
So we can tell you if it's a good idea
Tom says: "Call me!"
npm audit
Because scans are kind of annoying.
npm audit fix
will fix your software for you
> npm audit fix
+ nodemon@1.17.5
+ express@4.16.3
added 184 packages from 88 contributors, removed 13 packages and updated 31 packages in 20.612s
fixed 23 of 274 vulnerabilities in 4637 scanned packages
(by default)
npm audit fix --force
will bring in breaking changes to fix it
> npm audit fix --force
+ joi@13.3.0
+ next@6.0.3
added 205 packages from 122 contributors, removed 127 packages, updated 130 packages and moved 3 packages in 48.436s
fixed 267 of 267 vulnerabilities in 5707 scanned packages
2 package updates for 251 vulns involved breaking changes (installed due to `--force` option)
> npm audit fix
updated 2 packages in 4.726s
fixed 18 of 18 vulnerabilities in 6289 scanned packages
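An added example, not part of the talk: a small Node script that turns the counts `npm audit --json` reports under `metadata.vulnerabilities` into a CI pass/fail decision. The report object here is constructed with the slide's own numbers (248 low, 16 moderate, 10 high) rather than taken from a live run.

```javascript
// Added example (not from the talk): gate a CI build on the severity counts that
// `npm audit --json` reports under metadata.vulnerabilities (npm 6 report shape).
const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];

// Constructed report using the slide's numbers (248 low, 16 moderate, 10 high).
// In CI this object would be the parsed stdout of `npm audit --json`.
const sampleReport = {
  metadata: {
    vulnerabilities: { info: 0, low: 248, moderate: 16, high: 10, critical: 0 },
  },
};

// Pull the per-severity counts out of a report, tolerating a missing block.
function severityCounts(report) {
  return (report && report.metadata && report.metadata.vulnerabilities) || {};
}

// Number of findings at or above `minSeverity` (e.g. 'high' counts high + critical).
function countAtOrAbove(report, minSeverity) {
  const start = SEVERITIES.indexOf(minSeverity);
  if (start < 0) throw new Error(`unknown severity: ${minSeverity}`);
  const counts = severityCounts(report);
  return SEVERITIES.slice(start).reduce((sum, s) => sum + (counts[s] || 0), 0);
}

// Pass/fail decision: the build fails when any finding reaches `failOn`.
// Lets a team keep merging with 248 low findings while still blocking on the 10 high.
function auditGate(report, failOn = 'high') {
  const counts = severityCounts(report);
  const blocking = countAtOrAbove(report, failOn);
  return {
    ok: blocking === 0,
    blocking,
    failOn,
    summary: SEVERITIES.map((s) => `${s}=${counts[s] || 0}`).join(' '),
  };
}

// Exit status a CI step would return for a gate result.
function exitCodeFor(result) {
  return result.ok ? 0 : 1;
}

const demo = auditGate(sampleReport, 'high');
console.log(demo.summary);
console.log(demo.ok
  ? 'audit gate passed'
  : `${demo.blocking} findings at/above ${demo.failOn}; CI would exit ${exitCodeFor(demo)}`);
```

Run `npm audit fix` first, then feed the fresh report through the gate; what `--force` would pull in is a separate, deliberate decision rather than something a CI step should make for you.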
Right?
is available for every account
whether you like them or not
rm -rf node_modules; npm install
npm ci
This has nothing to do with security; it's just neat.
Get these slides here:
Ask me questions or say hi on Twitter:
Useful links that I didn't talk about but you get because you downloaded the slides:
More about npm audit:
https://docs.npmjs.com/getting-started/running-a-security-audit
npm ci
https://docs.npmjs.com/cli/ci
two-factor auth:
https://docs.npmjs.com/getting-started/using-two-factor-authentication
npm hooks (bonus feature!)
https://docs.npmjs.com/cli/hook
npm signs all tarballs now
https://blog.npmjs.org/post/172999548390/new-pgp-machinery
we acquired a security company
https://blog.npmjs.org/post/172793182214/npm-acquires-lift-security-and-node-security