JavaScript Developers and Security

WaffleJS, 2018-05-29

Who is this guy?

Laurie Voss, COO, npm Inc.


Why talk about security?

Compared to last year:

  1. We know a lot more
  2. We do a lot more

Security in JavaScript

is important because

JavaScript is important

of the code in a modern web app is downloaded from npm


77% of developers

are concerned about the security of OSS

58% were not satisfied

with the tools available to evaluate security


Developers who think tools for evaluating security aren't good enough but aren't concerned.

Devs are concerned

about the security of the code they write themselves

People trust open source code more than their own code

87% to 77%

Attitudes to

security change as developers gain experience

Experience => security

Do experienced devs leave JavaScript?

of developers say they plan to use JavaScript the same or more this year


What else do more experienced people do more often?

Experience creates best practices

Security is a thing experienced devs do

What does

"doing security"

look like?

Using npm to improve your security

npm install npm -g

The current version of npm is 6.1.0

Security alerts

and npm audit

You're already using them

> npm install
added 742 packages from 472 contributors and audited 4637 packages in 25.362s
found 274 vulnerabilities (248 low, 16 moderate, 10 high)

You tell us what you're going to install

So we can tell you if it's a good idea

We bought a security company





How does npm

make money?

  1. Private package hosting
  2. Security scanning and reporting

npm Enterprise

will keep your JavaScript secure

Tom says: "Call me!"

This is scary.

How do I fix it?

> npm install
added 742 packages from 472 contributors and audited 4637 packages in 25.362s
found 274 vulnerabilities (248 low, 16 moderate, 10 high)
npm audit

npm audit output

npm audit is not just a scan

Because scans are kind of annoying.

npm audit includes instructions to fix the vulnerability

But why do stuff when you can get robots to do stuff?

npm audit fix

will fix your software for you

> npm audit fix
+ nodemon@1.17.5
+ express@4.16.3
added 184 packages from 88 contributors, removed 13 packages and updated 31 packages in 20.612s
fixed 23 of 274 vulnerabilities in 4637 scanned packages

npm audit fix

obeys SemVer

(by default)

npm audit fix --force

will bring in breaking changes to fix it

> npm audit fix --force
+ joi@13.3.0
+ next@6.0.3
added 205 packages from 122 contributors, removed 127 packages, 
updated 130 packages and moved 3 packages in 48.436s
fixed 267 of 267 vulnerabilities in 5707 scanned packages
  2 package updates for 251 vulns involved breaking changes
  (installed due to `--force` option)
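
An added example (not from the original slides or from npm's code) showing why plain `npm audit fix` resolves only some advisories: a patched version is applied only if it satisfies the range declared in package.json, otherwise it waits for `--force`. The function names, the declared ranges and `example-lib` are assumptions made for illustration.

```javascript
// Simplified model: caret (^), tilde (~) and exact pins on x.y.z versions only.
// npm itself uses the full semver range grammar.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound implied by a caret or tilde range.
function upperBound(op, [major, minor, patch]) {
  if (op === '~') return [major, minor + 1, 0];
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0]; // on 0.x a minor bump counts as breaking
  return [0, 0, patch + 1];
}

function satisfies(version, range) {
  const op = range[0];
  if (op !== '^' && op !== '~') return range === version; // exact pin
  const floor = parseVersion(range.slice(1));
  const v = parseVersion(version);
  return compare(v, floor) >= 0 && compare(v, upperBound(op, floor)) < 0;
}

// In range -> plain `npm audit fix` can apply it; otherwise it needs --force.
function planFixes(deps) {
  return deps.map(({ name, declared, patched }) => ({
    name,
    needsForce: !satisfies(patched, declared),
  }));
}

// Constructed sample: the patched versions of express, nodemon and next appear in
// the output above; every declared range here is made up for illustration.
const sample = [
  { name: 'express', declared: '^4.15.0', patched: '4.16.3' },
  { name: 'nodemon', declared: '~1.17.0', patched: '1.17.5' },
  { name: 'next', declared: '^5.0.0', patched: '6.0.3' },
  { name: 'example-lib', declared: '^0.4.0', patched: '0.5.1' }, // hypothetical package
];
console.log(planFixes(sample));
```

Anything flagged `needsForce` is a change to review and test before merging, since it crosses the range the project declared.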

Keep fixing until entirely fixed

> npm audit fix
updated 2 packages in 4.726s
fixed 18 of 18 vulnerabilities in 6289 scanned packages



All npm packages are signed now

Two-factor authentication

is available for every account

Publish alerts

by email

whether you like them or not

Stop running

rm -rf node_modules; npm install

instead run

npm ci

npm ci is 2-3x faster than npm install

This has nothing to do with security, it's just neat.

Summing up:

  • Security is a big deal
  • npm audit does security now
  • npm audit fix will fix your software
  • holy cow
  • did you say it will fix my software?
  • I did, Bob
  • holy cow

Thank you!

Get these slides here:

Ask me questions or say hi on Twitter:

Useful links that I didn't talk about but you get because you downloaded the slides:

JavaScript Security at WaffleJS

By seldo
