Some background:
I'm working on a React application my agency recently picked up. The application has existed for ~2 years. I ran npm audit last week and discovered the app has quite a few high-level security vulnerabilities.
Most of them are coming from jest, a testing framework for React. We'll need to upgrade the package by a few major versions to resolve the vulnerabilities.
This could be a lot of work to take on right now, but I don't know if it should be a high priority. I'm not sure if this dependency has any impact on my app's security in production.
My question:
Are vulnerabilities from my testing framework a threat to my app in production?
Any advice would be appreciated! Thank you!
Top comments (1)
It depends. Just because it's a testing framework, doesn't mean you won't install the package in production.
The first thing I'd do is to ensure it's included in your
devDependenciessection ofpackage.json(you can runnpm audit fix --only=prodto runauditagainst only production dependencies).It also depends on what the vulnerability is. Can some time to assess the vulnerability, and if it's going to affect your app.
Lastly, you have to assess whether the effort to fix the vulnerability is worth it which again depends on what the actual vulnerability is.