
Kayla Reopelle


Are vulnerabilities for testing dependencies a threat to my app in production?

Some background:

I'm working on a React application my agency recently picked up. The application has existed for ~2 years. I ran npm audit last week and discovered the app has quite a few high-level security vulnerabilities.

Most of them are coming from jest, a testing framework for React. We'll need to upgrade the package by a few major versions to resolve the vulnerabilities.

This could be a lot of work to take on right now, but I don't know if it should be a high priority. I'm not sure if this dependency has any impact on my app's security in production.

My question:

Are vulnerabilities from my testing framework a threat to my app in production?

Any advice would be appreciated! Thank you!

Discussion (1)

Si (devdrake0)

It depends. Just because it's a testing framework doesn't mean you won't install the package in production.

The first thing I'd do is to ensure it's included in your devDependencies section of package.json (you can run npm audit fix --only=prod to run audit against only production dependencies).

It also depends on what the vulnerability is. Take some time to assess the vulnerability, and whether it's going to affect your app.

Lastly, you have to assess whether the effort to fix the vulnerability is worth it which again depends on what the actual vulnerability is.