Maria Campbell

The new npm audit with npm 6+


This post was first published on my Developer Blog, June 5, 2018.

First, GitHub started letting us know about npm package vulnerabilities in our GitHub repos. Now Node.js has followed suit and does the same in our local repos via the command line.

It took me a little while to figure out how to fix these vulnerabilities, mostly because the npm documentation was not so hot. It seems that it has since improved! Node Security is very new, after all! Links to better documentation are now included in our vulnerability warnings in Terminal (Mac OS X).

Currently I am working on an app using express, Node.js, sequelize, express-session and bcrypt, among others. I wanted to include sequelize-cli, and did so with the command

npm i sequelize-cli --save

However, once installed, I got the following warning in Terminal:

sequelize-cli@4.0.0
added 53 packages from 34 contributors and audited 2069 packages in 10.745s
found 1 low severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details

First I followed the instructions to fix the vulnerability with

npm audit fix

That did not work. I got the warning

up to date in 2.155s
fixed 0 of 1 vulnerability in 2069 scanned packages
1 vulnerability required manual review and could not be updated

Then I ran

npm audit

The output included a link to Node Security with the next steps to take:

npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.5.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ bcrypt                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ bcrypt > node-pre-gyp > rc > deep-extend                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/612                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


It involved the package deep-extend, which is a dependency of sequelize-cli and bcrypt, both of which I have included in my root dependencies. I got the following information on deep-extend at the Node Security link:

Overview

Versions of deep-extend before 0.5.1 are vulnerable to prototype pollution.

Remediation

Update to version 0.5.1 or later.
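To make the advisory concrete, here is an added example (my own illustration, not code from this post or from the deep-extend project) of the bug class it names: a minimal recursive merge that a "__proto__" key in untrusted JSON steers into Object.prototype, beside a hardened merge that skips prototype-related keys, which is the kind of guard a fix for this class of bug adds.

```javascript
// Added example (not from the post or from deep-extend itself): the bug class
// named in the advisory on a minimal recursive merge, beside a hardened merge.

// Naive deep merge. JSON.parse turns a "__proto__" key in the input into an
// ordinary own property, so Object.keys() yields it, dst["__proto__"] resolves
// to Object.prototype, and the recursion writes into the shared prototype.
function naiveExtend(dst, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      if (!dst[key] || typeof dst[key] !== 'object') dst[key] = {};
      naiveExtend(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Hardened merge: skip the keys that reach the prototype chain and only recurse
// into objects that are dst's own properties, never inherited ones.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeExtend(dst, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = src[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      if (!Object.prototype.hasOwnProperty.call(dst, key) || typeof dst[key] !== 'object') {
        dst[key] = {};
      }
      safeExtend(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Constructed sample: untrusted configuration JSON carrying a "__proto__" key.
const UNTRUSTED_JSON = '{"name": "cfg", "__proto__": {"polluted": true}}';

// Merge the sample into a fresh object with `extendFn`, then report whether an
// unrelated new object inherited the injected field; cleans up afterwards.
function mergeAndCheck(extendFn) {
  extendFn({}, JSON.parse(UNTRUSTED_JSON));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}
```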

When I ran npm audit in Terminal, it told me to go into the package located in node_modules and check that a package-lock.json actually existed. If not, I should create one:

npm ERR! code EAUDITNOLOCK
npm ERR! audit Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile
npm ERR! audit Try creating one first with: npm i --package-lock-only

npm ERR! A complete log of this run can be found in:
npm ERR! /Users/mariacam/.npm/_logs/2018-06-05T10_22_24_882Z-debug.log

But first I got rid of my top-level package-lock.json so that I could actually upgrade deep-extend. If I had kept it, deep-extend would just have been re-installed at the same version. To learn more, please visit the package-lock.json page on npmjs.com.

After I deleted the top-level package-lock.json, I went into sequelize-cli in node_modules, which contained the deep-extend dependency, and saw that there was no package-lock.json. I ran the following command to create one for sequelize-cli:

npm i --package-lock-only

After running it, I got back the following warning in Terminal:

created a lockfile as package-lock.json. You should commit this file.
added 839 packages from 79 contributors and audited 4797 packages in 17.936s
found 18 vulnerabilities (3 low, 9 moderate, 5 high, 1 critical)
run `npm audit fix` to fix them, or `npm audit` for details

I went back up to the root directory and ran the following command:

npm i deep-extend@0.5.1

Again, I got the following warning in Terminal:

deep-extend@0.5.1
added 1 package from 5 contributors, updated 1 package and audited 2070 packages in 3.454s
found 1 low severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details

This installed the version needed to get rid of the vulnerability, as mentioned earlier.

Now I was ready to run the command

npm audit fix

and afterwards received

audited 2070 packages in 3.049s
found 0 vulnerabilities
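The lockfile is what pins the nested copy, so after the upgrade it is worth checking every copy of deep-extend in package-lock.json rather than only the top-level one. The following is an added example (not this post's own code, and not part of npm): a small Node script that walks an npm 6 lockfile (lockfileVersion 1) and lists the copies still below the advisory's patched version, run here against a constructed lockfile that mirrors the bcrypt > node-pre-gyp > rc > deep-extend path; the version numbers for bcrypt, node-pre-gyp and rc are made up.

```javascript
// Added example (not from the post or from npm): walk a lockfileVersion 1
// package-lock.json and report every copy of a package that is still below
// the advisory's patched version, with the dependency path that pins it.

// Constructed sample lockfile mirroring the post's audit path. The bcrypt,
// node-pre-gyp and rc versions are made-up placeholders, not real data.
const SAMPLE_LOCK = {
  name: 'example-app', version: '1.0.0', lockfileVersion: 1,
  dependencies: {
    'deep-extend': { version: '0.5.1' },   // top-level copy, already on the patched version
    bcrypt: { version: '1.0.0', dependencies: {
      'node-pre-gyp': { version: '1.0.0', dependencies: {
        rc: { version: '1.0.0', dependencies: {
          'deep-extend': { version: '0.5.0' },   // nested copy pinned under rc, still vulnerable
        } },
      } },
    } },
  },
};

// Compare dotted numeric versions (no pre-release tags): <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Recursively collect every occurrence of `name`: npm nests a separate copy under each parent.
function findPackage(deps, name, trail = []) {
  const hits = [];
  for (const [depName, entry] of Object.entries(deps || {})) {
    const path = [...trail, depName];
    if (depName === name) hits.push({ path: path.join(' > '), version: entry.version });
    hits.push(...findPackage(entry.dependencies, name, path));
  }
  return hits;
}

// Copies of `name` whose version is below `patchedIn` (e.g. '0.5.1' for deep-extend).
function vulnerableCopies(lock, name, patchedIn) {
  return findPackage(lock.dependencies, name)
    .filter(hit => compareVersions(hit.version, patchedIn) < 0);
}

console.log(vulnerableCopies(SAMPLE_LOCK, 'deep-extend', '0.5.1'));
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')).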

I had also received a warning for the npm package sharp, and had uninstalled it. Now, if I really wanted to, I could re-install it and fix the vulnerability. This also goes for any vulnerabilities you may have to fix in your remote repos on GitHub! I know I have a few to address!
