DEV Community

Cover image for 🙌 How to get rid of vulnerabilities with just NPM 👀
Luís Von Muller
Luís Von Muller

Posted on • Updated on

🙌 How to get rid of vulnerabilities with just NPM 👀

Sometimes when you're trying to install or re-use some kind of global package on the NPM environment, you will get messages telling you something like this:

Installing a package

As NPM itself will suggest, you, should audit them, to kindly fix them ☺️

Warnings of vulnerabilities

But let me make it clear,: That is for sure, not the real way to "Security" audit things, but it is for sure, the minimum safe way that you must stay (at least) for the greater good!

This kind of vulnerability could became a real problem, especially when your packages are global packages.

I mean, When you're using the "-g" flag to make it system wide available.

For this, its a minimum good practice to also use things like NPX. But... if you're that lazy, as I am, here is this small shenanigan that could help you to keep yourself a bit more safe. 👀

🚶 Step by Step 🚶

1. Lets update NPM itself! 👉

On the bash, or terminal, type:

$ npm install npm@latest -g

The $ means that you're into the bash or at least on a terminal like prompt 😅

The output will look something near like...
Updating NPM

And...
Image description
... Ok I'll just type the "$ npm audit" then...

Image description

WAT?

Image description

Yes, that is totally accurate! 👌

NPM audit will check inside the package you're on (or even none if your not). It will not check the for entire "NPM" global environment.

OMG - David504

Context for the quote: https://www.youtube.com/watch?v=B6LpzJLrhpw

2. So, what should I do!? 🤔

The right way? use rust 🦀 . Joking, you could use NPX, but if you don't want to (as I don't)... wait there!

You know what NPM people loves? Packages. 📦

And so we does! We love packages 🥰! But what about installing another global package to fix global packages?

Avarege Package Enjoyer with a big brain

Now you must say: That looks sooo great!

Then, Kindly type into the terminal this, while praying to NPM's gods:

$ npm install -g npm-check-updates

The output gonna be like:

Output of npm install minus g npm check updates

Thanks god that wasn't any vulnerability inside the vulnerability checking package 😮‍💨

3. NCU - A Package Inception! 😳

If all went good till now, guess what? You will have another package globally available to use! 😌

And guess what? This one can say which ones we should upgrade to get rid of:

(っ◔◡◔)っ ♥ legacy code vulnerabilities ♥

Another Global package? Thats great!

But, how do we use it?. Again, from the terminal, type:

$ ncu -g

Output should like:

An output from the ncu package

On the last line, it will give yourself the minimum needed updates to fix common vulnerabilities that were fixed on newer versions! 🤩

my upgrade listings...

Now... lets just, as always: CTRL+C -> CTRL+V stuff. 😎

Then you will be prompted with:
After running upgrades...

Vulnerabilities again?

65 WAT?

Yes, that is again, fairly right 🤦‍♂️

What you will need to execute, instead of the other command that I told you to run is this one:

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
and you will have Rust and Rust's Cargo!

Nah, lets talk serious now... 🙄

You got rid of the Global Packages vulnerabilities (from themselves) by upgrading them. But those packages (sometimes) depends on other packages...
I told you that NPM's guys really like packages ¯_(ツ)_/¯

There will be, always, some vulnerabilities left inside these (dependencies). But not within being into a Global Package itself, then we're kinda good to go.

And to make sure there is not left, you can re-check it by doing so:

$ ncu -g

(to check if there is the need to upgrade any to a safer version)

Rechecking global packages.

Conclusion? 🤔

If you gonna stand with just NPM without NPX please, at least do this.

I will soon write a how to NPX... or not

Thanks! Follow me on the Dev Bubble on Twitter

Discussion (4)

Collapse
jeh212 profile image
Jean

Nice article man, I didn't know about this! I've got a question, updating theses packages, would create few errors on my application or this is a risk that has to take to keep the project safe?

Collapse
luisvonmuller profile image
Luís Von Muller Author

Most of the time: "Nah". Because they are global packages and most of the time they are just like programs that you double click to open/run they.

Collapse
tenebris_aenigma profile image
tenebrisAenigma

Thanks for sharing your knowledge.

Collapse
luisvonmuller profile image
Luís Von Muller Author

Nope! 🥰