
Importance of NPM vulnerabilities for build processes

I may be a little bit behind, but I just upgraded NPM yesterday and now I'm getting all sorts of vulnerabilities with module dependencies like, prototype pollution, memory exposure and regular expression denial of service.

All I'm using the packages for is compiling, renaming, "uglifying" and compressing my assets using a build process like gulp or webpack.

So, I guess I'm wondering how important it is to fix these vulnerabilities or how relevant they are to my process given they are only used locally to build my assets (scss -> css, babel and image compression).

My hunch is that while you always want to err on the side of caution, since they're not being used on a node server or any live process, user input, etc., it may not matter as much as I had originally thought. Am I way off?

jheigs asked Jun 11 '18 16:06




1 Answer

Your hunch is right ...but be cautious.

Use NPM's CLI command, npm audit, to run a security audit and check each of the listed vulnerabilities in order to conclude the dangers according to your situation.

You can try to fix these vulnerabilities by running:

npm audit fix

...but oftentimes this will resolve only some of your vulnerability warnings, by trying to update the dependencies in question to the next possible semver version without breaking functionality.

Basically, UNTIL you have these packages with notices and cautions running as just generator scripts, build tasks, and automations, you'll be fine.

But as soon as possible, update them to their latest versions. I would recommend npm-check-updates for checking more recent versions of the installed packages.

user7637745 answered Sep 27 '22 21:09
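An added example (not part of the original answer) of the per-finding check the answer recommends: it reads the JSON that `npm audit --json` emits and, using package.json, separates findings reachable only from devDependencies (build tooling such as gulp) from those reachable at runtime, and records which fix route applies. The report fields it relies on (`isDirect`, `effects`, `fixAvailable`) are assumed to follow the npm 7+ `auditReportVersion: 2` format; the sample report is constructed.

```javascript
'use strict';

// Rank used to decide which findings cannot wait.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Walk the `effects` (dependants) chain upward until reaching packages that
// are listed directly in package.json (isDirect === true). Field names are an
// assumption about the npm 7+ audit report format.
function rootDependents(report, name, seen = new Set()) {
  const v = report.vulnerabilities[name];
  if (!v || seen.has(name)) return new Set();
  seen.add(name);
  if (v.isDirect) return new Set([name]);
  const roots = new Set();
  for (const parent of v.effects || []) {
    for (const r of rootDependents(report, parent, seen)) roots.add(r);
  }
  return roots;
}

// Classify every finding: build-only if all its root dependants are devDependencies.
function triage(report, pkg) {
  const dev = new Set(Object.keys(pkg.devDependencies || {}));
  return Object.values(report.vulnerabilities).map((v) => {
    const roots = [...rootDependents(report, v.name)];
    const buildOnly = roots.length > 0 && roots.every((r) => dev.has(r));
    let action = 'manual-review';                       // fixAvailable === false
    if (v.fixAvailable === true) action = 'npm audit fix';
    else if (v.fixAvailable && v.fixAvailable.isSemVerMajor) action = 'major-upgrade';
    const severe = SEVERITY_RANK[v.severity] >= SEVERITY_RANK.high;
    // Runtime-reachable high/critical findings are the ones that cannot wait;
    // build-only ones still get fixed, just on a less urgent schedule.
    return { name: v.name, severity: v.severity, roots, buildOnly, action,
             urgent: !buildOnly && severe };
  });
}

// Constructed sample input (not a real audit run); shape as assumed above.
const SAMPLE_PKG = { dependencies: { express: '^4.16.0' },
                     devDependencies: { gulp: '^3.9.1' } };
const FIX_GULP4 = { name: 'gulp', version: '4.0.2', isSemVerMajor: true };
const SAMPLE_REPORT = { auditReportVersion: 2, vulnerabilities: {
  lodash:    { name: 'lodash', severity: 'high', isDirect: false, effects: ['gulp', 'express'], fixAvailable: true },
  minimatch: { name: 'minimatch', severity: 'moderate', isDirect: false, effects: ['gulp'], fixAvailable: FIX_GULP4 },
  gulp:      { name: 'gulp', severity: 'high', isDirect: true, effects: [], fixAvailable: FIX_GULP4 },
  express:   { name: 'express', severity: 'high', isDirect: true, effects: [], fixAvailable: true },
} };

console.table(triage(SAMPLE_REPORT, SAMPLE_PKG));
```

Run it against real input with `npm audit --json > audit.json` and pass the parsed file plus package.json to `triage`; a finding whose only root dependants are devDependencies is the build-only case the question asks about.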