Security is a big thing, and quite a complicated topic.
It's very hard to keep track of node packages, because there is no tool that tells you "This is a real security risk for you and your users".
What most tools tell you, is that a package as a security issue, and it's up to you to define how critical it is.
Even specialised tools like Github alerts for vulnerable dependencies or Snyk mostly generate tons of false-positive warnings that are mostly a big waste of time.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
yarn security:audit
// Tons of noise...
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ concurrently │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ concurrently > yargs > yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1500 │
└───────────────┴──────────────────────────────────────────────────────────────┘
283 vulnerabilities found - Packages audited: 1874
Severity: 283 Low
error Command failed with exit code 2.
At the time of writing, NRN comes with about 300 vulnerabilities of Low
level.
That may sound like a lot, but you need to consider that most of those are due to small vulnerabilities that are only exploitable in a development environment.
The above warning, for example, is based on the concurrently
package, which is only used during development, when running the app in debug mode.
Low
level vulnerabilities, and rather focus on those that are more critical.Custom Testing - 2021
Tous droits réservés