npm package security
Steps
1. Which packages am I using? And for each one…
1.1. Am I still using this package?
1.2. Are other developers using this package?
1.3. Am I using the latest version of this package?
1.4. When was this package last updated?
1.5. How many maintainers do these packages have?
1.6. Does this package have known security vulnerabilities?
Commands for those steps
Requirements
Process
Simplify by cleaning up duplications
npm dedupe
Which packages am I using?
npm ls
Am I still using this package?
# npm install -g depcheck
depcheck
Are other developers using this package?
# npm install -g stats
stats --total
Am I using the latest version of this package?
npm outdated
When was this package last updated?
npm view PACKAGE_NAME time.modified
How many maintainers do these packages have?
npm view PACKAGE_NAME maintainers
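To turn the last-updated and maintainer checks into a repeatable test rather than an eyeball, here is an added Node.js example (not from the original page). It scores a package from the output of `npm view PACKAGE_NAME time --json` and `npm view PACKAGE_NAME maintainers --json`; the output shapes, the `assessPackage` name and the 365-day / two-maintainer thresholds are assumptions, and the sample data is constructed.

```javascript
'use strict';
// Added example, not from the original page. Flags a dependency whose last
// publish is older than a policy threshold or which has too few maintainers.
// The shapes below are assumptions about npm's `view --json` output.

// Constructed sample of `npm view PACKAGE_NAME time --json`
const sampleTime = {
  created: '2015-04-01T10:00:00.000Z',
  modified: '2019-02-14T08:30:00.000Z',
  '1.0.0': '2015-04-01T10:00:00.000Z',
  '1.4.2': '2019-02-14T08:30:00.000Z',
};

// Constructed sample of `npm view PACKAGE_NAME maintainers --json`; npm may
// print maintainers as "name <email>" strings or as {name, email} objects,
// so both forms are accepted.
const sampleMaintainers = ['solo-dev <solo@example.invalid>'];

function maintainerNames(maintainers) {
  return (maintainers || []).map((m) =>
    typeof m === 'string' ? m.replace(/\s*<[^>]*>\s*$/, '') : m.name);
}

// Whole days between an ISO timestamp and "now" (passed in so the check is
// deterministic and testable).
function daysSince(isoDate, nowIso) {
  const ms = Date.parse(nowIso) - Date.parse(isoDate);
  return Math.floor(ms / 86400000);
}

// Policy values are assumptions; tune them per project.
function assessPackage(time, maintainers, nowIso,
  policy = { maxAgeDays: 365, minMaintainers: 2 }) {
  const ageDays = daysSince(time.modified, nowIso);
  const names = maintainerNames(maintainers);
  const flags = [];
  if (ageDays > policy.maxAgeDays) {
    flags.push(`stale: last published ${ageDays} days ago`);
  }
  if (names.length < policy.minMaintainers) {
    flags.push(`bus factor: ${names.length} maintainer(s)`);
  }
  return { ageDays, maintainers: names, flags };
}

// Stand-alone run against the constructed sample
console.log(assessPackage(sampleTime, sampleMaintainers, new Date().toISOString()));
```

A stale package is not vulnerable by itself; the value of the check is that an unmaintained dependency will not receive a fix when `npm audit` eventually reports one, so it belongs on the list to replace or vendor early.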
Does this package have known security vulnerabilities?
npm audit
Daily how-to
Script for getting security report
- Get the vulnerabilities
npm install
# reduce dependencies
npm dedupe
# fix the easy ones
npm audit fix
# get a list of the hard ones
npm audit --parseable
# solve them manually
Solve manually
For each vulnerable dependency
Look for the currently installed version
npm ls PACKAGE_NAME
Review the vulnerability report: consider updating
- use next-update
npx next-update
- use npm-force-resolutions
npm install --package-lock-only --ignore-scripts \
&& npx npm-force-resolutions
❗ Note
Remember you will need to maintain the “forced resolutions” in the package.json file.
"resolutions": {
  "underscore": "^1.12.1"
}
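The "get a list of the hard ones" and "maintain the forced resolutions" steps above are the ones that rot silently, so here is an added Node.js example (not from the original page) that does both from saved JSON: it splits an audit report into what `npm audit fix` handles versus what needs a major bump or an override, and it checks each entry of "resolutions" against the installed tree and the audit report. The report shapes are assumptions based on npm 7+ `npm audit --json` and `npm ls --json`; the function names and every sample value are constructed.

```javascript
'use strict';
// Added example, not from the original page. Triage of `npm audit --json`
// plus a drift check for forced "resolutions" in package.json.
// Shapes assumed: npm 7+ audit report (auditReportVersion 2) and `npm ls --json`.

// Constructed sample of `npm audit --json`
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    underscore: { name: 'underscore', severity: 'critical', isDirect: false,
      via: [{ title: 'constructed sample advisory', range: '<1.12.1' }],
      effects: ['legacy-tool'], range: '<1.12.1', nodes: ['node_modules/underscore'],
      fixAvailable: { name: 'legacy-tool', version: '2.0.0', isSemVerMajor: true } },
    'tiny-util': { name: 'tiny-util', severity: 'moderate', isDirect: true,
      via: [{ title: 'constructed sample advisory', range: '<0.3.1' }],
      effects: [], range: '<0.3.1', nodes: ['node_modules/tiny-util'], fixAvailable: true },
    'dead-end': { name: 'dead-end', severity: 'high', isDirect: false,
      via: [{ title: 'constructed sample advisory', range: '*' }],
      effects: ['other-tool'], range: '*', nodes: ['node_modules/dead-end'], fixAvailable: false },
  },
};

// Constructed sample of `npm ls --json` (nested dependency tree)
const sampleTree = {
  name: 'my-app', version: '1.0.0',
  dependencies: {
    'legacy-tool': { version: '1.5.0', dependencies: { underscore: { version: '1.9.1' } } },
    'tiny-util': { version: '0.3.0' },
    'other-tool': { version: '3.1.0', dependencies: { 'dead-end': { version: '0.1.0' } } },
    'safe-lib': { version: '4.2.0' },
  },
};

// Constructed sample package.json with forced resolutions
const samplePackageJson = {
  name: 'my-app',
  resolutions: { underscore: '^1.12.1', 'left-behind': '^2.0.0', 'safe-lib': '^4.0.0' },
};

const SEVERITY_ORDER = { critical: 0, high: 1, moderate: 2, low: 3, info: 4 };

// fixAvailable === true: `npm audit fix` handles it (easy).
// fixAvailable is an object: only fix is bumping a parent, possibly semver-major (hard).
// fixAvailable === false: no published fix yet (unfixed).
function triageAudit(report) {
  const easy = [], hard = [], unfixed = [];
  for (const v of Object.values(report.vulnerabilities || {})) {
    const item = { name: v.name, severity: v.severity, direct: Boolean(v.isDirect), range: v.range };
    if (v.fixAvailable === true) {
      easy.push(item);
    } else if (v.fixAvailable && typeof v.fixAvailable === 'object') {
      hard.push({ ...item, fix: `${v.fixAvailable.name}@${v.fixAvailable.version}`,
        semverMajor: Boolean(v.fixAvailable.isSemVerMajor) });
    } else {
      unfixed.push(item);
    }
  }
  const bySeverity = (a, b) => SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity];
  return { easy: easy.sort(bySeverity), hard: hard.sort(bySeverity), unfixed: unfixed.sort(bySeverity) };
}

// Collect every package name anywhere in the `npm ls --json` tree.
function installedPackages(tree, seen = new Set()) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    seen.add(name);
    installedPackages(node, seen);
  }
  return seen;
}

// "unused": package no longer in the tree, so the override can be dropped.
// "stillReported": audit still flags it, so the pin is too low or was never applied.
// "inForce": present in the tree and no longer reported.
function checkResolutions(pkgJson, tree, report) {
  const installed = installedPackages(tree);
  const reported = new Set(Object.keys(report.vulnerabilities || {}));
  const result = { inForce: [], unused: [], stillReported: [] };
  for (const [name, range] of Object.entries(pkgJson.resolutions || {})) {
    const entry = { name, range };
    if (!installed.has(name)) result.unused.push(entry);
    else if (reported.has(name)) result.stillReported.push(entry);
    else result.inForce.push(entry);
  }
  return result;
}

// Stand-alone run against the constructed samples
console.log(JSON.stringify(triageAudit(sampleAudit), null, 2));
console.log(JSON.stringify(checkResolutions(samplePackageJson, sampleTree, sampleAudit), null, 2));
```

In a real project the inputs come from `npm audit --json > audit.json` and `npm ls --json --all > tree.json` (the `--all` flag is needed on npm 7+ to get the full tree), read with `JSON.parse(fs.readFileSync(...))`. The "stillReported" bucket is the interesting one: a forced resolution that is still reported by `npm audit` after `npx npm-force-resolutions` has run means the pinned range is still inside the vulnerable range, or the lockfile was regenerated without re-applying it.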