Introduction

Npm has a tool called: npm audit which reports if your packages or libraries are having any known vulnerability on them or not. This is an excellent initiative from npm.

This is a great security threat in which your application can be hacked or vulnerable if your application is using any 3rd party library which has a known vulnerability on them. Even if your app is not having a security issue, but your whole system is vulnerable due to that 3rd party library. It is one of top-10 Owasp Security threats.

In this post, we will see the following:

  • How to use it via rest API
  • You don’t need to install a package before using npm audit
  • no need to run npm audit command
  • check vulnerability information for about any npm package without installing it

How npm audit works internally

It requires your package.json and packege-lock.json file. It reads some meta-information from these files and submits it to their web servers via rest APIs. The web server then returns the response and indicating if any library is having vulnerable information in them or not.

So when you run npm audit on the home directory of your project. It prepares some data, and send it to its web server.

npm audit uses a module: npm-registry-fetch which exposes some methods to call those rest APIs. Although, you will not find its documentation anywhere. I just found it while looking at the GitHub code of npm.

Rest API for getting npm audit information

URL: /-/npm/v1/security/audits
Host: registry.npmjs.org
Port: 443
HttpMethod: POST

It has a post body which looks like:

{
    "name": "npm_audit_test",
    "version": "1.0.0",
    "requires": {
        "marked": "^0.6.3"
    },
    "dependencies": {
        "marked": {
            "version": "0.6.3",
            "integrity": "sha1-ebq614r2OLpNUiqecVzf3SQp6UY=234"
        }
    }
}

So, the good thing is that you don’t require to have package.json or package-lock.json file. You can just call this API, and can get the result. You can see above that it is sending some hash: integrity in POST body, but you can remove that as well.

Let’s look at a fully functional code.

Code to Fetch Audit data

Here, I have used a non-existent name: npm_audit_test, and any version of my project. It can be anything. And, I’m using a dependency package: marked

const regFetch = require('npm-registry-fetch');

const auditData = {
    "name": "npm_audit_test",
    "version": "1.0.0",
    "requires": {
        "marked": "^0.6.3"
    },
    "dependencies": {
        "marked": {
            "version": "0.6.3",
            "integrity": "sha1-ebq614r2OLpNUiqecVzf3SQp6UY=234"
        }
    }
};

let opts = {
    "color":true,
    "json":true,
    "unicode":true,
    method: 'POST',
    gzip: true,
    body: auditData
};

return regFetch('/-/npm/v1/security/audits', opts)
    .then(res => {
        return res.json();
    })
    .then(res => {
        console.log(JSON.stringify(res, "", 3));
    }).catch(err => console.error(err));

So, the solution which is presented above doesn’t require you to install your packages. You can just pass any package name and you are done.

In the above example, I can completely remove the integrity attribute, and it will still work.

Give your comments, if you have any questions.