Lets-Encrypt SSL Certificate Useful Commands
You might need to put sudo before above command. The command will show details…
August 29, 2019
Npm has a tool called: npm audit which reports if your packages or libraries are having any known vulnerability on them or not. This is an excellent initiative from npm.
This is a great security threat in which your application can be hacked or vulnerable if your application is using any 3rd party library which has a known vulnerability on them. Even if your app is not having a security issue, but your whole system is vulnerable due to that 3rd party library. It is one of top-10 Owasp Security threats.
In this post, we will see the following:
It requires your package.json and packege-lock.json file. It reads some meta-information from these files and submits it to their web servers via rest APIs. The web server then returns the response and indicating if any library is having vulnerable information in them or not.
So when you run npm audit on the home directory of your project. It prepares some data, and send it to its web server.
npm audit uses a module: npm-registry-fetch which exposes some methods to call those rest APIs. Although, you will not find its documentation anywhere. I just found it while looking at the GitHub code of npm.
URL: /-/npm/v1/security/audits
Host: registry.npmjs.org
Port: 443
HttpMethod: POST
It has a post body which looks like:
{
"name": "npm_audit_test",
"version": "1.0.0",
"requires": {
"marked": "^0.6.3"
},
"dependencies": {
"marked": {
"version": "0.6.3",
"integrity": "sha1-ebq614r2OLpNUiqecVzf3SQp6UY=234"
}
}
}
So, the good thing is that you don’t require to have package.json or package-lock.json file. You can just call this API, and can get the result. You can see above that it is sending some hash: integrity in POST body, but you can remove that as well.
Let’s look at a fully functional code.
Here, I have used a non-existent name: npmaudittest, and any version of my project. It can be anything. And, I’m using a dependency package: marked
const regFetch = require('npm-registry-fetch');
const auditData = {
"name": "npm_audit_test",
"version": "1.0.0",
"requires": {
"marked": "^0.6.3"
},
"dependencies": {
"marked": {
"version": "0.6.3",
"integrity": "sha1-ebq614r2OLpNUiqecVzf3SQp6UY=234"
}
}
};
let opts = {
"color":true,
"json":true,
"unicode":true,
method: 'POST',
gzip: true,
body: auditData
};
return regFetch('/-/npm/v1/security/audits', opts)
.then(res => {
return res.json();
})
.then(res => {
console.log(JSON.stringify(res, "", 3));
}).catch(err => console.error(err));
So, the solution which is presented above doesn’t require you to install your packages. You can just pass any package name and you are done.
In the above example, I can completely remove the integrity attribute, and it will still work.
Give your comments, if you have any questions.
You might need to put sudo before above command. The command will show details…
You have drupal 7 image from docker hub, and want to connect tomongo db via php…
Introduction In this post, we will discuss 3 different ways to import a…
Introduction Drupal provides a powerful comment module, which comes as a part of…
Introduction I have created a view, with some filters and content fields. I will…
Visual Studio Code is one of the awesome developer tools by Microsoft. Let’s…
In this post, we will see some of the frequently used concepts/vocabulary in…
System design interview is pretty common these days, specially if you are having…
Introduction You are given an array of integers with size N, and a number K…
Graph Topological Sorting This is a well known problem in graph world…
Problem Statement Given a Binary tree, print out nodes in level order traversal…
Problem Statement Given an array nums of n integers and an integer target, are…