With npm@6, support was added to protect your code from vulnerabilities in packages that you use. You may have noticed output identifying vulnerabilities when you run npm.

(Screenshot: npm command vulnerabilities summary)

The npm project now maintains a database of security advisories, which npm audit uses to find known vulnerabilities in your dependency tree for you. Where a patched version exists, it also suggests the fix. This is an impressive feature to help us all keep code as safe as we can in a world of seemingly innumerable package dependencies.

Putting npm audit to work for you 💪

Security starts at home. Making npm audit part of your local development process is highly recommended. See the Auditing package dependencies for security vulnerabilities documentation from npmjs.com for an introduction to npm audit and fixing vulnerabilities.

npm audit produces a report of known vulnerabilities, and if available, patches to apply to resolve the vulnerabilities.

(Screenshot: vulnerability advisory summary from npm audit)

The first time you audit a project, you're likely to see quite a few vulnerabilities identified. Don't despair: you can narrow down what needs review by filtering out devDependencies, which don't ship in your production code, with the --production flag. This works with both npm audit and npm audit fix.

$ npm audit fix --production

The above installs semver-compatible updates to vulnerable dependencies where a patched version exists, skipping devDependencies. Fixes that would need a major version bump are reported but not applied (npm audit fix --force would apply them, at the risk of breaking changes). On npm 7 and later the equivalent flag is --omit=dev. After applying the fixes, run your tests to make sure nothing broke, then push your changes. 🙌

If you're working with others on the project, you might need to discuss some of the updates before you make them. Having a pull request with proposed changes summarized for discussion would help. Checking if the pull request branch breaks your tests would also be useful.

We created the npm Vulnerability Scanner to address this problem for ourselves and for anyone who wants npm audit fix as an automated service in the cloud.

Continuous scan 🔍

The npm Vulnerability Scanner runs npm audit on every push to a repository. It adds a GitHub Check run to each commit with the report from the audit, with advisories linked directly in the check run summary to help you review.

You can set the minimum severity level (Low, Moderate, High or Critical) that causes npm Vulnerability Scanner to add a failed check. For example, you may only want to fail the check if a Critical vulnerability is found.

As mentioned earlier, you'll likely want to exclude dev dependencies from your audits. There's a flag for that as well in the configuration for npm Vulnerability Scanner.
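As an added example (not the npm Vulnerability Scanner's code, and not from the original post), here is a small Node script that applies the same two controls to a saved `npm audit --json` report: skip advisories that are reachable only through devDependencies, and fail only at or above a chosen severity. The report embedded below is a constructed sample laid out like an npm 6 audit report; the package names, advisory ids and URLs are fictitious, and the `dev` flag on each finding is the npm 6 marker for a devDependency-only path (an assumption if your npm version emits a different layout).

```javascript
// Added example (not the npm Vulnerability Scanner's own code): a CI gate that
// reads the JSON report from `npm audit --json` (npm 6 layout), drops findings
// that only reach the project through devDependencies when asked to, and
// fails when any remaining advisory is at or above a chosen severity.

// npm's severity ladder, lowest to highest.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample shaped like an npm 6 `npm audit --json` report.
// Package names, advisory ids and URLs are fictitious.
const SAMPLE_REPORT = {
  advisories: {
    1001: {
      id: 1001,
      module_name: 'example-left-pad',
      title: 'Regular Expression Denial of Service',
      severity: 'moderate',
      vulnerable_versions: '<1.2.0',
      patched_versions: '>=1.2.0',
      url: 'https://example.invalid/advisories/1001',
      // dev: false means this path is reachable from a production dependency.
      findings: [{ version: '1.1.0', paths: ['example-left-pad'], dev: false }],
    },
    1002: {
      id: 1002,
      module_name: 'example-merge',
      title: 'Prototype Pollution',
      severity: 'critical',
      vulnerable_versions: '<3.0.1',
      patched_versions: '>=3.0.1',
      url: 'https://example.invalid/advisories/1002',
      // Only pulled in by a test runner, so every path is a dev path.
      findings: [{ version: '3.0.0', paths: ['example-test-runner>example-merge'], dev: true }],
    },
    1003: {
      id: 1003,
      module_name: 'example-cookie',
      title: 'Improper Input Validation',
      severity: 'low',
      vulnerable_versions: '<0.4.0',
      patched_versions: '>=0.4.0',
      url: 'https://example.invalid/advisories/1003',
      findings: [{ version: '0.3.1', paths: ['example-web>example-cookie'], dev: false }],
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 1, high: 0, critical: 1 } },
};

// Decide pass/fail for one report. `minSeverity` is the lowest level that fails
// the check; `includeDev: false` drops advisories whose every path is a dev path,
// mirroring what `npm audit --production` leaves out.
function evaluateAudit(report, { minSeverity = 'high', includeDev = true } = {}) {
  const threshold = SEVERITY_RANK[minSeverity];
  if (threshold === undefined) throw new Error(`unknown severity level: ${minSeverity}`);

  const failing = [];
  const belowThreshold = [];
  const devOnly = [];
  for (const adv of Object.values(report.advisories || {})) {
    const findings = (adv.findings || []).filter((f) => includeDev || !f.dev);
    if (findings.length === 0) {
      devOnly.push(adv);
      continue;
    }
    const rank = SEVERITY_RANK[adv.severity];
    // Fail closed: a severity string we do not recognise counts as failing
    // rather than silently passing the gate.
    if (rank === undefined || rank >= threshold) failing.push(adv);
    else belowThreshold.push(adv);
  }
  return { pass: failing.length === 0, failing, belowThreshold, devOnly };
}

// Check-run style summary: one line per advisory with its link for review.
function formatSummary(verdict) {
  const line = (adv) => `- [${adv.severity}] ${adv.module_name}: ${adv.title} (${adv.url})`;
  const lines = [verdict.pass ? 'npm audit: PASS' : 'npm audit: FAIL'];
  if (verdict.failing.length) lines.push('Failing:', ...verdict.failing.map(line));
  if (verdict.belowThreshold.length) lines.push('Below threshold:', ...verdict.belowThreshold.map(line));
  if (verdict.devOnly.length) lines.push('Dev-only (skipped):', ...verdict.devOnly.map(line));
  return lines.join('\n');
}

// Usage: node audit-gate.js audit.json [minSeverity] [--production]
// With no file argument the constructed sample is evaluated and the exit code is left alone.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const [file, minSeverity = 'high', prodFlag] = process.argv.slice(2);
  const report = file ? JSON.parse(fs.readFileSync(file, 'utf8')) : SAMPLE_REPORT;
  const verdict = evaluateAudit(report, { minSeverity, includeDev: prodFlag !== '--production' });
  console.log(formatSummary(verdict));
  if (file) process.exitCode = verdict.pass ? 0 : 1;
}
```

Save the report with `npm audit --json > audit.json` and then run `node audit-gate.js audit.json high --production` (npm audit itself exits non-zero whenever it finds anything, so don't chain the two with `&&`). An advisory is treated as dev-only when every one of its paths is a dev path, so a package that is both a test helper and a runtime dependency still counts. Unknown severity strings fail the gate instead of passing it, so a report format change cannot quietly turn the check green.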

Automatic fixes as pull requests 🤖

To get fixes for all vulnerabilities with a patch available, enable fixes by choosing how you want them applied. Fixes can be raised as a pull request or directly committed to the pushed branch.

Fix pull requests contain a summary and the full npm audit report for quick review.

See all of the changes to package.json and package-lock.json for review and discussion.

If your CI builds are set up to run on feature branches, you'll see if any of the updates break your build.

If your CI doesn't build feature branches, feel free to use our npm Build skill that runs your chosen npm script on every push. It's a great way to test these fixes from npm audit.

Stay safe 🔒

Making audits automatic and packaging up fixes in tidy pull requests makes it easier to keep your codebase safer while staying sane. The npm Vulnerability Scanner is an easy way to do that without having to run anything yourself.

Give it a try and let us know if you have questions or suggestions. You can find me in our Atomist community Slack or @jryanday.