Working with node.js, is your code safe?

in #npm · 6 years ago (edited)

If your project is based on Node, you are almost certainly using many open source packages written by people who are complete strangers to you. Open source is awesome for boosting your productivity. However, pulling in code written by others, often with little to no vetting of its security pedigree, can put your application at risk.

There are over 350,000 packages in npm and about 14% of them suffer from known vulnerabilities. Even packages like st and ms, which have millions of downloads per month, have suffered from vulnerabilities such as directory traversal and denial of service.

:( Solution?

Yes, there is.
Snyk enables you to find, and more importantly fix, known vulnerabilities in your open source dependencies. And it's built by the best developers and security researchers in the space. You can then update each vulnerable package to a patched version.

If your project is on GitHub, you can test it at snyk.io.

Snyk also comes as an npm package that can be installed and integrated into your project for regular testing.

Snyk is not limited to Node; it also supports Maven, RubyGems, pip, etc. Have a look at its vulnerability database.

