NPM Identify And Fix Insecure Dependencies

Posted By : Hotam Singh | 14-May-2018

npm's latest version, npm@6, has been released and comes with a powerful new tool: npm audit. It helps protect the safety of your code. When we install a package we want to know which security risks it brings into our project, and npm audit helps us check the quality and integrity of the code we use.

 

Today I am going to discuss npm's powerful new tool, npm audit.

 

What is NPM audit?

 

npm audit is a new command introduced in the npm@6 release that identifies and fixes insecure dependencies. It performs a security review of your project based on its dependency tree: it reports the known security vulnerabilities present in your current dependencies, and it can also help you fix them.

 

Using npm audit is as easy as running npm install, npm init or npm start. We just need to upgrade npm to its latest version. That's it.

 

We can upgrade npm to its latest version by the following command:

$ npm install npm -g

 

Here is an example of the npm audit command.

Go to your existing Node.js project directory:

$ cd your-app

and type the command below:

$ npm audit

 

You will get results like the ones below:

This report shows a low-severity vulnerability. See the image below as well:

 

This one shows a high-severity vulnerability. It must be fixed before you proceed with further development.

 

The report also shows suggestions for fixing the reported vulnerabilities.

 

At the end of the report it prints a summary, as you can see in the last line of the screenshot above.

 

If no security vulnerability is found in your project, you will see something like this.
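The report described above is also available as machine-readable JSON (`npm audit --json`), which is how you would wire the check into a build. The following is an added example, not code from the original post: it reads a report in the npm@6 JSON shape, joins npm's suggested fixes back to each advisory, and decides whether the build should pass. The report object it uses is constructed for the example (placeholder module names and advisory ids), not output from a real project.

```javascript
// Added example (not from the post): gate a CI build on the JSON report that
// `npm audit --json` prints in npm@6. `sampleReport` is a constructed report in that
// shape (placeholder module names and advisory ids), not output from a real project.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
const sampleReport = {
  actions: [
    { action: "update", module: "example-a", target: "1.2.3",
      resolves: [{ id: 1001, path: "example-a", dev: false, optional: false, bundled: false }] },
    { action: "review", module: "example-b", // no patched release, so npm only says "review"
      resolves: [{ id: 1002, path: "test-runner>example-b", dev: true, optional: false, bundled: false }] },
  ],
  advisories: { // keyed by advisory id, as npm@6 prints them
    1001: { id: 1001, module_name: "example-a", severity: "low", title: "Regular Expression Denial of Service", patched_versions: ">=1.2.3" },
    1002: { id: 1002, module_name: "example-b", severity: "high", title: "Prototype Pollution", patched_versions: "<0.0.0" }, // "<0.0.0" = no fix available
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0 } }, // npm's per-severity totals (the summary line)
};
// Join `actions` back to advisory ids: the fix npm proposes for each advisory and
// whether any vulnerable path is reachable from production dependencies.
function resolutions(report) {
  const byId = new Map();
  for (const act of report.actions || []) {
    const fix = act.target ? `${act.action} ${act.module}@${act.target}` : `${act.action} ${act.module}`;
    for (const r of act.resolves || []) {
      const e = byId.get(r.id) || { fix, prodReachable: false, paths: [] };
      if (!r.dev) e.prodReachable = true;
      e.paths.push(r.path);
      byId.set(r.id, e);
    }
  }
  return byId;
}
// Fail when any advisory is at or above `threshold`; with ignoreDev, advisories reachable
// only through devDependencies are skipped (a common choice for library builds).
function auditGate(report, threshold = "high", { ignoreDev = false } = {}) {
  const minRank = SEVERITY_RANK[threshold];
  if (minRank === undefined) throw new Error(`unknown severity threshold: ${threshold}`);
  const res = resolutions(report);
  const offenders = [];
  for (const adv of Object.values(report.advisories || {})) {
    if (SEVERITY_RANK[adv.severity] < minRank) continue;
    const info = res.get(adv.id) || { fix: "review", prodReachable: true, paths: [] };
    if (ignoreDev && !info.prodReachable) continue;
    offenders.push({ id: adv.id, module: adv.module_name, severity: adv.severity,
      title: adv.title, patched: adv.patched_versions, fix: info.fix, paths: info.paths });
  }
  return { pass: offenders.length === 0, counts: report.metadata.vulnerabilities, offenders };
}
```

In a pipeline, parse the saved output of `npm audit --json` into `report`, call `auditGate(report, "high")`, and exit non-zero when `pass` is false; the threshold decides which severities block the build.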

 

What if I’m using a previous version of npm?


You can use the npm audit command in npm@6 and in the latest npm@5 releases. Older versions will instead show a security alert like this:

 

How does this impact the JavaScript ecosystem?


In the short term, npm audit will raise awareness among developers of the known security vulnerabilities in the applications they use.

In the long term, security vulnerabilities and warnings will become more prominent, which will help everyone. When developers notice that they are bringing a vulnerable dependency into their project, they can switch to a fixed version of that particular dependency.

About Author

Hotam Singh

Hotam has 1.5 years of experience in Node.js. He has worked on front-end development, JavaScript, jQuery, Backbone.js and databases (MySQL, MongoDB). His hobbies are playing Sudoku/puzzles and watching movies.
