Chapter 1. Analysis of Known Node Package Vulnerabilities

Errors, like straws, upon the surface flow; he who would search for pearls, must dive below.

John Dryden

On average, more than 550 new Node packages are added to npm every day, making it the world’s largest software registry. Node packages are the greatest strength of the Node.js ecosystem—helping developers to reuse code, deliver features quickly, and reduce development and maintenance costs.

However, Node packages have significant implications for the security posture of Node applications. Similar to a chain that is only as strong as its weakest link, any vulnerabilities in an application’s direct or indirect Node package dependencies can make the application fall prey to security attacks.

On the bright side, the Node.js community and security researchers are publishing the Node package vulnerabilities as they are discovered. Developers also have tools that help to scan project code to detect insecure dependencies. In this chapter, we examine whether these efforts are sufficient to keep Node.js applications safe from insecure dependencies and how to prioritize security measures to achieve the maximum impact.
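As an added example (not code from the book), the following script shows what a dependency scanner has to do to act on the "weakest link" point above: walk an npm lockfile, resolve each dependency the way Node does, and trace a vulnerable indirect package back through the chain that pulled it in. The lockfile, the advisory list and all package names are constructed for this example.

```javascript
// Added example (not the book's code): walk an npm lockfile (lockfileVersion 3 "packages" map)
// and report each vulnerable package with the chain that pulls it in. All data here is constructed.
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "web-framework": "^2.0.0", "log-util": "^1.0.0" } },
    "node_modules/web-framework": { version: "2.1.0", dependencies: { "query-parser": "^4.0.0" } },
    "node_modules/query-parser": { version: "4.2.0", dependencies: { "deep-merge": "^1.0.0" } },
    "node_modules/deep-merge": { version: "1.1.0" },
    "node_modules/log-util": { version: "1.0.0" },
  },
};
const advisories = { "deep-merge": "1.2.0", "log-util": "1.0.1" }; // name -> first fixed version (constructed)
// Numeric comparison of dotted versions: negative when a is older than b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// Resolve a dependency like Node: nearest nested node_modules first, then each enclosing package.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    base = base.replace(/\/?node_modules\/[^/]+$/, "");
  }
}
// Depth-first walk from the root; "direct" marks first-level dependencies.
function findVulnerable(lockfile, db) {
  const packages = lockfile.packages, findings = [], visited = new Set();
  function walk(path, chain) {
    if (visited.has(path)) return; // each installed copy is checked once; also stops cycles
    visited.add(path);
    const pkg = packages[path], name = path.split("node_modules/").pop();
    if (path && db[name] && compareVersions(pkg.version, db[name]) < 0) {
      findings.push({ name, version: pkg.version, fixedIn: db[name],
        direct: chain.length === 1, chain: chain.join(" > ") });
    }
    for (const dep of Object.keys(pkg.dependencies || {})) {
      const depPath = resolveDep(packages, path, dep);
      if (depPath) walk(depPath, chain.concat(`${dep}@${packages[depPath].version}`));
    }
  }
  walk("", []);
  return findings;
}
console.log(findVulnerable(lock, advisories));
```

The chain string is what makes a finding actionable: an indirect package such as `deep-merge` cannot be upgraded in `package.json` directly, so the report names the direct dependency (`web-framework`) whose update or override is needed.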

Current State of Security Mechanisms Against Vulnerable Dependencies

Figure 1-1 shows the rate of discovering Node package vulnerabilities by year.

Figure 1-1. Rate of discovering Node package vulnerabilities (source: ...
