🙌 How to get rid of vulnerabilities with just NPM 👀

This content originally appeared on DEV Community and was authored by Luís Von Muller

Sometimes when you're trying to install or re-use some kind of global package in the NPM environment, you will get messages telling you something like this:

[Screenshot: installing a package]

As NPM itself will suggest, you should audit them to kindly fix them ☺️

[Screenshot: warnings of vulnerabilities]

But let me make it clear: that is for sure not the real way to do a "security" audit, but it is for sure the minimum safe baseline that you must keep (at least), for the greater good!

This kind of vulnerability could become a real problem, especially when your packages are global packages.

I mean, when you're using the "-g" flag to make them available system-wide.

For this, it's a minimum good practice to also use things like NPX. But... if you're as lazy as I am, here is a small shenanigan that could help you keep yourself a bit safer. 👀

🚶 Step by Step 🚶

1. Let's update NPM itself! 👉

On the bash, or terminal, type:

$ npm install npm@latest -g

The $ means that you're in bash, or at least on a terminal-like prompt 😅

The output will look something like...

[Screenshot: updating NPM]

And...

... Ok, I'll just type "$ npm audit" then...

WAT?

Yes, that is totally accurate! 👌

npm audit only checks the package (project) you're currently in (or nothing at all, if you're not in one). It does not check the entire global NPM environment.

OMG - David504

Context for the quote: https://www.youtube.com/watch?v=B6LpzJLrhpw

2. So, what should I do!? 🤔

The right way? Use Rust 🦀. Joking; you could use NPX, but if you don't want to (as I don't)... wait there!

You know what NPM people love? Packages. 📦

And so do we! We love packages 🥰! But what about installing another global package to fix global packages?

[Meme: Average Package Enjoyer with a big brain]

Now you must be saying: that looks sooo great!

Then kindly type this into the terminal, while praying to NPM's gods:

$ npm install -g npm-check-updates

The output is gonna be like:

[Screenshot: output of npm install -g npm-check-updates]

Thank god there wasn't any vulnerability inside the vulnerability-checking package 😮‍💨

3. NCU - A Package Inception! 😳

If all went well till now, guess what? You will have another package globally available to use! 😌

And guess what? This one can tell us which ones we should upgrade to get rid of:

(っ◔◡◔)っ ♥ legacy code vulnerabilities ♥

[Meme: Another global package? That's great!]

But how do we use it? Again, from the terminal, type:

$ ncu -g

Output should look like:

[Screenshot: output from the ncu package]

On the last line, it will give you the minimum needed updates to fix common vulnerabilities that were fixed in newer versions! 🤩

[Screenshot: my upgrade listings...]

Now... let's just, as always, do the CTRL+C -> CTRL+V stuff. 😎

Then you will be prompted with:

[Screenshot: after running upgrades...]

Vulnerabilities again?

65 WAT?

Yes, that is again fairly right 🤦‍♂️

What you will need to execute, instead of the other command that I told you to run, is this one:

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
and you will have Rust and Rust's Cargo!

Nah, let's talk serious now... 🙄

You got rid of the global packages' vulnerabilities (the ones in the packages themselves) by upgrading them. But those packages (sometimes) depend on other packages...
I told you that NPM's folks really like packages ¯\_(ツ)_/¯

There will always be some vulnerabilities left inside these (dependencies). But as long as they are not inside a global package itself, we're kinda good to go.

And to make sure there are none left, you can re-check by doing so:

$ ncu -g

(to check if there is the need to upgrade any to a safer version)

[Screenshot: rechecking global packages.]

Conclusion? 🤔
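Since npm audit ignores the global environment (the "WAT?" moment above) and ncu -g only compares installed versions against the newest release rather than against advisories, here is an added example script of my own (not from the original post) that feeds the global packages to npm audit through a throwaway package.json. The `npm ls -g --depth=0 --json` output shape is what current npm prints; the sample listing and its version numbers are constructed.

```python
"""Audit globally installed npm packages (added example, not from the post).

`npm audit` only inspects the project in the current directory, so global
packages are never checked. This script lists them via `npm ls -g --json`,
pins them in a throwaway package.json, builds a lockfile and runs the audit.
"""
import json
import os
import subprocess
import tempfile


def build_audit_manifest(npm_ls_json: str) -> dict:
    """Turn `npm ls -g --depth=0 --json` output into a package.json dict.

    Each package is pinned to its exact installed version so the audit reports
    on what is on disk; entries npm marks missing/invalid have no version and
    are skipped.
    """
    tree = json.loads(npm_ls_json)
    deps = {name: info["version"]
            for name, info in tree.get("dependencies", {}).items()
            if info.get("version")}
    return {"name": "global-audit", "version": "0.0.0",
            "private": True, "dependencies": deps}


def audit_global_packages() -> int:
    """Run npm audit over the global packages; return npm audit's exit code."""
    # npm ls exits non-zero when the global tree has problems but still prints JSON.
    listing = subprocess.run(["npm", "ls", "-g", "--depth=0", "--json"],
                             capture_output=True, text=True, check=False).stdout
    manifest = build_audit_manifest(listing)
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, "package.json"), "w") as fh:
            json.dump(manifest, fh, indent=2)
        # Resolve a package-lock.json without installing anything (npm 7+ audit
        # needs a lockfile); --ignore-scripts keeps lifecycle scripts from running.
        subprocess.run(["npm", "install", "--package-lock-only", "--ignore-scripts"],
                       cwd=workdir, check=True)
        return subprocess.run(["npm", "audit"], cwd=workdir, check=False).returncode


# Constructed sample of `npm ls -g --depth=0 --json` output (not real data).
SAMPLE_NPM_LS = json.dumps({"name": "lib", "dependencies": {
    "npm": {"version": "8.3.0"},
    "npm-check-updates": {"version": "12.1.0"},
    "broken-pkg": {"missing": True}}})

if __name__ == "__main__":
    raise SystemExit(audit_global_packages())
```

A non-zero exit from npm audit means at least one known advisory matches a global package or one of its dependencies, which is exactly what ncu -g alone cannot tell you.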

If you're gonna stick with just NPM, without NPX, please at least do this.

I will soon write a how to NPX... or not

Thanks! Follow me on the Dev Bubble on Twitter
