Common Misconfigurations

  1. Ignoring npm audit warnings
  2. Not updating dependencies regularly
  3. Using packages with known vulnerabilities
  4. Not checking transitive dependencies
  5. Missing security audit in CI/CD pipeline

Vulnerable Example

The package.json below pins versions that have published advisories: lodash 4.17.20 (command injection via template, CVE-2021-23337, fixed in 4.17.21), minimist 1.2.5 (prototype pollution, CVE-2021-44906, fixed in 1.2.6), and express 4.16.0, axios 0.21.0 and node-fetch 2.6.0, all of which predate several security releases of those packages. package.json is strict JSON, so the notes are kept out of the file rather than written as // comments, which npm would refuse to parse.

// package.json with vulnerable dependencies
{
  "name": "vulnerable-app",
  "version": "1.0.0",
  "dependencies": {
    "lodash": "4.17.20",
    "express": "4.16.0",
    "minimist": "1.2.5",
    "axios": "0.21.0",
    "node-fetch": "2.6.0"
  }
}

// package-lock.json not committed or outdated, so every install can resolve
// different transitive versions than the ones that were tested
// No .npmrc security configuration

Secure Solution

The same project with patched versions, security tooling wired into npm scripts, a hardened .npmrc, and a CI job that fails the build on findings. The JSON is kept free of comments so npm can parse it. Two caveats when upgrading from the vulnerable file: node-fetch 3.x is ESM-only, so code that does require('node-fetch') has to move to import, and the express and axios numbers were current when this page was written, so rely on npm audit rather than copying them.

// package.json with secure dependencies
{
  "name": "secure-app",
  "version": "1.0.0",
  "dependencies": {
    "lodash": "4.17.21",
    "express": "4.19.2",
    "minimist": "1.2.8",
    "axios": "1.6.5",
    "node-fetch": "3.3.2"
  },
  "devDependencies": {
    "npm-audit-resolver": "^3.0.0",
    "snyk": "^1.1269.0"
  },
  "scripts": {
    "audit": "npm audit --audit-level=moderate",
    "audit:fix": "npm audit fix",
    "security-check": "snyk test"
  }
}

An earlier version of this example also ran npm audit from a "preinstall" script. That is deliberately left out: a package's lifecycle scripts also run when someone installs it as a dependency, so an audit in preinstall turns every new advisory or registry outage into a failed install for all consumers. Gate on audit results in CI instead, as the workflow below does.

# .npmrc with security settings
# severity at which npm audit exits non-zero
audit-level=moderate
fund=false
# npm install writes "4.17.21" to package.json, not "^4.17.21"
save-exact=true
# always write and honour package-lock.json
package-lock=true

# .github/workflows/security.yml
name: Security Audit
on: [push, pull_request]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
      - run: npm ci   # installs exactly what package-lock.json records and fails if it disagrees with package.json
      - run: npm audit --audit-level=moderate
      - run: npm run security-check
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}   # snyk test needs an API token

For a job whose purpose is supply-chain security, pin the actions themselves to a commit SHA rather than a moving tag such as @v3, so a retagged or compromised action cannot change what the job executes. Setting ignore-scripts=true in .npmrc is a further hardening step: it stops dependencies' install scripts from running on npm ci, at the cost of having to run the scripts you actually need by hand.
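A CI gate should read the JSON form of the audit rather than the text table, because only the JSON says which findings are transitive and which fixes need a breaking upgrade. The following is an added example, not code from the original page or from npm: a Node script that takes the output of npm audit --json (the auditReportVersion 2 format npm 7 and later emit), applies the same threshold semantics as --audit-level, and separates transitive findings, fixes that npm audit fix will not apply without --force (fixAvailable as an object with isSemVerMajor), and findings with no published fix. The report embedded in it is constructed, and the packages hypothetical-parser and hypothetical-logger are invented names with invented advisories.

```javascript
'use strict';
// Added example, not code from the original page or from npm: triage the JSON
// output of `npm audit --json` (auditReportVersion 2) the way a CI gate should.
// SAMPLE_REPORT is CONSTRUCTED; "hypothetical-*" packages and their advisories
// are invented for illustration.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample in the shape npm 7+ prints for the vulnerable-app above.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    minimist: {
      name: 'minimist', severity: 'critical', isDirect: true,
      via: [{ name: 'minimist', title: 'Prototype pollution (CVE-2021-44906)', range: '<1.2.6' }],
      effects: [], range: '<1.2.6', nodes: ['node_modules/minimist'], fixAvailable: true,
    },
    lodash: {
      name: 'lodash', severity: 'high', isDirect: true,
      via: [{ name: 'lodash', title: 'Command injection via template (CVE-2021-23337)', range: '<4.17.21' }],
      effects: [], range: '<4.17.21', nodes: ['node_modules/lodash'], fixAvailable: true,
    },
    'hypothetical-parser': {   // transitive: pulled in by express (constructed)
      name: 'hypothetical-parser', severity: 'moderate', isDirect: false,
      via: [{ name: 'hypothetical-parser', title: 'Constructed advisory', range: '<2.0.0' }],
      effects: ['express'], range: '<2.0.0', nodes: ['node_modules/hypothetical-parser'],
      // An object here means the only fix is a semver-major bump of the parent.
      fixAvailable: { name: 'express', version: '5.0.0', isSemVerMajor: true },
    },
    'hypothetical-logger': {   // transitive, no fix published (constructed)
      name: 'hypothetical-logger', severity: 'low', isDirect: false,
      via: [{ name: 'hypothetical-logger', title: 'Constructed advisory', range: '*' }],
      effects: ['axios'], range: '*', nodes: ['node_modules/hypothetical-logger'], fixAvailable: false,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 1, high: 1, critical: 1, total: 4 } },
};

// npm's three fixAvailable cases: true, an object describing a parent upgrade, or false.
function describeFix(fixAvailable) {
  if (fixAvailable === true) return { kind: 'auto', text: 'npm audit fix' };
  if (fixAvailable && typeof fixAvailable === 'object') {
    const { name, version, isSemVerMajor } = fixAvailable;
    return isSemVerMajor
      ? { kind: 'major', text: `upgrade ${name} to ${version} (breaking; only via npm audit fix --force)` }
      : { kind: 'auto', text: `upgrade ${name} to ${version}` };
  }
  return { kind: 'none', text: 'no published fix: patch, replace, or add an npm override' };
}

// Same threshold rule as `npm audit --audit-level=<level>`: fail on findings at or above it.
function triageAudit(report, auditLevel = 'moderate') {
  if (report.auditReportVersion !== 2) throw new Error('unsupported audit report version');
  const threshold = SEVERITY_RANK[auditLevel];
  if (threshold === undefined) throw new Error(`unknown audit level: ${auditLevel}`);

  const findings = Object.values(report.vulnerabilities || {}).map((v) => ({
    name: v.name,
    severity: v.severity,
    direct: Boolean(v.isDirect),
    reachedVia: v.effects || [],   // the direct dependencies that drag a transitive one in
    fix: describeFix(v.fixAvailable),
  }));
  const failing = findings
    .filter((f) => SEVERITY_RANK[f.severity] >= threshold)
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] || a.name.localeCompare(b.name));
  const claimedTotal = report.metadata && report.metadata.vulnerabilities
    ? report.metadata.vulnerabilities.total : undefined;
  return {
    shouldFail: failing.length > 0,
    failing,
    transitive: findings.filter((f) => !f.direct).map((f) => f.name),
    needsMajorBump: findings.filter((f) => f.fix.kind === 'major').map((f) => f.name),
    unfixable: findings.filter((f) => f.fix.kind === 'none').map((f) => f.name),
    countsConsistent: claimedTotal === undefined || claimedTotal === findings.length,
  };
}

// One line per failing finding plus a verdict, for the CI log.
function formatTriage(result) {
  const lines = result.failing.map((f) =>
    `${f.severity.toUpperCase().padEnd(8)} ${f.name}` +
    `${f.direct ? '' : ` (transitive via ${f.reachedVia.join(', ')})`}: ${f.fix.text}`);
  lines.push(result.shouldFail ? 'FAIL: findings at or above the audit level' : 'PASS');
  return lines.join('\n');
}

if (typeof require !== 'undefined' && require.main === module) {
  // Real use: `npm audit --json > audit.json || true`, then `node audit-gate.js audit.json`.
  const fromFile = process.argv[2];
  const report = fromFile ? JSON.parse(require('fs').readFileSync(fromFile, 'utf8')) : SAMPLE_REPORT;
  const result = triageAudit(report, process.env.AUDIT_LEVEL || 'moderate');
  console.log(formatTriage(result));
  if (fromFile) process.exitCode = result.shouldFail ? 1 : 0;
}

if (typeof module !== 'undefined') {
  module.exports = { triageAudit, describeFix, formatTriage, SAMPLE_REPORT, SEVERITY_RANK };
}
```

audit-gate.js and AUDIT_LEVEL are assumed names. Note that npm audit --json itself exits non-zero whenever it finds anything, so in a pipeline capture its output with || true and let this script apply the real threshold; otherwise the job fails before the triage runs.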

Key Commands for Updating

Here are the essential npm commands to find and update vulnerable or outdated packages.

1. Audit for Vulnerabilities

This command scans your project against the npm registry for known security vulnerabilities. It’s the command used in the scripts section.
npm audit

2. Automatically Fix Vulnerabilities

This command attempts to automatically update your package-lock.json to fix the vulnerabilities found by npm audit. It will only perform “safe” updates that respect your package.json version ranges.
npm audit fix
  • Forcing Fixes: If vulnerabilities remain (often due to major version changes), you can try npm audit fix --force. Warning: This can install breaking changes, so use it with caution and test your application thoroughly afterward.

3. Check for Outdated Packages

This command lists all dependencies that have newer versions available than what is currently installed. This checks for all updates, not just security patches.
npm outdated

4. Update Packages to Latest SemVer

This command updates your packages to the latest version that is allowed by the semantic versioning (semver) rules in your package.json (e.g., ^4.17.20 might update to 4.17.21 but not to 5.0.0).
npm update

5. Update a Specific Package

To update a single package to its absolute latest version (even a new major version) and save that new version to your package.json:
npm install <package-name>@latest
# Example:
npm install lodash@latest
For a more powerful way to update all packages to their latest major versions (which npm update won’t do), you can use the npm-check-updates tool.
# 1. Install and run the tool (using npx, no permanent install needed)
npx npm-check-updates

# 2. Review the suggested updates.

# 3. To apply the updates to your package.json:
npx npm-check-updates -u

# 4. After updating package.json, install the new packages:
npm install
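Every command above rewrites package.json, package-lock.json, or both, and the advice to commit the lockfile and use save-exact only pays off if the two files actually agree afterwards. As an added example (not from the original page, and not npm's own validation), here is a check a pre-commit hook or CI step can run over the two files: it flags floating specifiers and semver ranges, direct dependencies missing from the lockfile, exact pins whose locked version has drifted, root entries that disagree with package.json (the condition that makes npm ci refuse to install), lockfile entries without an integrity hash, and tarballs resolved from anywhere other than the expected registry, assumed to be https://registry.npmjs.org/. The package.json and lockfile it ships with are constructed, and hypothetical-lib is an invented name.

```javascript
'use strict';
// Added example, not from the original page: consistency checks between
// package.json and package-lock.json (lockfileVersion 2 or 3). All inputs
// are CONSTRUCTED; "hypothetical-lib" is an invented package name.

// Assumption: every tarball should come from the public npm registry.
const DEFAULT_REGISTRY = 'https://registry.npmjs.org/';

// Classify a dependency specifier; save-exact=true wants every one to be 'exact'.
function classifySpec(spec) {
  if (spec === '' || spec === '*' || spec === 'latest') return 'floating';
  if (/^(git\+|github:|https?:|file:|npm:)/.test(spec) || spec.includes('/')) return 'non-registry';
  if (/^\d+\.\d+\.\d+([-+][0-9A-Za-z.-]+)?$/.test(spec)) return 'exact';
  return 'range';   // ^1.2.3, ~1.2.3, >=1.0.0 <2.0.0, 1.x, ...
}

function checkLockfile(pkg, lock, registry = DEFAULT_REGISTRY) {
  const problems = [];
  if (!lock) {
    problems.push({ name: 'package-lock.json', kind: 'no-lockfile' });
    return { ok: false, problems };
  }
  if (![2, 3].includes(lock.lockfileVersion)) {
    problems.push({ name: 'package-lock.json', kind: 'old-lockfile-version', locked: lock.lockfileVersion });
  }
  const packages = lock.packages || {};
  const root = packages[''] || {};

  // 1. Direct dependencies: pinned exactly, mirrored in the lock root, present, same version.
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'exact') problems.push({ name, kind, spec });
      const rootSpec = (root[field] || {})[name];
      if (rootSpec !== spec) problems.push({ name, kind: 'root-drift', spec, locked: rootSpec });
      const locked = packages[`node_modules/${name}`];
      if (!locked) { problems.push({ name, kind: 'not-locked', spec }); continue; }
      if (kind === 'exact' && locked.version !== spec) {
        problems.push({ name, kind: 'lock-drift', spec, locked: locked.version });
      }
    }
  }

  // 2. Every locked tarball (direct or transitive): integrity hash present, expected registry.
  for (const [path, entry] of Object.entries(packages)) {
    if (path === '' || entry.link || entry.inBundle) continue;   // workspace links and bundled deps have no tarball
    if (!entry.integrity) problems.push({ name: path, kind: 'no-integrity' });
    if (entry.resolved && !entry.resolved.startsWith(registry)) {
      problems.push({ name: path, kind: 'unexpected-registry', resolved: entry.resolved });
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed package.json: one range, one floating spec, one invented dependency.
const SAMPLE_PACKAGE_JSON = {
  name: 'secure-app', version: '1.0.0',
  dependencies: { lodash: '4.17.21', express: '^4.19.2', axios: '1.6.5', 'node-fetch': '3.3.2', 'hypothetical-lib': 'latest' },
};

// Constructed lockfile: axios drifted, node-fetch lacks integrity and came over http, hypothetical-lib is missing.
const REG = DEFAULT_REGISTRY;
const SAMPLE_LOCKFILE = {
  name: 'secure-app', version: '1.0.0', lockfileVersion: 3,
  packages: {
    '': { dependencies: { ...SAMPLE_PACKAGE_JSON.dependencies } },
    'node_modules/lodash': { version: '4.17.21', resolved: `${REG}lodash/-/lodash-4.17.21.tgz`, integrity: 'sha512-CONSTRUCTED' },
    'node_modules/express': { version: '4.19.2', resolved: `${REG}express/-/express-4.19.2.tgz`, integrity: 'sha512-CONSTRUCTED' },
    'node_modules/axios': { version: '1.6.2', resolved: `${REG}axios/-/axios-1.6.2.tgz`, integrity: 'sha512-CONSTRUCTED' },
    'node_modules/node-fetch': { version: '3.3.2', resolved: 'http://registry.npmjs.org/node-fetch/-/node-fetch-3.3.2.tgz' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Real use: `node check-lock.js package.json package-lock.json`; with no arguments the sample is checked.
  const fs = require('fs');
  const fromFiles = process.argv.length > 3;
  const pkg = fromFiles ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_PACKAGE_JSON;
  const lock = fromFiles ? JSON.parse(fs.readFileSync(process.argv[3], 'utf8')) : SAMPLE_LOCKFILE;
  const result = checkLockfile(pkg, lock);
  for (const p of result.problems) {
    console.log(`${p.kind.padEnd(20)} ${p.name}${p.spec ? ` spec=${p.spec}` : ''}` +
      `${p.locked ? ` locked=${p.locked}` : ''}${p.resolved ? ` resolved=${p.resolved}` : ''}`);
  }
  console.log(result.ok ? 'PASS' : `FAIL: ${result.problems.length} problem(s)`);
  if (fromFiles) process.exitCode = result.ok ? 0 : 1;
}

if (typeof module !== 'undefined') {
  module.exports = { classifySpec, checkLockfile, SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE, DEFAULT_REGISTRY };
}
```

check-lock.js is an assumed file name. The integrity check only tests that a hash is recorded; npm verifies the hash itself at install time, so the point of the check is to catch lockfile entries that were hand-edited or merged without one, which would let a swapped tarball install silently.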

Best Practices

  • Run npm audit regularly.
  • Keep package-lock.json in version control.
  • Use automated dependency updates (Dependabot/Renovate).
  • Implement security checks in CI/CD.
  • Review and update dependencies monthly.