npm found vulnerabilities – what does it mean?

If you have upgraded to npm version 6 you have probably started seeing messages like this: “found 13 vulnerabilities (9 low, 4 high)” when installing packages. It means npm found vulnerabilities. But what are these vulnerabilities and should you worry about them?

npm audit

npm version 6 introduced a new feature called security audits:

A security audit is an assessment of package dependencies for security vulnerabilities. Security audits help you protect your package’s users by enabling you to find and fix known vulnerabilities in dependencies that could cause data loss, service outages, unauthorized access to sensitive information, or other issues.

You can read more about them on the npm blog and the npm documentation website.

The new command to run an audit is npm audit.

npm audit runs automatically when you run npm install, hence the new messages. But what do they mean and should you worry about them?

Am I vulnerable?

Maybe… so you must do a bit of digging.

To generate a security report type npm audit. The security report will tell you which libraries contain vulnerabilities.

In this example, there are three vulnerabilities: 1 low, 2 high.

These vulnerabilities affect Karma and Protractor, two libraries used by Angular to run tests. Because these libraries are only used on a local machine during development, I can accept the risk and ignore them.

On the other hand, if these vulnerabilities affected code on a server, in a production environment, I would not risk it. I would upgrade to a later package or remove the package until a fix was available.
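One way to automate the dev-versus-production split described above, as an added example that is not code from the original post or from npm: it reads the JSON form of the report (`npm audit --json`, which this script assumes carries the npm 6 fields `advisories`, `module_name`, `severity`, `patched_versions` and `findings[].dev`) and fails only when an advisory is reachable from production dependencies. The sample report is constructed, with placeholder ids and module names.

```python
import json
import sys
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

def _advisory(adv_id, module, severity, patched, version, dev, path):
    """Build one advisory in the shape this script assumes npm 6 emits (only the fields read below)."""
    return {"id": adv_id, "module_name": module, "severity": severity,
            "patched_versions": patched,
            "findings": [{"version": version, "dev": dev, "optional": False,
                          "bundled": False, "paths": [path]}]}

# Constructed sample report with placeholder ids and module names (not real advisories):
# two findings live only under devDependencies, one is reachable from production code.
SAMPLE_REPORT = json.dumps({
    "advisories": {
        "1001": _advisory(1001, "test-runner-a", "low", ">=1.9.1", "1.9.0", True, "test-runner-a"),
        "1002": _advisory(1002, "test-runner-b", "high", ">=3.0.0", "2.4.0", True,
                          "e2e-harness>test-runner-b"),
        "1003": _advisory(1003, "http-server-x", "high", ">=4.2.0", "4.1.0", False,
                          "web-app-core>http-server-x"),
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 0, "high": 2, "critical": 0}},
})

def triage(report_json):
    """Split advisories into dev-only (every finding flagged dev) and production."""
    buckets = {"dev_only": [], "production": []}
    for adv in json.loads(report_json).get("advisories", {}).values():
        findings = adv.get("findings", [])
        entry = {"module": adv["module_name"], "severity": adv["severity"],
                 "patched": adv.get("patched_versions", "<none>"),
                 "paths": [p for f in findings for p in f.get("paths", [])]}
        # A finding with dev=False means the vulnerable code ships with the application.
        key = "dev_only" if findings and all(f.get("dev") for f in findings) else "production"
        buckets[key].append(entry)
    return buckets

def should_fail(report_json, threshold="high"):
    """True when any production advisory is at or above the severity threshold."""
    floor = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(e["severity"], 0) >= floor
               for e in triage(report_json)["production"])

if __name__ == "__main__":
    # Usage: npm audit --json > audit.json && python triage_audit.py audit.json
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for bucket, entries in triage(data).items():
        print(bucket, *[f"{e['severity']} {e['module']} (fix: {e['patched']}) via {', '.join(e['paths'])}"
                        for e in entries], sep="\n  ")
    sys.exit(1 if should_fail(data) else 0)
```

Run with no argument it triages the constructed sample and exits 1 because of the production finding; a report where every finding is flagged dev exits 0 and only lists what to review.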

Either way, we need to start paying attention to the npm security audits if we want to avoid nasty surprises.

P.S… You can start using npm audit right now by updating to the latest version of npm. Just type npm install npm -g.
