As Node.js applications scale in terms of size and features, their dependencies scale too. For Node.js applications to function as intended, you also need testing frameworks, UI frameworks, database clients, MVC libraries like Express, and more.
However, Hackers are increasingly targeting these types of dependencies to launch supply chain attacks in which they inject malicious code into third-party software. Researchers have also discovered that poorly configured build processes make applications more susceptible to these kinds of attacks.
In this article, we’ll review three tools for improving the security of your Node.js dependencies that were recently open sourced, including Socket, Node-Secure CLI, and N|Solid. Let’s get started!
Software is considered open source if the source code is available for anyone to view, modify, or improve. Anyone can access and use the source code, either to enhance the original software or to create something entirely different. Popular hosting services like GitHub host many of these open source projects.
When a developer decides to use a feature that already exists in another software package in their application instead of coding it from scratch, the original package becomes a dependency in their own project.
Developers often choose open source dependencies because they are freely available. The developer has access to the source code, meaning they can go through it to see how the package was built. They can add features as they see fit, republishing it on their own, or even contact the original authors of the open source project to merge their addition into the existing code.
However, there are occasionally licenses attached to open source dependencies that pose some restrictions on what the software that is using the dependency can and cannot do. For example, some licenses don’t allow developers to sell software that utilizes the open source dependency. Therefore, it is important to go through the open source licenses and ensure that your project is compliant.
npm is the package manager for Node.js. It was created in 2009 as an open source project to help JavaScript developers easily share packaged modules as dependencies.
Many software development teams depend on open source dependencies to implement features like authentication, speeding up the overall development time. However, using these dependencies can expose projects to attacks, making them at risk of embedded malware.
Dependencies can be classified as either transitive or direct. Direct dependencies are the libraries your code is directly referencing, while transitive dependencies are the libraries that your dependencies are linked to. Essentially, transitive dependencies are the dependencies of your dependencies. Due to transitive dependencies, developers are often times unaware of the number of open source libraries they are using.
According to research conducted by Veracode, out of 85,000 applications that were accessed in 2020, 71 percent had a vulnerability in an open source library upon initial scan, with 47 percent of the flaws arising from transitive dependencies. JavaScript applications are top the offenders, making up 87 percent of this figure.
When you install a dependency, you also import all of its issues, like security flaws and even bugs. For example, if an open source library used to generate user details has a cross-site scripting vulnerability, then your entire software is vulnerable, putting you and your users at risk of data theft. It is your responsibility as a developer to ensure that code written by others does not make your system insecure.
It’s important for developers to keep track of every dependency used in their applications, including direct and transitive dependencies. If a developer is unaware of the dependencies they are using, they can’t defend themselves from open source security and license compliance issues.
Regular code reviews are helpful for development teams to keep track of dependencies and the parts of their projects that depend on them. Developers should always be on the lookout for security announcements from the software packages they use. It’s also good practice to update dependencies when there are new updates, paying close attention to patch releases, which sometimes fix vulnerabilities that have been reported.
The aforementioned research by Veracode reported that 75 percent of known flaws are easily fixed by updating the code with minor revisions or patches. However, developers can also use tools to scan the dependency tree for security risks. A number of tools are available that integrate into an application’s build processes and detect all open source components in your software, generating reports on licensing, inventory, and security. Let’s review three of the most popular.
According to its documentation, Socket is known to detect and block supply chain attacks before they strike, preventing the worst possible outcomes. Socket runs static analysis on a package and all of its dependencies, including transitive dependencies, to look for specific risk markers. It uses deep package inspection to peel back the layers of a dependency and characterize its actual behavior.
Socket ensures security by preventing any compromised or hijacked packages from infiltrating your supply chain. It monitors real-time changes to your package.json, detecting when dependency updates introduce new usage of risky APIs, including network, shell, filesystem, and more. Finally, it blocks any red flags in open source code, including malware, typo-squatting, hidden code, misleading packages, permission creep, and more.
Not only does Socket detect vulnerabilities in your dependencies, it also provides actionable feedback about dependency risks. To use Socket, install the Socket GitHub app to get real time dependency scanning and reports with every pull request:
Node-Secure CLI is a Node js command line tool from NodeSecure. It fetches and deeply analyzes the dependency tree of a given npm package or a local project with a package.json, outputting a .json file that contains all the metadata and flags about each package. The CLI is capable of opening JSON code and displaying all the dependencies in a network, helping you identify potential security threats and issues:
With the data that is generated, it is possible to quickly identify varying security and quality issues across projects and packages. The Node-Secure CLI package is available on npm. You can easily install it with the command below:
npm install @nodesecure/cli -g
After installation, the nsecure binary will be available in the terminal. To see all the available commands, run nsecure --help.
N|Solid is an observability and insights tool from NodeSource that is used to manage Node.js performance and security. With N|Solid, data is collected directly from your application architecture and stack, then organized and displayed in a clear, user-friendly manner within the N|Solid console.
Using a series of tests, npm packages are scored to give developers an idea of how much risk their software is exposed to and how to mitigate it. Node.js packages are evaluated against security, compliance, and code quality. To get started with N|Solid, visit the sign up page.
It is good practice for developers to become more aware of the dependencies they let into their projects, reducing the possibility of hackers inserting malicious code into open source dependencies.
Creating open source usage policies for your teams and monitoring usage of open source dependencies, as well as being on the look out for new vulnerabilities will help to drastically improve the security of open source dependencies.
In this article, we reviewed Socket, Node-Secure CLI, and N|Solid, three open source tools for running reports on the security of the transitive and direct dependencies in your project. These can also help you review licensing and inventory, preventing future headaches for you and your application users.
Monitor failed and slow network requests in productionDeploying a Node-based web app or website is the easy part. Making sure your Node instance continues to serve resources to your app is where things get tougher. If you’re interested in ensuring requests to the backend or third-party services are successful, try LogRocket.
LogRocket is like a DVR for web and mobile apps, recording literally everything that happens while a user interacts with your app. Instead of guessing why problems happen, you can aggregate and report on problematic network requests to quickly understand the root cause.
LogRocket instruments your app to record baseline performance timings such as page load time, time to first byte, slow network requests, and also logs Redux, NgRx, and Vuex actions/state. Start monitoring for free.
Would you be interested in joining LogRocket's developer community?
Join LogRocket’s Content Advisory Board. You’ll help inform the type of content we create and get access to exclusive meetups, social accreditation, and swag.
Sign up now
Compare Prisma and Drizzle ORMs to learn their differences, strengths, and weaknesses for data access and migrations.
It’s easy for devs to default to JavaScript to fix every problem. Let’s use the RoLP to find simpler alternatives with HTML and CSS.
Learn how to manage memory leaks in Rust, avoid unsafe behavior, and use tools like weak references to ensure efficient programs.
Bypass anti-bot measures in Node.js with curl-impersonate. Learn how it mimics browsers to overcome bot detection for web scraping.
Learn more →
