
Vulnerable and Outdated Components

Explore how to manage vulnerable and outdated JavaScript components by auditing dependencies with npm and yarn. Understand the importance of package-lock files, automated security checks, and using tools like GitHub actions and Dependabot to maintain secure and stable applications.

Using components with known vulnerabilities

The Vulnerable and Outdated Components category currently sits at position six on the OWASP Top Ten. In 2017, the category was called Using Components with Known Vulnerabilities and sat at position nine. It moved up in rank in 2021 partly because the issue is difficult to test for and to assess the risk of. It ranked number two in the 2021 OWASP Top Ten community survey.

The category has “Components” in the name, but JavaScript developers more commonly refer to them as dependencies. It's almost impossible these days to be a JavaScript developer and not work with the npm registry, which hosts more than one million shared JavaScript packages, making it the largest software registry in the world. npm is one of the organizations at the center of the flourishing JavaScript open-source community.

Using shared libraries, frameworks, or other dependencies speeds up development and is an essential part of a healthy programming language ecosystem. It can save time, and it is often safer and more reliable to use a trusted dependency than trying to reinvent the wheel by writing our own packages. Popular frameworks have often gone through years of iteration, maturation, and enhancement by hundreds if not thousands of developers. For example, as ...