How to Fix Vulnerability Issues in Node.JS & Gulp with NPM Override

In this video I show you how to use NPM Override and NPM Audit Fix to resolve vulnerability issues in Node.js, Gulp, or any task manager or bundler that uses Node.js, like Webpack, Grunt, etc.

UPDATED VIDEO:
   • Fix NPM Vulnerabilities with NPM Over…  

Vulnerability issues are common when using these tools, especially if the packages or modules aren't maintained.

NPM does a good job notifying you if there are any vulnerability issues that you should be aware of.

Sometimes you will want to use NPM Overrides, and other times you’ll want to use NPM Audit Fix. I explain both options.

Make sure to always test thoroughly to make sure everything works as expected.

In this video, I particularly demonstrate how to fix the security issues in Node.js and in Gulp. But the process is also applicable to the other tools I mentioned.


#nodejs #npm #gulp


Content

0.179 -> What's up, everybody?
1.36 -> Welcome back to another video. In this episode,
3.65 -> I want to go over how you can fix and solve security vulnerabilities within your Node.js
9.37 -> projects.
10.58 -> They can be using either regular NPM scripts and modules, or you could be using something
16.73 -> like Gulp or Webpack, whatever bundler you're using.
21.21 -> I'm going to show you two ways to get this done.
23.94 -> So first things first, what I'm going to do here is just explain to you the project, the
29.859 -> sample project.
31.07 -> I'm working on my Windows computer.
33.07 -> I'm going to be using VS Code.
35.03 -> I do have git installed and I have git bash available.
38.35 -> I'm going to be using the git bash terminal.
41.2 -> So that way the command will work either on Windows with this setup that I have or work
47.19 -> on Mac OS or Linux as well.
49.07 -> All right.
50.07 -> So right here in VS Code, I'm gonna open up the terminal. By default here, it opens
55.17 -> up a PowerShell.
56.59 -> Now I just like working in git bash.
59.69 -> So now you see it's going to change into the bash terminal itself.
63.75 -> I'm going to just go over some very basic commands.
67.85 -> The first one I'm going to show you is ls -lah.
71.1 -> And you see here we have nothing in this folder.
76.049 -> So I'm going to make a directory with the mkdir command and I'm just going to call this
80.84 -> project.
84.31 -> Go back to the ls command.
85.76 -> And now you see we have the project folder.
89.16 -> So I'm going to change into that folder itself.
93.119 -> So we cd, for change directory, into project.
96.759 -> Now you see we're in the project folder.
99.01 -> I'm going to move the terminal screen up a little.
101.549 -> So now what I want to do is first show you the standard way to fix any vulnerability
107.189 -> issues.
108.189 -> So I'm going to type out NPM init to just create my package.json file.
112.8 -> Now I'm just going to press enter for all of these prompts because this is just for
117.49 -> demonstration purposes.
120.829 -> It's going to show me what's going to be outputted.
125.479 -> I'll just type out.
126.659 -> Yes. I'm going to hit Control-L to bring the terminal window up again.
130.489 -> So we see more.
132.219 -> What I want to do now is just show you that file.
135.14 -> So I'll type out cat package.json and we see the information inside that file.
142.84 -> Right now, there's really nothing there.
144.669 -> If we type out an ls -lah,
148.12 -> We see we have that file and nothing else.
150.599 -> So what I want to do now is I'm going to install a vulnerable package or module.
155.749 -> So I'm going to type out NPM install --save-dev, that's two dashes,
163.79 -> lodash.
168.01 -> And again, I'm going to be installing the older version of lodash.
171.2 -> So we can show you the vulnerability.
173.639 -> So I'll type out @4.17.1.
178.65 -> So I'm installing lodash now.
180.299 -> I'll press enter.
181.299 -> After a few seconds, it shows what it installed and you get this message: one critical severity
187.76 -> vulnerability. To address all issues,
189.87 -> run NPM audit fix --force.
193.629 -> Or you can run NPM audit for more details.
196.449 -> So let me just type out NPM audit and then you're going to get some information about
201.549 -> what the issues are.
203.12 -> And these are links that you can go to, to the announcement.
205.659 -> And now, if we want to just use a default way of fixing these vulnerabilities, we could
210.609 -> just type out NPM audit fix.
214.209 -> All right.
216.709 -> So now you see that we have zero vulnerabilities.
219.98 -> That's the built-in way, the default way of using NPM audit fix on a project.
225.269 -> Now you want to be careful with this command, especially the --force, because it might have
229.939 -> some breaking changes.
231.199 -> And I'll show you another way of how you can deal with these vulnerabilities to make sure
236.089 -> that you don't have any vulnerable dependencies in your projects.
239.709 -> Let me clear the screen.
241.48 -> I'm going to type out ls -lah again.
245.569 -> And now I'm going to remove the node_modules folder with rm -rf; this is for
254.329 -> recursive and forcing the deletion: rm -rf node_modules.
260.389 -> It's going to remove all those modules.
262.3 -> Then I'm going to remove the package-lock.json file, again with rm.
268.599 -> I'm using tab completion for this.
272.46 -> Now we'll do an ls again; we see we only have the package.json file.
278.039 -> So now I'm going to edit that file.
279.419 -> And again, I'm going to only be working in terminal because I don't want to have to jump
283.349 -> back and forth between the editor and the terminal itself.
286.25 -> So I'm going to use a terminal editor for this one.
289.41 -> I'll use nano and then that file; it opens it up inside the terminal editor.
296.67 -> I'm going to go down and I'm going to delete the dev dependency section.
308.18 -> Press Control-X, yes,
311.229 -> Enter and then I'll just cat that file again.
316.639 -> And you see we're back to where we started.
318.409 -> And let me clear the screen.
320.02 -> All right.
321.02 -> So now what I want to do is show you another way in how to deal with vulnerabilities using
325.699 -> NPM overrides.
327.61 -> So what I'm going to use here is gulp for demonstration.
331.09 -> All right.
332.129 -> So first thing I want to do is make sure I have gulp installed on my system.
338.76 -> It'll show me I have the CLI version, 2.3.0, and the local version is unknown.
344.43 -> If you don't have the CLI version installed, you could always type out this command: NPM
350.31 -> install --global gulp-cli.
359.27 -> I already have it so I don’t need to do that.
361.949 -> What I want to do now is just install a local version of gulp, so I'll just type out NPM
368.069 -> install gulp.
369.74 -> All right.
372.4 -> So after a little bit of time, you see installed 350 packages and it audited 351 packages in
379.12 -> 27 seconds.
380.389 -> It shows you here that we have six high severity vulnerabilities.
384.86 -> Now, for this, we don't want to run the npm audit fix because that will have breaking
390.09 -> changes.
391.09 -> So let's get more information quickly with NPM audit, and we can see the information it
398.03 -> gives us: if we do use NPM audit fix --force, it'll install gulp 3.9.1, which is a breaking
407.56 -> change.
408.56 -> Then it also shows you some of the issues that it has.
411.22 -> I'm going to click this advisory right here and you see what the issue is.
415.819 -> We have "glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in
422.669 -> enclosure regex".
424.24 -> Sounds pretty bad.
425.449 -> Is this really an issue?
426.569 -> Let's take it to StackOverflow.
428.87 -> And if we look up here, "Why do I keep getting an error when trying to install
433.129 -> Gulp?"
434.129 -> So you scroll down and we go to the answer.
436.469 -> It says Those are not errors.
438.49 -> Those are warnings issued by NPM.
440.65 -> The Gulp team is aware of those warnings, but it has decided that they do not need to
445.229 -> be regarded.
446.229 -> Instead, they insist that NPM audit is broken and should be fixed.
450.87 -> Let's click on this and you see the reference to it right here.
453.999 -> All right.
454.999 -> So for this, it says it's not really an issue, but just to be cautious, it's always good
458.55 -> to see if you can update any outdated dependencies or vulnerable dependencies.
462.729 -> So let's go back to our editor.
465.749 -> If we go here, we can see that we're using, in chokidar's glob-parent, a vulnerable
472.139 -> version of glob parent inside of this folder here.
475.639 -> We can always take a look at that folder if you want.
483.639 -> And we see all the folders and files that are installed or the modules.
488.31 -> You can dive into this and spend some time taking a look at it.
491.99 -> But that's not the purpose of this video.
493.659 -> So I'll just show you how to quickly fix it.
497.099 -> So now we're going to be using overrides within NPM.
501.6 -> So I'm going to nano the package.json file again.
506.11 -> I'm going to go down right after the second to last closing curly brace.
515.82 -> I'm just going to put in double quotation marks, "overrides", colon, curly braces; inside
526.21 -> of those curly braces,
527.21 -> I'm going to first type out "chokidar", colon.
534.339 -> And I want to use a more recent version of it.
538.69 -> 3.5.3.
540.18 -> What I'm saying here is basically any package of dependency that I use, I want to make sure
544.94 -> is always using the more recent version of this module or of this package.
549.25 -> Then I'll use Control-X to save the buffer, press Enter.
553.86 -> Now if we do NPM audit again, you're going to see you still have six vulnerabilities.
559.66 -> What we have to do is update our NPM packages.
564.38 -> So just type out NPM update.
566.29 -> I've got to go back into the package.json file right here.
576.95 -> Got to put in a comma, Control-X.
580.24 -> Yes.
581.27 -> And then I'll use NPM update again.
583.69 -> Now, you see, we only have four high severity vulnerabilities.
588.03 -> We could do NPM audit again.
591.68 -> It'll tell you what the issues are.
593.57 -> So I'm going to nano the package.json file
598.47 -> again. This time I'll put in a comma where I need it, and now I'm going to type out
604.68 -> glob-parent 6.0.2, Control-X, yes to write the buffer.
617.81 -> Enter. Let's cat that file; we see we have it there.
624.18 -> Now I'm going to NPM update it.
629.55 -> Now you see it has zero vulnerabilities.
633.21 -> Just to confirm I’ll type out NPM audit again and we see no vulnerabilities.
638.589 -> So now we have two ways to deal with security vulnerabilities within our Node.js projects.
645.07 -> We have the standard way with the NPM audit fix, but you have to be careful with that
650.529 -> one.
651.529 -> Sometimes it's better to go and deal with the dependencies independently if you can.
655.399 -> So the second way is using overrides with NPM, and if you want more information on that,
660.27 -> you can go to this website.
661.709 -> This is the NPM docs and the override section and gives you some more information how to
666.82 -> work with that.
667.82 -> All right.
668.82 -> So that said, if you're working with Node.js and you're working with either just NPM modules
673.79 -> that depend on vulnerable versions of a particular package or if you're using Gulp or Webpack
680 -> or any other bundler or task manager that has any vulnerable versions of dependencies, these
685.589 -> are two ways that you can resolve those.
687.79 -> If you want to find the version number of the most recent version of an NPM package, you
693.6 -> can just NPM we’ll say chokidar and it tells you what the most recent version is.
703.56 -> So hopefully you found this video helpful; if you did, give it a thumbs up.
707.37 -> Don't forget to subscribe.
708.37 -> Hit the notification icon.
709.74 -> Leave a comment down below and I'll see you in the next episode.
713.589 -> Happy coding.
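Once the overrides are in package.json and npm update has run, the check below, an added example that is not code from the video, builds the overrides block from the pins used in the video and then walks a package-lock.json for any nested copy of a package still below the fixed version, which is what re-running npm audit confirms in the video. The lock-file layout (lockfileVersion 2/3, a "packages" map keyed by install path) and the sample lock data are assumptions.

```javascript
// Added example (not from the video). Assumes the lockfileVersion 2/3 layout, where
// "packages" maps install paths such as "node_modules/chokidar/node_modules/glob-parent"
// to metadata with a "version" field.

// Split "1.2.3" (or "v1.2.3") into numeric parts for comparison.
function parseVersion(v) {
  return String(v).replace(/^[^\d]*/, '').split('.').map(Number);
}

// Numeric major.minor.patch comparison: <0 if a is older, 0 if equal, >0 if newer.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Merge version pins into package.json's "overrides" block (pins win on conflict).
function applyOverrides(pkg, pins) {
  return { ...pkg, overrides: { ...(pkg.overrides || {}), ...pins } };
}

// List every installed copy of `name`, at any nesting depth, older than `minSafe`.
function findVulnerableInstalls(lock, name, minSafe) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // The installed package name is whatever follows the last "node_modules/".
    const segments = path.split('node_modules/');
    if (segments[segments.length - 1] !== name || !meta.version) continue;
    if (compareVersions(meta.version, minSafe) < 0) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lock: the root glob-parent is fixed, but an old chokidar still
// carries its own nested pre-5.1.2 glob-parent (the situation shown in the video).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { gulp: '^4.0.2' } },
    'node_modules/glob-parent': { version: '6.0.2' },
    'node_modules/chokidar': { version: '2.1.8' },
    'node_modules/chokidar/node_modules/glob-parent': { version: '3.1.0' },
  },
};

// Pins from the video; write these to package.json, then run `npm update` and re-check.
const pinned = applyOverrides({ name: 'project' }, { chokidar: '3.5.3', 'glob-parent': '6.0.2' });
console.log(JSON.stringify(pinned.overrides));
console.log(findVulnerableInstalls(sampleLock, 'glob-parent', '5.1.2'));
```

Replace sampleLock with the parsed contents of your own package-lock.json to run the check on a real project.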

Source: https://www.youtube.com/watch?v=d5vfi-l4KWQ