How to Scan, Analyze and Fix Security Vulnerabilities using NPM AUDIT & Retire.js.
Aug 15, 2023
npm audit is a new feature, introduced with npm@6. Update npm version: npm i -g npm@latest
Content
0 -> Hi all, in this video we'll learn how to scan
3.891 -> and fix the security issues in our project.
7.61 -> So this is a sample ReactJS project. Not only a ReactJS project: if it is
13.086 -> Angular, Vue or any project which has a package.json file and all the
17.84 -> dependencies are declared like this, it's good to do the security scan test on it.
22.69 -> So we need to scan all these third-party dependencies.
25.93 -> Why scan the dependencies, devDependencies and optional
30.69 -> dependencies? These are third-party dependencies where the code is open
35.466 -> source, and with the help of this code hackers may enter into the application
39.776 -> and they can cause a huge loss for us. So these are the reasons we need to do
45.032 -> a security scan before going to the production environment, because this
48.573 -> causes a loss for us, for the business and the production environment as well.
53.91 -> So we need to do a security scan for all these third-party dependencies and we
58.315 -> need to find what all the issues are, the security issues that are in
63.592 -> these third-party dependencies. Thereafter I'll show you how to fix them.
67.56 -> So before going to that, I mean whenever we have an npm package.json file we'll
74.48 -> be doing npm install. I've taken this project from the git repo.
79.24 -> So now to work on this project I need to do npm install. So let me do that.
85.03 -> npm install and npm i are both the same. So once you do npm i,
91.13 -> it installs all the dependencies and finally
94.466 -> it will automatically run npm audit as well. npm audit will run and it will give the report.
100.81 -> So to have npm audit,
104.11 -> we need to have npm version 6 because npm
107.926 -> audit is available from the 6.x version. So from version 6.x
113.627 -> onwards only, npm audit is available. So if you have lower versions then
118.708 -> please update your npm version to the latest. So this is the command for that.
123.78 -> So I'm providing you npm install npm@latest -g; g stands for globally.
130.24 -> We are trying to install npm globally so that you will be getting the latest
135.067 -> version of six so that you can use npm audit. So fine.
139.824 -> I have taken a new project. npm i: I am installing all the dependencies.
145.819 -> Once it installs all the dependencies, it will provide us the npm audit.
151.078 -> Under the hood what happens: npm will be installing all the dependencies
155.687 -> one by one and it will check in the npm registry whether this dependency
160.976 -> has any security threats or not. If there are any security threats,
165.48 -> it will provide us the npm audit as well, so let me show you that.
170.45 -> I will directly run npm audit. So if you run npm audit it will
176.122 -> show a list of options like this. I mean now we got npm audit, so these are the four.
182.51 -> If you can observe here there are four security threats: two are low, two are high.
188.244 -> Here there will be 4 security levels, I mean severity levels. High and critical issues,
194.87 -> security issues, should be fixed as soon as possible, but coming to the low
199.216 -> and moderate, they can be fixed in the next releases or we can take some time to
203.71 -> fix them. So there would be 4 security threats. So as we got two high issues we need
209.467 -> to address them as soon as possible. So now check: we have 4 security issues from 4.
216.1 -> Three of them require a semantic versioning major dependency update.
221.95 -> So what does it mean? So let's check that. And the other one is, it is
227.313 -> saying that it needs a manual review. So let's check both of them.
232.786 -> So if you go to the top, the issues would be in this manner.
238.356 -> This is one of the issues; as we have four issues, two are high and two are low.
243.05 -> For the high issues here it will provide the security, I mean severity, level and the cause of
249.782 -> the issue, remote code execution. Where this security, I mean where this issue is present means in
256.661 -> this package, serialize-javascript. In this package we got an issue,
261.265 -> a security threat is there, but this package was not directly installed by us.
267.22 -> We have installed react-scripts, and from react-scripts this package came.
273.62 -> You can find the path here. In short, react-scripts is dependent upon this
280.178 -> webpack plugin and this webpack plugin is dependent upon serialize-javascript.
284.61 -> So this is the reason we got this issue and this is saying the dependency on this.
289.71 -> So like this you can understand. And the project, so this is how we are going to scan.
296.5 -> So the first step of scanning the project was done. Now you need to analyze what all
301.693 -> the issues are and what all the fixes are. So if you go to the top it is
306.963 -> showing the npm audit security report and you can see here "run this command".
311.57 -> npm will provide us maximum help to resolve all the security issues.
317.41 -> It is asking us to install react-scripts to the 4.0 version so that
323.741 -> three security threats would be resolved. It is giving a hint for us but
329.938 -> it is saying that there would potentially be
334.55 -> breaking changes. Why is this warning us? This is because
340.13 -> here in the react-scripts we have the 3.4.1 version.
345.29 -> In this version we have the issue.
347.82 -> It is asking us to move to the 4.0.1 version.
354.11 -> Here we know, in semantic versioning, the first would be the major release,
357.97 -> the second one is the minor release and the third one is a patch. As from the three major version we are
364.456 -> shifting to the four major version, it is warning us whether there would be breaking changes.
371.31 -> So we need to check. So don't
375.54 -> install or resolve multiple security issues at a time. Don't try to resolve multiple
380.89 -> security issues at a time, because all these security issues may cause
386.145 -> some breaking issues where your project may not work, where your application may not work as earlier.
392.21 -> So resolve each security issue one at a time and test
397.894 -> your application once again, whether there are any breaking changes or not. In that way it is
403.95 -> very good to track all the system, all the application flow as well.
409.66 -> Here there is a "more information" tab also, let me show it: Ctrl +
414.63 -> click, so it will open in the browser.
418.96 -> So there is some more information and some advisories as well on how to resolve this.
424.76 -> So it will give a certain description of why this is an attack and here it
430.061 -> will give a solution to upgrade to 3.1.0 or later. So these are the hints. You
436.616 -> need to understand whether this is really an issue for you or it
441.326 -> occurs only on a particular operating system or in a particular domain, like that. So here
447.32 -> the solution is we need to upgrade to 3.1.0. Also you can see the versions tab.
452.51 -> So it is showing what are all the affected versions. So all these versions, if anyone is
458.372 -> using any of these versions, this security threat would be there for them.
463.21 -> So these are the unaffected versions. So we need to use one of these versions
467.451 -> according to our project dependency such that our project should not break.
471.73 -> So try using unaffected versions. So let's go back here.
478.1 -> So this is how you need to analyze your security issues.
483.74 -> So you can also do npm audit fix, where npm will help us to fix
490.384 -> any of the automatically fixable issues. If there are any small issues,
494.82 -> they would be fixed automatically. So we need to do npm audit fix for that.
500.35 -> So never do npm audit fix --force. Let me show you.
506 -> So this is a warning it's throwing: npm audit fix --force.
511.54 -> So if you do this it will try to forcefully install all the dependencies,
516.062 -> even though those are major dependencies as well, it will install them,
521.01 -> where the breaking changes may occur and your application may not work as earlier. So don't do
527.772 -> npm audit fix --force anytime. So try to do the suggestion which it
533.095 -> has given. So this is the suggestion that was given: npm is asking us to install
537.126 -> react-scripts to the latest version. So let's do that: npm install
542.55 -> react-scripts to the latest version,
548.13 -> -S. So to install this,
551.47 -> i means, i stands here for install
554.814 -> and -S means I'm installing this dependency under dependencies.
560.89 -> -D, capital D, means devDependencies. We are asking to install in the devDependencies.
566.97 -> Here -S, capital S, means we are asking
570.86 -> react-scripts to install in the dependencies. So now we could
577.064 -> install react-scripts latest. So you can check, all the three issues would be gone.
582.77 -> Here we have four issues; as we are updating to the major updates,
587.65 -> three issues should be gone. In the three issues, two are the high issues.
593.58 -> So now we would be having only one low issue. So this is how we need to fix.
600.07 -> So in most of the cases all the security issues will have two fixes. So the way we need to fix, or
606.666 -> two things: number one would be updating, upgrading the version,
610.775 -> and number 2 is finding the best alternative and moving to that.
616.49 -> If you can't fix, or if there is no fix in that part for that particular package,
621.57 -> then it's better to find an alternative or
624.794 -> you can raise a pull request on GitHub for the particular package as well;
630.63 -> we have that option as well. So let me show you this once it is done.
635.17 -> So meanwhile I will show you how to manually review.
640.11 -> So this is a manual review, so it is asking us to manually review this
645.049 -> dependency because it is unable to take any decision on this security threat.
650.23 -> It is not able to give advice on this. So for that you have a few options.
656.647 -> So it is showing an issue in node-fetch, OK. Let me show you once it is fixed.
662.57 -> Yep, now it is fixed. So we have found only one low severity issue.
668.12 -> So let's get that report. To get the report you need to run npm audit.
673.36 -> Now you will be getting 1 low issue. Yep, we got one. So it will clearly
678.532 -> mention like this: manual review. It means it is not able to take an
682.792 -> action to resolve this dependency. So now we need to take an action on this.
687.42 -> So as I said, the severity is low.
692.75 -> This is because of a DDoS attack. This security threat is
698.274 -> present in node-fetch. And these are the possible updates.
703.18 -> So it is saying the patch is available in the below updates. So where this issue is coming from means
709.52 -> it is coming from react-google-maps. So this is the path.
714.45 -> This is the main path, react-google-maps, where this map depends. All these are the dependency
720.79 -> libraries for this map. So it exists in node-fetch. The issue exists in node-fetch.
726.41 -> So try to open this link. So it will give more information
732.084 -> on the particular security issue. We can read this, so a few of the issues.
737.64 -> So this is the fix it is saying. So you can fix, means you can upgrade
742.888 -> to the next level, or the second option is, if you are not able to find any fix for this, you
749.247 -> need to find the best alternative. So for that you can go to the same website
754.455 -> and you can find alternatives for that. For example, if there is some issue in the QR
760.562 -> code package which you are using, you can go to the number of QR code packages with the quality.
767.35 -> So you can filter here by quality, popularity and maintenance. So we need to go to quality.
772.59 -> I mean I'm sorting by quality, so the most popular quality, I mean there won't be any security,
779.33 -> fewer security issues, so those come to the top. So you need to find the best alternative
784.958 -> for that and you can use that library in place of the security threat library.
789.453 -> Yeah, in that way you need to manually review each and everything.
794.73 -> In some cases you need to upgrade the immediate library, like if there is
800.85 -> no solution to update node-fetch, there is an option to update the
806.864 -> isomorphic-fetch package such that this issue may be fixed automatically.
811.37 -> If not, you can also update fbjs as well. So here on this website
817.716 -> these options have been provided. So if there is a package and a
823.212 -> dependent package with the vulnerabilities, you can update the dependent package here.
829.68 -> So it's asking to update this to fix these manual review security issues as well.
835.56 -> So, one more option we have. So this is regarding npm audit: how to scan, how to fix.
842.05 -> So one more we have is retire. Like npm install,
846.136 -> I'm trying to install retire globally.
849.483 -> So this is another package, so it scans for
854.04 -> more security issues than what npm does. So just run
859.73 -> retire in the project which you are in. So it will give a number of issues, same
865.56 -> as npm audit, with the high severity and issue number and why the issue
870.716 -> happened. So also it will be providing the
876.34 -> fix as well in the GitHub link; it will be providing the GitHub link. So let's check this.
881.648 -> There is an issue with jQuery 3.2.1, so it's asking
887.229 -> us to migrate to, the fix is available in 3.5.0 it seems,
891.6 -> so we are using 3.2.1 here. So it's asking us to migrate from
897.929 -> 3.2.1 to 3.5.0, where the security
902.505 -> issue has a fix. In 3.2.1 it is mentioning
908.114 -> that there is a chance of cross-site scripting. Here
913.75 -> it is mentioned there is a chance of cross-site scripting. So that's the reason it's asking
920.542 -> us to upgrade. So you can also install retire
925.45 -> to check for more security issues. It is also the same as what we have done for npm audit.
932.01 -> Also, security issues means not fixing once. You need to keep this npm audit
936.374 -> in your continuous integration and deployment lifecycle as well, because you know day by day
941.411 -> security issues would be coming and the patches would be coming at the same time.
944.89 -> We need to update our packages to make sure that we don't expose our code to
951.615 -> security threats and we are up to date with all the packages, security packages,
955.86 -> so that's the way we'll be safe. So this is all about
960.704 -> how to scan and how to fix, how to analyze the security issues.
966.82 -> So thanks for watching. Please subscribe for more videos.
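The CI gate the video recommends at the end (fail on high/critical, let low/moderate wait, and treat semver-major fixes like the react-scripts 3.4.1 to 4.0.1 jump as needing manual testing), written as an added example that is not from the video: it reads the JSON that `npm audit --json` prints (the npm 7+ report shape is assumed; the sample report below is constructed) and decides whether the build should fail.

```javascript
// Added example, not from the video: a CI gate over the JSON that
// `npm audit --json` prints. Assumes the npm 7+ report shape (auditReportVersion 2).
// Policy from the video: high/critical fail the build, low/moderate only warn,
// and fixes that cross a semver major are listed for manual testing.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// True when moving from "a.b.c" to "x.y.z" changes the major number (3.4.1 -> 4.0.1).
function isMajorBump(from, to) {
  const [fromMajor] = from.split(".").map(Number);
  const [toMajor] = to.split(".").map(Number);
  return toMajor > fromMajor;
}

// Evaluate a parsed audit report against a failing severity threshold.
// Returns { fail, failing, warnings, majorFixes } so CI can decide and print details.
function gateAuditReport(report, failAt = "high") {
  const threshold = SEVERITY_RANK[failAt];
  const failing = [];
  const warnings = [];
  const majorFixes = [];
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    const entry = { name, severity: vuln.severity, direct: Boolean(vuln.isDirect) };
    (SEVERITY_RANK[vuln.severity] >= threshold ? failing : warnings).push(entry);
    // fixAvailable is false, true, or { name, version, isSemVerMajor } in npm 7+.
    const fix = vuln.fixAvailable;
    if (fix && typeof fix === "object" && fix.isSemVerMajor) {
      majorFixes.push(`${name}: update ${fix.name} to ${fix.version} (semver major, test first)`);
    }
  }
  return { fail: failing.length > 0, failing, warnings, majorFixes };
}

// Constructed sample report mirroring the video's findings; not real npm output.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "serialize-javascript": {
      name: "serialize-javascript", severity: "high", isDirect: false, range: "<3.1.0",
      fixAvailable: { name: "react-scripts", version: "4.0.1", isSemVerMajor: true },
    },
    "node-fetch": { name: "node-fetch", severity: "low", isDirect: false, fixAvailable: false },
  },
};

const result = gateAuditReport(SAMPLE_REPORT);
console.log(JSON.stringify(result, null, 2));
// In CI: process.exit(result.fail ? 1 : 0) so a high/critical finding fails the job.
```

In a pipeline, capture the real report with `npm audit --json > audit.json`, load it with `JSON.parse`, and exit non-zero when `fail` is true; the `majorFixes` list is what to apply one at a time with a test run after each.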
Source: https://www.youtube.com/watch?v=eN2i9V3ksMY