Javascript Development

Node.js 9.x.x and npm 6.x.x – “npm audit” to identify and fix security vulnerabilities in dependencies

June 3, 2018 JavaScript, Javascript Development, Modern Web Development, Node.js, NPM, OpenSource, Package Manager, Tech Newz, TypeScript, Web No comments

nodejs-npm

It has been a while I have been reading about the major changes that areintroduced in Node.js 9.x.x / NPM 6.x.x and myself faced by Node.js application going to a toss after I upgraded to Node.js 9.x.x, as I always keep Node.js up to date in my development environment.

I use NVM(Node Virtual Manager) to switch between different version of Node.js and I love the flexiblity NVM provides. So I was able to quickly switch back to 8.x.x version, when I figured out this change.

But npm packgage downgrade did not work using “npm install –g [email protected] due to old traces of 6.x.x   I had to clean up my npm cache and do npm install again.

Introduction – The “npm audit” command:

Recently with 6.0.0 NPM team has introduced many improvements such as :

a.) Provide protection against insecure code into the workflow during your npm install . When a user downloads code from the npm Registry, npm will review the request against the Node Security Platform database and return a warning if the code contains a vulnerability.

b.) Package signing for publishers.   npm-signature field will allow users of npm packages to verify the integrity of the package regardless of the tools they use to retrieve it or the registry from which they download it.

c.) Security auditing capability (which I am covering in this article).

The audit capability, which provides an ability to perform a security audit  on your project and dependency components.  To simplify it provides a moment-in-time security review of your project’s dependency tree.

  • It will scan your project for any vulnerabilities. 
  • You can choose the option to automatically install the compatible updates vulnerable dependencies.
  • Audit reports contain information about security vulnerabilities in your dependencies.
  • This report also contains necessary steps to be taken to fixe these vulnerability. For example, by running an npm install <package>@new-version.
  • It would work very well with your private/enterprise registries such as artifactory etc. 
  • It  will allow the developer to recursively analyze trees of dependent code to identify specifically what’s insecure.

The audit command submits a description of the dependencies configured in your project to your default registry and asks for a report of known vulnerabilities.

Quick Insight on the new commands:

  • npm audit      – Scan your project for vulnerabilities and just show the details, without fixing anything.
  • npm audit [—json]      – To provide report in Json format.
  • npm audit fix   – to scan and fix all vulnerabilities
  • npm audit fix –only=prod     – to skip updating devDependecies
  • npm audit fix –force  – will install semver-major updates to all top level dependencies.
  • npm audit fix –dry-run –json   – to do a dry run on the fixes and provide you a report.

NB: Npm audit fix runs a full  npm install under the hood, all configs that apply to the “npm audit fix”  will also apply to npm install.

References:

[NPM Tip] Error: self signed certificate in certificate chain

May 10, 2018 JavaScript, Javascript Development, OpenSource, TypeScript, Web, Web Development No comments

As a developer, if you are behind a corporate proxy that assigns an intermediatory self signed SSL certificate to every request to provide secure content filtering as part of cybersecurity measures, I am sure you might have gone through the pain to get it working when working with NodeJS.

if you have Admin access to your windows machine, you could simply try the following fix:

    • Simply Add an Environment Variable
Environment Variable Name: NODE_TLS_REJECT_UNAUTHORIZED, Value: 0

image

image

Hope that solves your problem.

[NPM Tip] Rewriting the default protocol for GitHub package references

May 9, 2018 JavaScript, Javascript Development, OpenSource, TypeScript, Web, Web Development No comments

Some times as a Modern Web Developer you will face some “npm install” as some of the packages would be referring to git/ssh protocol to reference private packages from Git Hub.

This would fail when you are behind a corporate proxy.

Rewriting the default protocol for GitHub, run the following snippet in your command line snippets:

git config --global url."https://github.com/".insteadOf [email protected]
git config --global url."https://".insteadOf git://

TypeScript for Visual Studio 2012–v0.8.3.1

March 30, 2013 .NET, Community, Frameworks, JavaScript, JavaScript, Javascript Development, Microsoft, MSDN, TypeScript, Updates, VisualStudio, VS2012, Web Development No comments

Microsoft has released an Incremental update to TypeScript for Visual Studio 2012 – the version 0.8.3.1, which is the first update to the v0.8.3 released in Feb 2013.

You can download the latest bits from here:

Download TypeScript for Visual Studio 2012 – v0.8.3.1