Vulnerable and Outdated Components
Explore how to manage vulnerable and outdated JavaScript components by auditing dependencies with npm and yarn. Understand the importance of package-lock files, automated security checks, and tools such as GitHub Actions and Dependabot for keeping applications secure and stable.
Using components with known vulnerabilities
The Vulnerable and Outdated Components category currently sits at position six on the OWASP Top Ten. In 2017, the category was called Using Components with Known Vulnerabilities and sat at position nine. OWASP notes that this is a category the industry struggles to test for and to assess risk for, which is part of why it moved up in 2021. In fact, it ranked number two in the 2021 OWASP Top Ten community survey.
The category has “Components” in the name, but JavaScript developers usually call them dependencies. It's almost impossible these days to be a JavaScript developer and not work with the npm registry, which hosts more than one million shared JavaScript packages, making it the largest software registry in the world. The npm registry sits at the center of the flourishing JavaScript open-source ecosystem.
Using shared libraries, frameworks, or other dependencies speeds up development ...