Third-Party Libraries
Learn how to secure Vue applications while working with third-party libraries.
Can we use third-party libraries?
Nowadays, it’s very common to install a new dependency whenever a specific piece of functionality is needed. Do we need a fancy multiselect? Let’s check npm for packages. How about tooltip components? Let’s head to npm again.
Third-party libraries are very useful: instead of starting from scratch, we pick a library, plug it in, and have working functionality. There’s no need to write or maintain that code ourselves; someone else does that job. Open source is great, but it can occasionally backfire, because every dependency we install is code we are trusting to run on our machines, in our build pipelines, and in our users’ browsers.
For instance, in 2018 malicious code was found in the npm package event-stream. A new maintainer had added a dependency, flatmap-stream, that carried an obfuscated payload, and the compromised version was downloaded around 8 million times in roughly 2.5 months. The payload targeted users of the Copay bitcoin wallet, harvesting wallet data and private keys and sending them to an attacker-controlled server. Another example is the malicious twilio-npm package discovered in 2020, a typosquat of the legitimate twilio library. Its install script opened a TCP reverse shell to an attacker-controlled host on every machine that installed it and then waited for commands to run on the infected machine. In both cases the developer did nothing more than run npm install. What can we do to protect ourselves from malicious code?