Fixing Vulnerability in My Package

GODORI · December 2, 2018

I found a vulnerability alert for my repository in the GitHub notifications.


According to this tweet, the original maintainer transferred ownership of the package to someone they didn't trust.

Now I know which package is vulnerable, but I still have no idea which of my dependencies pulls it in. Let's see what npm audit gives us. It turns out nodemon uses the malicious package as a dependency.
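npm audit answers the "which dependency pulls it in?" question by walking the lock file. The script below, an added example that is not part of the original post, does the same walk offline: it reads a package.json and a package-lock.json (lockfileVersion 1 layout) and prints every dependency chain from one of your direct dependencies down to a named package. The lock-file contents, the version numbers and the package names stream-lib, shared-helper and malicious-pkg are constructed; only nodemon comes from the post.

```javascript
// Added example, not from the original post. Lists every dependency chain from a
// direct dependency down to a target package, using lockfileVersion 1 data:
// each entry carries "requires" (what it depends on) and optionally a nested
// "dependencies" object (copies installed under its own node_modules).

// npm resolves a "requires" entry the way Node resolves modules: the package's
// own nested node_modules first, then each enclosing one up to the root.
function resolveRequire(scopes, name) {
  for (const deps of scopes) {
    if (deps && Object.prototype.hasOwnProperty.call(deps, name)) return deps[name];
  }
  return null;
}

function walk(entry, scopes, path, target, hits, onPath) {
  const scoped = [entry.dependencies || {}, ...scopes];
  for (const name of Object.keys(entry.requires || {})) {
    const child = resolveRequire(scoped, name);
    if (!child) continue; // incomplete tree: nothing to follow
    const key = `${name}@${child.version}`;
    const chain = [...path, key];
    if (name === target) hits.push(chain);
    if (onPath.has(key)) continue; // cycle guard: do not re-enter a package on the current path
    onPath.add(key);
    walk(child, scoped, chain, target, hits, onPath);
    onPath.delete(key);
  }
}

// The root's "requires" are the direct dependencies declared in package.json;
// the root's "dependencies" are the hoisted entries of the lock file.
function dependencyChainsTo(pkg, lock, target) {
  const root = {
    requires: { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) },
    dependencies: lock.dependencies || {},
  };
  const hits = [];
  walk(root, [], [], target, hits, new Set());
  return hits;
}

// The names you would actually pass to npm install <name>@latest.
function directDependenciesPullingIn(pkg, lock, target) {
  const names = dependencyChainsTo(pkg, lock, target).map((chain) => chain[0].replace(/@[^@]*$/, ""));
  return [...new Set(names)].sort();
}

// Constructed sample (all names except nodemon and all versions are made up):
// nodemon reaches malicious-pkg through stream-lib, which keeps a nested copy;
// express is unrelated and only shares a harmless helper with nodemon.
const samplePackageJson = {
  dependencies: { express: "^4.0.0" },
  devDependencies: { nodemon: "^1.2.0" },
};
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    express: { version: "4.0.0", requires: { "shared-helper": "^1.0.0" } },
    nodemon: { version: "1.2.3", requires: { "stream-lib": "^3.0.0", "shared-helper": "^1.0.0" } },
    "shared-helper": { version: "1.0.2", requires: {} },
    "stream-lib": {
      version: "3.3.5",
      requires: { "malicious-pkg": "^0.1.0" },
      dependencies: { "malicious-pkg": { version: "0.1.1", requires: {} } },
    },
  },
};

for (const chain of dependencyChainsTo(samplePackageJson, sampleLock, "malicious-pkg")) {
  console.log(chain.join(" > "));
}
console.log("direct dependencies to upgrade:", directDependenciesPullingIn(samplePackageJson, sampleLock, "malicious-pkg"));
```

With the constructed data the output is a single chain, nodemon > stream-lib > malicious-pkg, which is exactly the information needed to decide that nodemon is the package to update. A chain that ends in a nested copy (as here) will not go away when the hoisted copy is upgraded, which is why the walk follows the nearest node_modules scope rather than only the top-level entries.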

nodemon has already released a new version with the vulnerability fixed, so we can install the latest version.


With the npm outdated command, we can check whether updates are available for the installed packages.

  • The Current column shows the version installed locally.
  • The Wanted column tells us the latest version of the package we can upgrade to without breaking our existing code.
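The Wanted column is the highest published version that still satisfies the range written in package.json, while Latest is the highest published version at all. The script below, an added example that is not part of the original post, computes both columns for a package from its range and a list of published versions, handling caret (^), tilde (~) and exact ranges on plain x.y.z versions (prerelease versions are ignored). The published-version list and the version numbers are constructed; only the package name nodemon comes from the post.

```javascript
// Added example, not from the original post. Reproduces the Current / Wanted /
// Latest columns of npm outdated for ^, ~ and exact ranges on x.y.z versions.

// Parses "1.2.3" into [1, 2, 3]; prereleases and dist-tags are ignored (null).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns [lowerInclusive, upperExclusive] for a ^, ~ or exact range.
function rangeBounds(range) {
  const op = range[0] === "^" || range[0] === "~" ? range[0] : "";
  const base = parseVersion(range.slice(op.length));
  if (!base) throw new Error(`unsupported range: ${range}`);
  const [major, minor, patch] = base;
  if (op === "~") return [base, [major, minor + 1, 0]]; // same minor, any newer patch
  if (op === "^") {
    if (major > 0) return [base, [major + 1, 0, 0]]; // same major
    if (minor > 0) return [base, [0, minor + 1, 0]]; // ^0.x: same minor
    return [base, [0, 0, patch + 1]]; // ^0.0.x: that exact version only
  }
  return [base, [major, minor, patch + 1]]; // exact version
}

function satisfies(version, range) {
  const v = parseVersion(version);
  if (!v) return false;
  const [lo, hi] = rangeBounds(range);
  return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
}

// One row of npm outdated: wanted is the highest published version inside the
// range, latest the highest published version overall.
function outdatedRow(name, current, range, published) {
  const sorted = published
    .filter((v) => parseVersion(v) !== null)
    .sort((a, b) => cmp(parseVersion(a), parseVersion(b)));
  const wanted = sorted.filter((v) => satisfies(v, range)).pop() || current;
  const latest = sorted[sorted.length - 1];
  return {
    name,
    current,
    wanted,
    latest,
    // When wanted and latest differ, the newest version is outside the range in
    // package.json, which is when npm install <name>@latest is needed.
    wantedIsLatest: wanted === latest,
  };
}

// Constructed sample: the published versions and the installed version are made up.
const sampleRow = outdatedRow("nodemon", "1.2.3", "^1.2.0", [
  "1.2.0", "1.2.3", "1.3.0", "1.18.0", "2.0.0", "2.0.0-beta.1",
]);
console.log(sampleRow);
```

For the constructed data the row reads Current 1.2.3, Wanted 1.18.0, Latest 2.0.0: 1.18.0 is the highest version the caret range allows, and 2.0.0 is only reachable by explicitly installing name@latest, which is the case the next step covers.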

If you want the latest version, type npm install [PACKAGE-NAME]@latest and add the --save option to update only this package.

Awesome! Now we have removed the vulnerabilities from our packages!



2 comments

December 2, 2018

Great article! (Somehow I feel I should leave a comment in English.)
I also have a repository that uses nodemon, so I'll use this as a reference.

1 reply