
How do you (security) audit external software using NPM packages?

 2 years ago
source link: https://lobste.rs/s/imzzrj/how_do_you_security_audit_external

At my current client I’ve been doing more and more security-related tasks such as audits on external software. Currently the type of software I audit is WordPress plugins. I have more than 15 years of experience with WordPress, and in the past I could fairly easily assess a WordPress plugin’s potential security impact(s). Nowadays not so much, due to the seemingly increased usage of npm packages included with these plugins.

Often these plugins do not include a package.json or package-lock.json, nor are the JavaScript files readable (bundled and minified). This makes using npm audit near impossible. Good for production, less so for audits.

Sometimes I can grab development files such as package.json, package-lock.json from a public repo, but in the case of so-called ‘premium’ plugins a public repo is usually absent.

So my question is: How do you (security) audit external software depending on npm packages?

PS: I’ve asked this question also on Hacker News. I did not see any rules about cross-posting so if this is not ok, please let me know and I won’t cross-post in the future anymore.
