What is NPM audit?

NPM audit - security built in. NPM (Node Package Manager) is the package manager for Node.js and lets JavaScript developers share Node modules. For more about NPM, see Intro to NPM.

In version 6, npm introduced a new command, npm audit, that runs a security audit and assesses your package dependencies for security vulnerabilities.

Let's look at how to use npm audit to recursively evaluate the dependency tree and protect the quality and integrity of your code.

What is npm audit?

npm audit is a built-in security feature that scans your project for security vulnerabilities. It produces an assessment report containing details of the identified anomalies, potential fixes, and more.

It checks the current version of the installed packages in your project against known vulnerabilities reported on the public npm registry. If it finds a security issue, it reports it. The report includes the severity level of each identified vulnerability. If no vulnerabilities are found, the command exits with exit code 0.

Severity is determined by the impact of the issue and how exploitable it is. The severity levels and the recommended action for each are:


Severity level   Recommended action
Critical         Address immediately
High             Address as quickly as possible
Moderate         Address as time allows
Low              Address at your discretion



Benefits of npm audit

npm audit offers the following advantages:

  • A big community of open source contributors who work to find and address vulnerabilities in npm packages.
  • Identifies the security issues clearly and labels them in terms of the level of severity.
  • If a fix has been published, it provides an out-of-the-box option for resolving the discovered anomalies.

How to run npm audit

Ensure you have npm v6 or higher installed, by typing in your shell:

npm -v

If you have to upgrade, run the following command to update to the latest version:

npm install npm@latest -g

Whenever you install a package with npm install, the npm audit command runs automatically in the background and prints the security report after the dependencies have been installed successfully.

If you want to run it manually, just go to the src folder of your project and run:

npm audit

The npm audit command requires both a package-lock.json and a package.json to be present.

The audit report will be printed in the console. If you want the report in JSON format, run:

npm audit --json

You can also restrict the audit result to a certain level of severity, for example only critical findings:

npm audit --audit-level=critical

The full synopsis of npm audit is:

npm audit [--json|--parseable|--audit-level=(low|moderate|high|critical)]

Take security seriously: always check the report and take the action it indicates.

How to fix security vulnerabilities

If vulnerabilities were found, you have two options:

  • Apply the suggested fix automatically
  • Take manual actions to fix them

1) Apply the suggested fix automatically. If you want npm to fix the vulnerabilities automatically, run npm audit fix. Note that some vulnerabilities cannot be fixed automatically and will require manual intervention or review; the console output will say so.

Configs: because npm audit fix runs a full-fledged npm install under the hood, all configs that apply to the installer also apply to npm audit fix. Commands like npm audit fix --package-lock-only will work as expected.

If the update requires moving to a major version, then you’ll need to add the force flag:

npm audit fix --force

2) Take manual actions: If there are no patches for the identified issues, the security audit report will give you more details on how to carry out manual investigations to address them.

You can take any of the following actions to resolve the vulnerabilities:

  • Look for mitigating factors: In some limited cases, you may continue consuming the package even though the weakness still exists. For instance, the security risk may only be present on certain operating systems.
  • Update dependent packages: If a fix has been released, but the packages that depend on the vulnerable package have not been amended to reference the patched version, some manual intervention may be necessary. Start by locating the package that should be updated, using the Path field in the security audit report. This lets you find the vulnerable package; updating the reference to it may resolve the security issue.
  • Fix the vulnerability yourself: If a patch has not been released and nobody is working on it, fix it yourself and submit a pull request.

npm audit is a very useful feature that can enhance the security of your code: you can identify vulnerabilities and get actionable instructions on how to get rid of the risks.

Thanks for reading, and if you have any questions, use the comment function or send me a message.

If you want to know more about Node, see Node Tutorials.

References (and a big thank you):

WhiteSource , NPM audit
