One of the more interesting sessions at Drupal Hackcamp 2018 was about JS security.
It is well known that many JS tools and frameworks are now integrated into Drupal projects, and because of this JS security has become important for Drupal projects.
NPM is probably the most widely used JS package manager, mainly because it offers a large number of packages that help achieve the desired functionality in a project. Open-source developers around the world use NPM to share and borrow packages, contributing to a software registry of more than 600 thousand packages.
Despite these benefits for developers, there are drawbacks: no standard library, missing features and inconsistencies in the language, all of which should make developers think about JS security when using packages.
What if, for example, the code in our application comes from hundreds of developers because of the dependencies of the NPM packages we use? Should we trust all those developers? It is also well known that a good percentage of NPM packages have issues. Can our application have vulnerabilities because of such packages?
In reality, to avoid any risk an application would have to be free of dependencies, which means no NPM at all. But what if we still need some functionality that is available on NPM?
When using NPM, developers should first of all be aware of the possible risks, look at the code of the packages they install and try to limit their dependencies.
A very useful tool is Snyk. Snyk makes it possible to find, and more importantly fix, known vulnerabilities in open-source packages. And it's built by the best developers and security researchers in the space.
Another option when using NPM is NPM Enterprise, which lets you run NPM's infrastructure behind your company's firewall. It is designed for teams that need:
- Easy internal sharing of private modules.
- Better control of the development and deployment workflow.
- Stricter security around deploying open-source modules.
- Compliance with legal requirements to host code on-premises.
- Better code discovery and sharing within their organisation.
Using a private/caching npm repository server also helps, and Sinopia is a package for this. It gives you a local npm registry with zero configuration: you don't have to install and replicate an entire CouchDB database. Sinopia keeps its own small database and, if a package doesn't exist there, asks npmjs.org for it, keeping only the packages you actually use.
In closing, it is better to give JS security the importance it deserves and to use the tools that can help keep an application secure.
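The two concerns above, how much third-party code an application really pulls in through transitive dependencies and whether every package was fetched through the registry you intended (for example a private Sinopia mirror instead of the public registry), can be checked from the lockfile. The script below is an added example, not code from the original post or from the Snyk, Sinopia or NPM projects. It walks a package-lock.json in the v1 layout (nested "dependencies" objects). The lockfile contents and package names are constructed for illustration, and the approved registry URL assumes Sinopia's default port, 4873, on localhost.

```javascript
// Added example, not code from the original post or from Snyk/Sinopia/NPM.
// It walks a package-lock.json in the v1 layout (nested "dependencies" objects)
// to measure how much code an app pulls in transitively and to check that every
// package was resolved from the registry we intended (e.g. a private Sinopia mirror).

// Assumption: the private registry runs on Sinopia's default port, 4873.
const APPROVED_REGISTRY = "http://localhost:4873/";

// Constructed sample lockfile (not a real project): two direct dependencies,
// one of which pulls in two more levels of transitive dependencies.
const sampleLock = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "left-pad-ish": {
      version: "1.0.0",
      resolved: "http://localhost:4873/left-pad-ish/-/left-pad-ish-1.0.0.tgz",
    },
    "request-ish": {
      version: "2.0.0",
      resolved: "http://localhost:4873/request-ish/-/request-ish-2.0.0.tgz",
      dependencies: {
        "tiny-util": {
          version: "0.1.0",
          // Resolved straight from the public registry, bypassing the mirror.
          resolved: "https://registry.npmjs.org/tiny-util/-/tiny-util-0.1.0.tgz",
          dependencies: {
            "deep-dep": {
              version: "3.2.1",
              resolved: "http://localhost:4873/deep-dep/-/deep-dep-3.2.1.tgz",
            },
          },
        },
      },
    },
  },
};

// Summarise a v1 lockfile: number of direct dependencies, unique packages,
// deepest nesting level, and every package whose "resolved" URL is not under
// the approved registry (a missing "resolved" field is also reported).
function summarizeLock(lock, approvedRegistry = APPROVED_REGISTRY) {
  const unique = new Set();
  const foreign = [];
  let direct = 0;
  let maxDepth = 0;

  const walk = (deps, depth) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const id = `${name}@${meta.version}`;
      unique.add(id);
      if (depth === 1) direct += 1;
      if (depth > maxDepth) maxDepth = depth;
      const resolved = meta.resolved || "";
      if (!resolved.startsWith(approvedRegistry)) foreign.push(id);
      walk(meta.dependencies, depth + 1); // recurse into nested dependencies
    }
  };
  walk(lock.dependencies, 1);

  return { direct, total: unique.size, maxDepth, foreign };
}

const report = summarizeLock(sampleLock);
console.log(`direct: ${report.direct}, unique packages: ${report.total}, depth: ${report.maxDepth}`);
if (report.foreign.length > 0) {
  console.log(`not resolved from ${APPROVED_REGISTRY}: ${report.foreign.join(", ")}`);
}
```

Run it with `node` against a real package-lock.json by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; newer lockfile versions (v2/v3) keep a flat "packages" map and would need a different walk. The registry check complements a vulnerability scanner such as Snyk rather than replacing it: Snyk tells you which packages have known issues, while this check tells you whether your mirror is actually being used for all of them.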