Security is a big topic, and a complicated one.
It's hard to keep track of Node packages, because no tool tells you "this is a real security risk for you and your users".
What most tools tell you is that a package has a security issue, and it's up to you to decide how critical it is for your application.
Even specialised tools like GitHub's alerts for vulnerable dependencies or Snyk mostly generate a lot of warnings that turn out not to apply to how you use the package, and sorting through them is mostly a waste of time.
yarn security:audit
// Tons of noise...
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ concurrently                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ concurrently > yargs > yargs-parser                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1500                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
283 vulnerabilities found - Packages audited: 1874
Severity: 283 Low
error Command failed with exit code 2.
At the time of writing, NRN comes with about 300 vulnerabilities of Low level.
That may sound like a lot, but most of them are in packages that are only used during development (devDependencies) and never run in production, so they are not reachable by your users.
The above warning, for example, comes from the concurrently package, which is only used during development, when running the app in debug mode.
That's why we don't spend much time on Low level vulnerabilities, and rather focus on those that are more critical.
One caveat: "development only" should be checked rather than assumed. Follow the Path column back to the direct dependency and confirm it is listed under devDependencies. A devDependency still runs on developer machines and in CI, so a High or Critical finding there deserves a look even if it never reaches production.
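To make that triage repeatable instead of reading 300 table boxes by hand, here is an added example (written for this page, not code from NRN or from yarn) that parses the machine-readable form of the audit, `yarn audit --json`, and tags each finding as runtime or dev by looking up the root of its dependency path in package.json. It assumes the yarn v1 NDJSON layout (`auditAdvisory` records carrying `data.resolves[].path` and `data.advisory.{module_name,severity,title,patched_versions,url}`); the package.json fragment and the audit lines below are constructed for the example, and every advisory other than the yargs-parser one from the page is hypothetical and uses id 0 and an `example.invalid` URL.

```javascript
'use strict';

// Constructed package.json fragment (not NRN's real one): `concurrently` is a
// devDependency, `express` is a runtime dependency.
const PACKAGE_JSON = {
  dependencies: { express: '^4.17.1' },
  devDependencies: { concurrently: '^5.2.0' },
};

// Helper to build one `auditAdvisory` line in the (assumed) yarn v1 NDJSON shape.
function advisoryLine(id, path, moduleName, severity, title, patched, url) {
  return JSON.stringify({
    type: 'auditAdvisory',
    data: {
      resolves: [{ id, path }],
      advisory: { id, module_name: moduleName, severity, title, patched_versions: patched, url },
    },
  });
}

// Constructed audit output. The first line mirrors the yargs-parser finding shown on
// the page; the other two are hypothetical and exist only to exercise the triage rules.
const AUDIT_NDJSON = [
  advisoryLine(1500, 'concurrently>yargs>yargs-parser', 'yargs-parser', 'low',
    'Prototype Pollution', '>=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2',
    'https://www.npmjs.com/advisories/1500'),
  advisoryLine(0, 'express>example-runtime-lib', 'example-runtime-lib', 'high',
    'Hypothetical advisory (example only)', '>=2.0.0', 'https://example.invalid/advisory/0'),
  advisoryLine(0, 'concurrently>example-dev-tool', 'example-dev-tool', 'high',
    'Hypothetical advisory (example only)', '>=1.1.0', 'https://example.invalid/advisory/0'),
  JSON.stringify({ type: 'auditSummary', data: { vulnerabilities: { low: 1, high: 2 } } }),
].join('\n');

// Parse NDJSON, keep only advisory records, and emit one finding per resolution path.
function parseAuditOutput(ndjson) {
  const findings = [];
  for (const line of ndjson.split('\n')) {
    if (!line.trim()) continue;
    let record;
    try { record = JSON.parse(line); } catch (e) { continue; } // yarn warnings are not JSON
    if (record.type !== 'auditAdvisory') continue;
    const { advisory, resolves } = record.data;
    for (const r of resolves) {
      findings.push({
        id: advisory.id, module: advisory.module_name, severity: advisory.severity,
        title: advisory.title, path: r.path, patchedIn: advisory.patched_versions, url: advisory.url,
      });
    }
  }
  return findings;
}

// The root of "a>b>c" is the direct dependency "a"; classify by where it is declared.
// hasOwnProperty.call is used on purpose so a polluted Object.prototype cannot fake a match.
function classifyFinding(finding, pkg) {
  const root = finding.path.split('>')[0];
  const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj || {}, key);
  const scope = has(pkg.dependencies, root) ? 'runtime' : has(pkg.devDependencies, root) ? 'dev' : 'unknown';
  return { ...finding, root, scope };
}

// Summarise by scope/severity and pick out what deserves a human look: anything that
// is reachable from runtime code, or is High/Critical regardless of where it runs.
function triage(ndjson, pkg) {
  const classified = parseAuditOutput(ndjson).map((f) => classifyFinding(f, pkg));
  const summary = {};
  for (const f of classified) {
    const key = `${f.scope}/${f.severity}`;
    summary[key] = (summary[key] || 0) + 1;
  }
  const actionable = classified.filter(
    (f) => f.scope !== 'dev' || ['high', 'critical'].includes(f.severity),
  );
  return { classified, summary, actionable };
}

// Run stand-alone: `yarn audit --json > audit.ndjson` and feed that file in place of
// AUDIT_NDJSON to triage a real project.
if (typeof require !== 'undefined' && require.main === module) {
  const { summary, actionable } = triage(AUDIT_NDJSON, PACKAGE_JSON);
  console.log(summary);
  for (const f of actionable) console.log(`${f.severity} ${f.scope} ${f.path} (${f.title})`);
}
```

With the constructed input the yargs-parser finding lands in `dev/low` and is dropped from the actionable list, while the hypothetical High findings survive whether they sit under a runtime or a dev dependency. Findings whose root is in neither section (for example a package only present through the lockfile) are tagged `unknown` and kept, because an unexplained path is exactly the kind of thing the table output hides.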