Running npm audit when using private registry

As I wrote previously, NPM got a great tool for checking the security of your dependencies: npm audit.

However, if you run npm audit against a private package registry (ProGet, Artifactory, etc.), it may fail with “npm ERR! 400 Bad Request – POST” when npm tries to send the audit details it collected about your dependencies to https://<YOUR FEED URI>/-/npm/v1/security/audits, the security audit endpoint it assumes the private registry exposes. Most likely, your registry doesn’t replicate the official npm security API.

To fix the issue, simply add the public registry endpoint to your npm audit command line. The flag only affects this one command: the collected dependency list is posted to registry.npmjs.org for checking, while installs keep using the registry configured in your .npmrc:

npm audit --registry="https://registry.npmjs.org/"

New tool for making sense of npm-audit output

Managing Node.js dependencies and their security has never been a fun task. My heart stops for a few moments whenever I open the node_modules folder and see how much stuff my minimalistic one-page app is pulling from the depths of the web.

In an attempt to fix this, NPM this year acquired a great project, NSP (Node Security Platform), which consisted of a vulnerability data feed and a CLI. The NSP advisory feed was merged into the npm tool, but the CLI was discontinued. Instead, we got a new command: npm audit. However, the original NSP produced much nicer output than npm audit, which seems to be hated even by NPM's own developers. There were a few open issues on GitHub about prettifying its output, but they are all now abandoned.

My main problem with npm audit is that it's actually a bit dumb: it can't exclude devDependencies, it can't fail on a severity threshold, and the resulting JSON is just a mess. What I need is simply to integrate a security check into the build system and parse the results automatically. With the current state of npm audit that was not possible.

So it was time to act: I created the “npm-audit-ps-wrapper” tool, a very simple PowerShell wrapper around npm audit which fixes all the problems I just described. Most importantly, it is ready for automation and use with CI/CD.

https://github.com/doshyt/npm-audit-ps-wrapper

Example of npm-audit output:

npm audit -j

{
  "actions": [
    {
      "action": "install",
      "module": "aurelia-cli",
      "target": "0.35.1",
      "isMajor": false,
      "resolves": [
        {
          "id": 338,
          "path": "aurelia-cli>npm>fs-vacuum>rimraf>glob>minimatch>brace-expansion",
          "dev": false,
          "optional": false,
          "bundled": true
        },
        {
          "id": 338,
          "path": "aurelia-cli>npm>fstream>rimraf>glob>minimatch>brace-expansion",
          "dev": false,
          "optional": false,
          "bundled": true

Example of npm-audit-ps-wrapper output:

[
  {
    "VulnerabilitySource": "sshpk",
    "VulnerabilityTitle": "Regular Expression Denial of Service",
    "VulnerableVersions": "<1.13.2 || >=1.14.0 <1.14.1",
    "PatchedVersions": ">=1.13.2 < 1.14.0 || >=1.14.1",
    "VulnerabilityChains": [
      "aurelia-cli>npm>node-gyp>request>http-signature>sshpk",
      "aurelia-cli>npm>npm-registry-client>request>http-signature>sshpk",
      "aurelia-cli>npm>request>http-signature>sshpk"
    ],
    "VulnerabilitySeverity": "high",
    "AdvisoryUrl": "https://npmjs.com/advisories/606"
  },
  {
    ...
  }
]

Benefits of the wrapper tool:

  • Switch to ignore devDependencies.
  • Resulting JSON contains a list of vulnerabilities with minimal viable information about them.
  • Switch to fail on a set severity threshold level.
  • Write output to a JSON file.
  • Switch for silent execution.

Hope it helps to streamline the security of your JS libs and make it a bit better!