NPM vulnerabilities and PHP dependencies vulnerabilities are common problems in modern web development. We use a lot of third-party libraries. Javascript libraries using npm. PHP libraries using composer. It is expected that we will encounter various vulnerabilities. Both npm and composer assets and their dependencies must be updated regularly.
In this post, I describe my own custom solution to get notifications from automatic audits (npm and composer) using a simple cron job.
In most cases, any vulnerability issue will be fixed by updating your dependencies:
npm dependencies audit
npm outdated
npm outdated is a quick and easy way to find outdated dependencies. However “outdated” does not mean “vulnerable”.
pontikis@athena:cliowp-blocks-boilerplate$ npm outdated
Package Current Wanted Latest Location Depended by
@wordpress/scripts 24.2.0 24.5.0 24.5.0 node_modules/@wordpress/scripts cliowp-blocks-boilerplate
npm audit
npm audit is the ideal solution to detect known vulnerabilities in our dependencies.
pontikis@athena:cliowp-blocks-boilerplate$ npm audit
# npm audit report
loader-utils 2.0.0 - 2.0.2
Severity: critical
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
fix available via `npm audit fix`
node_modules/loader-utils
1 critical severity vulnerability
To address all issues, run:
npm audit fix
npm audit fix
Moreover, npm audit fix will fix the issues found by npm audit command:
pontikis@athena:cliowp-blocks-boilerplate$ npm audit fix
changed 1 package, and audited 1297 packages in 3s
197 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
composer dependencies audit
composer outdated
composer outdated is similar to npm outdated.
composer audit
composer audit is similar to npm audit, but it is available from composer 2.4
Put them all together
This simple bash script will perform an audit for vulnerabilities (or outdated dependencies). Create it in a common user space. Important: do not run npm or composer as root.
nano /home/username/srcipts/audit_assets.sh
and make it executable:
chmod +x /home/username/srcipts/audit_assets.sh
#!/usr/bin/env bash
audit="$(date)"
audit+=$'\n\n'
audit+=$'npm audit results:\n\n'
audit+=`cd /var/www/html/yoursite; /usr/bin/npm audit`
audit+=$'\n\nnpm outdated results:\n\n'
audit+=`cd /var/www/html/yoursite; /usr/bin/npm outdated`
audit+=$'\n\ncomposer outdated results:\n\n'
audit+=`cd /var/www/html/yoursite; /usr/local/bin/composer outdated`
audit+=$'\n\nJOB DONE!\n'
echo "$audit" | /usr/bin/mail -s"Assets audit on your-server.com" you@your-email.com
Cron automation
With the following cron configuration, the script will run every day at 5 o’clock.
crontab -e
0 5 * * * /path/to/scripts/audit_assets.sh #Audit NPM and Composer assets
Third-party solutions
There are many third-party solutions that automate npm or composer audits. Some of them are:
npm vulnerability scanners
composer vulnerability scanners
- Testing for PHP Composer security vulnerabilities with Snyk
- A PHP dependency vulnerabilities scanner based on the Security Advisories Database
- Repman
Reference
- Auditing package dependencies for security vulnerabilities
- Official documentation – npm-audit
- New
composer auditCommand and security audits in Composer 2.4
Entrepreneur | Full-stack developer | Founder of MediSign Ltd. I have over 15 years of professional experience designing and developing web applications. I am also very experienced in managing (web) projects.
