In this post, I describe my own custom solution to get notifications from automatic audits (npm and composer) using a simple cron job.
In most cases, a reported vulnerability is fixed simply by updating your dependencies.
npm dependencies audit
npm outdated is a quick and easy way to find outdated dependencies. However “outdated” does not mean “vulnerable”.
pontikis@athena:cliowp-blocks-boilerplate$ npm outdated
Package             Current  Wanted  Latest  Location                         Depended by
@wordpress/scripts  24.2.0   24.5.0  24.5.0  node_modules/@wordpress/scripts  cliowp-blocks-boilerplate
npm audit is the ideal solution to detect known vulnerabilities in our dependencies.
pontikis@athena:cliowp-blocks-boilerplate$ npm audit
# npm audit report

loader-utils  2.0.0 - 2.0.2
Severity: critical
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
fix available via `npm audit fix`
node_modules/loader-utils

1 critical severity vulnerability

To address all issues, run:
  npm audit fix
npm audit fix
Moreover, npm audit fix will fix the issues found by the npm audit command:
pontikis@athena:cliowp-blocks-boilerplate$ npm audit fix

changed 1 package, and audited 1297 packages in 3s

197 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
composer dependencies audit
composer outdated is similar to
composer audit is similar to npm audit, but it is only available from Composer 2.4 onwards.
Put them all together
This simple bash script performs an audit for vulnerabilities (and reports outdated dependencies). Create it under a regular, non-root user account. Important: do not run composer as root. Then make it executable:
chmod +x /home/username/scripts/audit_assets.sh
#!/usr/bin/env bash

# Collect the whole report in one variable: a timestamp, then the output of
# each audit, each section separated by a heading line.
audit="$(date)"
audit+=$'\n\n'
audit+=$'npm audit results:\n\n'
audit+=$(cd /var/www/html/yoursite; /usr/bin/npm audit)
audit+=$'\n\nnpm outdated results:\n\n'
audit+=$(cd /var/www/html/yoursite; /usr/bin/npm outdated)
audit+=$'\n\ncomposer outdated results:\n\n'
audit+=$(cd /var/www/html/yoursite; /usr/local/bin/composer outdated)
audit+=$'\n\nJOB DONE!\n'

# Mail the report; adjust the subject and the recipient address.
echo "$audit" | /usr/bin/mail -s "Assets audit on your-server.com" firstname.lastname@example.org
With the following cron configuration, the script will run every day at 05:00.
0 5 * * * /path/to/scripts/audit_assets.sh # Audit NPM and Composer assets
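A tightened variant of the cron script, added here as an example and not the post's own code: it keeps the same report layout, refuses to run as root, adds composer audit (Composer 2.4+) next to the outdated checks, and only sends mail when an audit exits non-zero or the report lists a high or critical advisory, so quiet days produce no mail. SITE_DIR, MAIL_TO and the tool paths are assumed placeholders, overridable from the environment.

```shell
#!/usr/bin/env bash
# Added example, not the post's original script: it runs the same audits but
# refuses to run as root and only mails when an audit reports a problem.
# Assumed placeholders (not from the post): SITE_DIR, MAIL_TO and tool paths;
# all can be overridden from the environment. Start it from cron with "run".
set -u
SITE_DIR="${SITE_DIR:-/var/www/html/yoursite}"
MAIL_TO="${MAIL_TO:-firstname.lastname@example.org}"
NPM="${NPM:-/usr/bin/npm}"
COMPOSER="${COMPOSER:-/usr/local/bin/composer}"

# composer (and npm lifecycle scripts) must never run with uid 0.
require_non_root() { [ "$(id -u)" -ne 0 ]; }

# run_in_site CMD...: run CMD inside SITE_DIR, print stdout+stderr and pass its
# exit status through (npm audit / composer audit exit non-zero on advisories).
run_in_site() { ( cd "$SITE_DIR" && "$@" 2>&1 ); }

# needs_alert STATUS REPORT: true when an audit failed or the report lists a
# high/critical advisory, so a quiet day sends no mail at all.
needs_alert() {
    [ "$1" -ne 0 ] && return 0
    printf '%s\n' "$2" | grep -Eq '^Severity: (high|critical)$'
}

# build_report: print the report in the layout of the original script and
# return 1 if any audit (not the informational "outdated" checks) failed.
build_report() {
    local worst=0 out
    date
    out=$(run_in_site "$NPM" audit) || worst=1
    printf '\nnpm audit results:\n\n%s\n' "$out"
    out=$(run_in_site "$NPM" outdated) || true   # exits 1 when anything is outdated
    printf '\nnpm outdated results:\n\n%s\n' "$out"
    out=$(run_in_site "$COMPOSER" audit) || worst=1      # Composer 2.4+
    printf '\ncomposer audit results:\n\n%s\n' "$out"
    out=$(run_in_site "$COMPOSER" outdated) || true
    printf '\ncomposer outdated results:\n\n%s\n' "$out"
    return "$worst"
}

main() {
    require_non_root || { echo "refusing to run as root" >&2; exit 1; }
    local report rc=0
    report=$(build_report) || rc=$?
    needs_alert "$rc" "$report" || return 0
    printf '%s\n' "$report" | /usr/bin/mail -s "Assets audit on $(hostname)" "$MAIL_TO"
}
case "${1:-}" in run) main ;; esac
```

Schedule it with the same cron entry as above, adding the argument: `0 5 * * * /home/username/scripts/audit_assets.sh run`.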
There are many third-party solutions that automate npm or composer audits. Some of them are:
- npm vulnerability scanners
- composer vulnerability scanners
- Testing for PHP Composer security vulnerabilities with Snyk
- A PHP dependency vulnerabilities scanner based on the Security Advisories Database
- Auditing package dependencies for security vulnerabilities
- Official documentation – npm-audit
- composer audit command and security audits in Composer 2.4