How To Automatically Check composer and npm Vulnerabilities

Vulnerabilities in npm and composer dependencies are a common problem in modern web development. We rely on many third-party libraries: JavaScript libraries installed with npm, PHP libraries installed with composer. Sooner or later some of them will ship a known vulnerability, so both npm and composer dependencies, including their transitive dependencies, must be audited and updated regularly.

In this post, I describe my own custom solution: a simple cron job that runs the automatic audits (npm and composer) and sends the results by e-mail.

In most cases, a reported vulnerability is fixed simply by updating the affected dependency. The commands below show how to find out what needs updating.

npm dependencies audit

npm outdated

npm outdated is a quick and easy way to list dependencies that have a newer version available. Keep in mind that “outdated” does not mean “vulnerable”: an older version may have no known issues, and the latest version may still be affected.

pontikis@athena:cliowp-blocks-boilerplate$ npm outdated
Package             Current  Wanted  Latest  Location                         Depended by
@wordpress/scripts   24.2.0  24.5.0  24.5.0  node_modules/@wordpress/scripts  cliowp-blocks-boilerplate

npm audit

npm audit is the right tool to detect known vulnerabilities in our dependencies: it submits the installed dependency tree to the registry and reports every advisory that matches, with severity and the fix available.

pontikis@athena:cliowp-blocks-boilerplate$ npm audit
# npm audit report

loader-utils  2.0.0 - 2.0.2
Severity: critical
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
fix available via `npm audit fix`
node_modules/loader-utils

1 critical severity vulnerability

To address all issues, run:
  npm audit fix

npm audit fix

npm audit fix applies the updates suggested by npm audit, but only those that stay within the version ranges declared in package.json (semver-compatible updates). A fix that requires a major version bump is not applied automatically; npm reports it and offers npm audit fix --force, which can install breaking changes and should be reviewed by a human rather than run blindly from a cron job:

pontikis@athena:cliowp-blocks-boilerplate$ npm audit fix

changed 1 package, and audited 1297 packages in 3s

197 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

composer dependencies audit

composer outdated

composer outdated is the composer equivalent of npm outdated: it lists installed packages with a newer version available. With the --strict option it returns a non-zero exit code when outdated packages exist, which is convenient for scripting. As with npm, “outdated” does not mean “vulnerable”.

composer audit

composer audit is the composer equivalent of npm audit: it checks the installed packages against the security advisory database and reports the known vulnerabilities. It is available since composer 2.4; on a server with an older composer the command does not exist, so upgrade first (composer self-update).

Put them all together

This simple bash script runs the audits (vulnerabilities and outdated dependencies) and mails the result. Create it in your normal user's home directory. Important: do not run npm or composer as root; run the script, and therefore the cron job, as the unprivileged user that owns the project files.

nano /home/username/scripts/audit_assets.sh

and make it executable:

chmod +x /home/username/scripts/audit_assets.sh

#!/usr/bin/env bash
# Audit the npm and composer dependencies of one project and mail the result.
# Run as the unprivileged user that owns the project, never as root.
project=/var/www/html/yoursite

cd "$project" || exit 1

audit="$(date)"
audit+=$'\n\n'
audit+=$'npm audit results:\n\n'
audit+="$(/usr/bin/npm audit 2>&1)"
audit+=$'\n\nnpm outdated results:\n\n'
audit+="$(/usr/bin/npm outdated 2>&1)"
audit+=$'\n\ncomposer audit results (requires composer 2.4 or later):\n\n'
audit+="$(/usr/local/bin/composer audit 2>&1)"
audit+=$'\n\ncomposer outdated results:\n\n'
audit+="$(/usr/local/bin/composer outdated 2>&1)"
audit+=$'\n\nJOB DONE!\n'

echo "$audit" | /usr/bin/mail -s "Assets audit on your-server.com" you@your-email.com

Cron automation

With the following crontab entry, the script runs every day at 05:00 (server local time). Install it in the crontab of the same unprivileged user (run crontab -e as that user, not as root):

crontab -e
0 5 * * * /path/to/scripts/audit_assets.sh #Audit NPM and Composer assets
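A more robust version of the same cron job, added here as an example and not part of the original post: it records the exit status of each command, counts the checks that need attention, and sends mail only when something was found (set AUDIT_ALWAYS_MAIL=1 to get a daily report regardless). It relies on the fact that npm audit, npm outdated, composer audit and composer outdated --strict all exit non-zero when they find something; npm audit is limited to high and critical advisories with --audit-level=high. The environment variable names AUDIT_PROJECT_DIR, AUDIT_MAIL_TO and AUDIT_ALWAYS_MAIL and the function names are my own choice, not anything the tools define.

```shell
#!/usr/bin/env bash
# audit_assets.sh: run the npm and composer audits for one project and mail a
# report only when something needs attention. Example code, not from the post.
#
# Settings come from the environment (variable names are my own choice):
#   AUDIT_PROJECT_DIR  project directory containing package.json / composer.json
#   AUDIT_MAIL_TO      recipient address
#   AUDIT_ALWAYS_MAIL  set to 1 to mail the report even when everything is clean

NL='
'                      # a literal newline, portable across sh and bash

REPORT=""              # accumulated report text
FLAGGED=0              # number of checks that exited non-zero
FLAGGED_LABELS=""      # their labels, space separated

# run_check LABEL COMMAND [ARGS...]
# Runs COMMAND in the current directory, appends its output to REPORT and
# counts it as flagged when it exits non-zero. All four tools used below exit
# non-zero when they find something (npm audit: vulnerabilities at or above
# --audit-level; npm outdated and composer outdated --strict: outdated
# packages; composer audit: advisories). A non-zero status also covers real
# failures such as an unreachable registry or a composer too old for "audit";
# that is the conservative choice, you want to hear about those too.
run_check() {
  local label output status
  label=$1
  shift
  if output=$("$@" 2>&1); then
    status=0
  else
    status=$?
  fi
  REPORT="${REPORT}== ${label} (exit ${status}) ==${NL}${output}${NL}${NL}"
  if [ "$status" -ne 0 ]; then
    FLAGGED=$((FLAGGED + 1))
    FLAGGED_LABELS="${FLAGGED_LABELS}${label} "
  fi
}

# subject_line HOST FLAGGED_COUNT: the mail subject for the report.
subject_line() {
  if [ "$2" -eq 0 ]; then
    printf 'Assets audit on %s: clean' "$1"
  else
    printf 'Assets audit on %s: %d check(s) need attention' "$1" "$2"
  fi
}

main() {
  cd "${AUDIT_PROJECT_DIR:?set AUDIT_PROJECT_DIR to the project directory}" || exit 1
  REPORT="Audit of ${AUDIT_PROJECT_DIR} on $(date)${NL}${NL}"
  run_check "npm audit (high and critical only)" npm audit --audit-level=high
  run_check "npm outdated" npm outdated
  run_check "composer audit" composer audit
  run_check "composer outdated" composer outdated --strict
  REPORT="${REPORT}Checks needing attention: ${FLAGGED} ${FLAGGED_LABELS}${NL}JOB DONE!${NL}"
  if [ "$FLAGGED" -gt 0 ] || [ "${AUDIT_ALWAYS_MAIL:-0}" = 1 ]; then
    printf '%s\n' "$REPORT" |
      mail -s "$(subject_line "$(hostname)" "$FLAGGED")" "${AUDIT_MAIL_TO:?set AUDIT_MAIL_TO}"
  fi
}

# Only run the audit when a project directory is configured; without it the
# file just defines the functions (handy for trying them out from another shell).
if [ -n "${AUDIT_PROJECT_DIR:-}" ]; then
  main
fi
```

The settings are passed on the crontab line itself, still in the unprivileged user's crontab, for example: 0 5 * * * AUDIT_PROJECT_DIR=/var/www/html/yoursite AUDIT_MAIL_TO=you@your-email.com /home/username/scripts/audit_assets.sh. Because nothing is mailed on a clean run, a message in your inbox always means there is something to look at, which keeps the daily report from becoming noise that gets ignored.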

Third-party solutions

There are many third-party solutions that automate npm or composer audits. Some of them are:

npm vulnerability scanners

composer vulnerability scanners
