October 29, 2015 Woody Rousseau 2 min read

Trusting your dependencies a bit too much?

I just attended a great keynote at Velocity 2015 in Amsterdam, by Guy Podjarny (@guypod) and Assaf Hefetz, founders of Snyk.io, a tool in beta which was just unveiled. The keynote highlighted how most developers are blindly trusting third-party open-source dependencies. It also introduced a package and a service making it easy for one to find vulnerabilities, and in some cases to fix them.

About 11% of npm dependencies include vulnerabilities, and it often takes a very long time for those to be fixed, if it ever happens. Still think your package is as secure as it gets?

Snyk

Snyk is a Node.js CLI package, so it can be installed globally with

npm install -g snyk

It provides a command which tests your Node.js dependencies against the Snyk API, walking the dependency tree recursively: not only your package's direct dependencies, but also your dependencies' own dependencies.

snyk test

If snyk finds nothing, there is nothing more for it to do. If it does find vulnerabilities, it also provides another command to fix the dependencies by:

Updating dependencies which now provide fixes for found vulnerabilities.

Adding patches for those which do not.

Adding the test command to your testing workflow, with an integration to your CI system.

Allowing the installation of the patches in your install workflow, on npm's postinstall step.

Adding comments for vulnerabilities you do not want to fix for some reason.

Monitoring fixes and patches for vulnerabilities which are yet to be fixed.

All those features are available through an interactive prompt using the following command:

snyk protect -i
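As an added example (not code from the original post, nor from Snyk itself), here is how the two integrations listed above, the test command in the testing workflow and the patches in the install workflow, could be wired into a project's package.json. The script names, the use of mocha as the test runner, and the assumption that `snyk protect` run without `-i` re-applies the patches chosen during the interactive session are mine:

```json
{
  "name": "example-app",
  "version": "1.0.0",
  "scripts": {
    "snyk-test": "snyk test",
    "snyk-protect": "snyk protect",
    "test": "npm run snyk-test && mocha",
    "postinstall": "npm run snyk-protect"
  },
  "devDependencies": {
    "mocha": "*",
    "snyk": "*"
  }
}
```

With this layout, `npm test` fails the build as soon as `snyk test` reports a vulnerability, which is what a CI system needs, and `npm install` re-applies the chosen patches through the postinstall step. One caveat for a package you publish: postinstall also runs on every consumer's machine, and snyk is declared here as a devDependency, so it will not be present there; keep the postinstall hook to applications you deploy yourself, or move the patch step to a script that runs before publishing.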

Sounds good?

Snyk seems like a promising tool, as it automatically detects some security flaws, which are often overlooked when building applications with development speed as the main focus.

Since it just launched in Beta, I’m guessing Snyk.io's team is eager to get some feedback.
