Meteor’s recent transition to using NPM modules has opened up a world of possibilities for Meteor developers. Unfortunately, with great power comes great responsibility.
Along with a host of new functionality, NPM packages also come with a world of vulnerabilities and security concerns. In fact, over 14% of all NPM modules have known vulnerabilities.
Node Security Project
Thankfully, there are teams and tools dedicated to tackling the problem of documenting and cataloging known Node.js module vulnerabilities. A very popular option for scanning and monitoring your NPM dependencies for known vulnerabilities is the Node Security Platform.
In its most basic form, NSP offers a command line tool that scans your package.json or your npm-shrinkwrap.json for known vulnerabilities.
Because all of your NPM dependencies are saved in the package.json file in your project root, using the nsp tool to scan your Meteor project for vulnerabilities is a simple process:

```shell
> cd $YOUR_METEOR_PROJECT
> nsp check
(+) No known vulnerabilities found
```

If NSP finds any vulnerable dependencies, you'll be given more information about each one and, hopefully, a patched version you can upgrade to in order to fix the issue. Keep in mind that package.json lists only the dependencies you declared directly; keeping an npm-shrinkwrap.json gives the scanner the resolved versions of your transitive dependencies as well.
Snyk
Snyk offers a similar command line tool, and running it against a Meteor project looks much the same:

```shell
> cd $YOUR_METEOR_PROJECT
> snyk test
✓ Tested ... for known vulnerabilities, no vulnerabilities found.
```
I’m a big fan of Snyk. Their VulnDB is built on top of Node Security Project’s advisories database and is taking strides to improve and build upon that great foundation. At the time of writing this article, Snyk has documented 105 Node.js vulnerabilities in their vulnerability database.
The Snyk team also regularly posts insightful blog posts about a variety of security topics.
Meteor Package Dependencies
While NSP and Snyk are great options for testing your base project’s NPM dependencies for known vulnerabilities, there are other avenues for vulnerable Node packages to find their way into your Meteor project.
Pre-1.3 Meteor projects relied on Meteor packages to pull in NPM dependencies, or on the meteorhacks:npm package to simulate direct dependencies within the base project. Both of these techniques hide the actual NPM dependencies being used (they never appear in your project's package.json), which makes them difficult to scan using the techniques above.
Check out my post on Scanning Meteor Projects for Node Vulnerabilities for information on writing a bash script that dives into a Meteor project's build bundle and calls nsp check or snyk test on the project's entire dependency tree.
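As an added example (not the script from the post linked above, and not code from Meteor, NSP or Snyk), here is a bash script that walks a bundle produced by meteor build --directory and runs whichever scanner you pass in inside the directory of every dependency manifest it finds. The bundle layout it assumes, programs/server/package.json for the app's own dependencies and programs/server/npm/node_modules/meteor/<package>/package.json for each Meteor package's NPM dependencies, is an assumption of the example; check it against your own bundle before relying on it.

```shell
#!/bin/bash
# Added example: scan every NPM dependency manifest inside a Meteor build bundle.
# Not the original post's script. The bundle paths below are assumptions about
# the layout produced by `meteor build --directory`; verify them for your build.

# list_manifests SERVER_DIR
# Prints the path of every package.json that belongs to the app or to a Meteor
# package, skipping the manifests of transitively installed dependencies.
list_manifests() {
  local server="$1"
  # App-level manifests: -prune stops find from descending into node_modules,
  # so only the package.json files you (or Meteor's build) declared are listed.
  find "$server" -name node_modules -prune -o -name package.json -print
  # Assumed layout for Meteor package NPM dependencies (Npm.depends):
  # <server>/npm/node_modules/meteor/<package>/package.json
  local meteor_pkgs="$server/npm/node_modules/meteor"
  if [ -d "$meteor_pkgs" ]; then
    find "$meteor_pkgs" -mindepth 2 -maxdepth 2 -name package.json
  fi
}

# scan_manifests SERVER_DIR SCANNER...
# Runs SCANNER (for example: nsp check, or snyk test) inside the directory of
# every manifest from list_manifests. Prints one status line per directory, the
# scanner's own output for any failing directory, and returns the number of
# directories whose scan failed so a non-zero exit status fails a CI job.
# Returns 2 if SERVER_DIR does not exist.
scan_manifests() {
  local server="$1"; shift
  [ -d "$server" ] || { echo "scan_manifests: no such directory: $server" >&2; return 2; }
  local list failed=0 manifest dir out
  list=$(mktemp) || return 2
  list_manifests "$server" > "$list"
  while IFS= read -r manifest; do
    dir=$(dirname "$manifest")
    # Each scanner reads the manifest in its working directory, so cd first;
    # the subshell keeps the cd from leaking into this loop.
    if out=$(cd "$dir" && "$@" 2>&1); then
      echo "ok   $dir"
    else
      echo "FAIL $dir"
      printf '%s\n' "$out"
      failed=$((failed + 1))
    fi
  done < "$list"
  rm -f "$list"
  return "$failed"
}

# Usage, from the project root:
#   meteor build --directory /tmp/scan
#   scan_manifests /tmp/scan/bundle/programs/server nsp check
#   scan_manifests /tmp/scan/bundle/programs/server snyk test
```

Because the function returns the number of manifests whose scan failed, it drops straight into a CI step: any non-zero exit fails the build. snyk test inspects the installed node_modules tree, so run npm install inside programs/server before scanning with it.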
Both the Node Security Platform and Snyk offer fantastic tools for scanning your Node.js and Meteor projects for known vulnerabilities. I recommend you pick one of these two tools and incorporate this type of vulnerability scanning into your development, deployment, and continuous integration workflow.
Using Snyk or NSP with a Meteor-specific vulnerability scanning tool such as Package Scan will help give you some peace of mind as you move forward developing fantastic Meteor applications.