Where to find npm vulnerabilities?
If you’re looking to keep up with the latest npm vulnerabilities, you’ve come to the right place.
In this article, I’ll call out some openly accessible sources for finding security vulnerabilities in the npm ecosystem and for staying up to date with the latest threats.
Snyk Vulnerability Database
To kick us off, the Snyk Vulnerability Database is a great place to start. It’s a comprehensive database of vulnerabilities in open-source projects, including npm packages. You can search for vulnerabilities by package name or by CVE identifier.
Disclaimer: I work at Snyk as a developer advocate
What makes the Snyk Vulnerability Database stand out is the enriched metadata attached to each entry:
- The database is timely, accurate and kept up to date
- Each vulnerability report includes both the disclosure date and the publication date
- Each report includes a description of the vulnerability itself together with instructions on how to remediate it
- Entries link to the fixing GitHub commit or pull request, to the npm package, and, where available, to the researcher’s proof-of-concept gist
- Severity uses CVSS 4 scoring
GitHub Security Advisories
GitHub Security Advisories (the GitHub Advisory Database) is another good place to find vulnerabilities in npm packages. It is particularly helpful thanks to its free-text search, and it is also the advisory source that `npm audit` consults, so what you find there is what your CI is already checking against.
Google’s OSV
Another vulnerability resource is Open Source Vulnerabilities (OSV). It’s a project by Google that aims to provide a comprehensive, machine-readable vulnerability database for open-source ecosystems, npm included.
Specifically, OSV also provides an API layer for querying vulnerabilities programmatically, which could prove handy depending on your use case: for example, checking every dependency in a lockfile against the database as part of a build.
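As an added example (not code from the original article or from the OSV project), here is how a Node.js script would shape a query for the public OSV API and pull the fields a triage workflow cares about out of the response. The endpoint (`POST https://api.osv.dev/v1/query`) and the request body follow the documented OSV API; the package name, version and the advisory in `SAMPLE_RESPONSE` are constructed for illustration and are not a real vulnerability.

```javascript
// Added example: querying the OSV API for an npm package and summarizing the result.
// The request shape matches the public OSV API (POST /v1/query). The sample response
// below is constructed to mirror the OSV schema; it is not a real advisory.

const OSV_QUERY_URL = "https://api.osv.dev/v1/query";

// Build the request body OSV expects for a single npm package at an exact version.
// OSV returns {} (no "vulns" key) when nothing matches.
function buildOsvQuery(name, version) {
  return {
    package: { name, ecosystem: "npm" },
    version,
  };
}

// Reduce an OSV response to the fields needed for triage: identifiers, aliases
// (e.g. a CVE behind a GHSA id), publication date, fixed versions, and references.
function summarizeOsvResponse(response) {
  return (response.vulns || []).map((v) => ({
    id: v.id,
    aliases: v.aliases || [],
    summary: v.summary || "",
    published: v.published || null,
    // Every SEMVER range carries "events"; the "fixed" events are the versions to upgrade to.
    fixedVersions: (v.affected || [])
      .flatMap((a) => a.ranges || [])
      .flatMap((r) => r.events || [])
      .filter((e) => typeof e.fixed === "string")
      .map((e) => e.fixed),
    references: (v.references || []).map((r) => r.url),
  }));
}

// Live query; fetchImpl is injectable so the function can be exercised offline.
async function queryOsv(name, version, fetchImpl = fetch) {
  const res = await fetchImpl(OSV_QUERY_URL, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(buildOsvQuery(name, version)),
  });
  if (!res.ok) throw new Error(`OSV query failed: HTTP ${res.status}`);
  return summarizeOsvResponse(await res.json());
}

// Constructed sample in OSV schema shape (hypothetical package and advisory id).
const SAMPLE_RESPONSE = {
  vulns: [
    {
      id: "OSV-EXAMPLE-0001",
      aliases: ["EXAMPLE-ALIAS-0001"],
      summary: "Constructed sample advisory for example-pkg",
      published: "2024-01-01T00:00:00Z",
      affected: [
        {
          package: { ecosystem: "npm", name: "example-pkg" },
          ranges: [
            { type: "SEMVER", events: [{ introduced: "0" }, { fixed: "1.2.3" }] },
          ],
        },
      ],
      references: [{ type: "ADVISORY", url: "https://example.invalid/advisory" }],
    },
  ],
};

// Offline demonstration on the constructed response.
console.log(JSON.stringify(buildOsvQuery("example-pkg", "1.0.0")));
console.log(summarizeOsvResponse(SAMPLE_RESPONSE));

// Live lookup when invoked as: node osv-query.js <package> <version>
if (process.argv.length >= 4) {
  queryOsv(process.argv[2], process.argv[3])
    .then((vulns) => console.log(vulns))
    .catch((err) => console.error(err.message));
}
```

Because `summarizeOsvResponse` tolerates a bare `{}`, a clean package produces an empty array rather than a crash, which is what you want when looping over an entire lockfile. Checking whether your exact installed version sits inside the `introduced`/`fixed` events is the next step, and OSV already does that matching server-side when you pass `version` in the query.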