I just attended a great keynote at Velocity 2015 in Amsterdam, by Guy Podjarny (@guypod) and Assaf Hefetz, founders of Snyk.io, a tool in beta which was just unveiled. The keynote highlighted how most developers are blindly trusting third-party open-source dependencies. It also introduced a package and a service making it easy for one to find vulnerabilities, and in some cases to fix them.
About 11% of npm dependencies include vulnerabilities, and it often takes a very long time for those to be fixed, if it ever happens. Still think your package is as secure as it gets?
Snyk is a Node.js CLI package, which can thus be installed globally with
npm install -g snyk
It provides a command which tests your Node.js dependencies against the Snyk API recursively, checking not only your package’s direct dependencies but also your dependencies’ own dependencies.
If Snyk finds nothing, there is nothing more for it to do. If it does find vulnerabilities, it provides a second command which helps you fix your dependencies by:
- Updating dependencies which now provide fixes for found vulnerabilities.
- Adding patches for those which do not.
- Adding the test command to your testing workflow, with an integration to your CI system.
- Allowing the installation of the patches to your install workflow, on npm’s
- Adding comments for vulnerabilities you do not want to fix for some reason.
- Monitoring fixes and patches for vulnerabilities which are yet to be fixed.
All those features are available through an interactive prompt using the following command:
snyk protect -i
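The recursive dependency check and the CI exit-status integration described above, as an added example that is not Snyk’s code and does not call the Snyk API: it walks a constructed in-memory dependency tree, matches every package, direct or transitive, against a constructed advisory list, splits the findings into those an update would fix and those with no fix yet (the two cases the protect command handles differently), and returns the exit code a CI step would use to stop the build. Package names, versions and advisory identifiers (EX-2015-001, EX-2015-002) are all constructed placeholders and refer to no real package or vulnerability; the version comparison handles plain x.y.z strings only.

```javascript
// Added example, not Snyk's code: audit a dependency tree recursively against
// an advisory list and produce a CI verdict. Everything below is constructed
// for illustration; no name, version or advisory refers to a real package.

// Constructed advisory list. A package is affected when its version is
// >= introduced and < fixedIn; fixedIn === null means no fix is published yet.
const ADVISORIES = [
  { id: 'EX-2015-001', name: 'example-parser', introduced: '1.0.0', fixedIn: '1.2.3', title: 'constructed: unsafe parsing' },
  { id: 'EX-2015-002', name: 'example-logger', introduced: '0.1.0', fixedIn: null, title: 'constructed: unfixed issue' },
];

// Constructed resolved dependency tree: { name, version, dependencies: { depName: subtree } }.
// The vulnerable example-parser@1.1.0 is only reachable transitively, through
// example-web-framework; the root depends on an already-fixed 1.2.5.
const TREE = {
  name: 'my-app', version: '1.0.0',
  dependencies: {
    'example-web-framework': {
      name: 'example-web-framework', version: '4.1.0',
      dependencies: {
        'example-parser': { name: 'example-parser', version: '1.1.0', dependencies: {} },
        'example-logger': { name: 'example-logger', version: '0.4.2', dependencies: {} },
      },
    },
    'example-parser': { name: 'example-parser', version: '1.2.5', dependencies: {} },
  },
};

// Compare two dotted numeric versions, returning -1, 0 or 1. A real tool would
// use a full semver library; plain x.y.z strings are all this sample needs.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when `version` falls inside the advisory's affected range.
function isAffected(version, adv) {
  return compareVersions(version, adv.introduced) >= 0 &&
    (adv.fixedIn === null || compareVersions(version, adv.fixedIn) < 0);
}

// Depth-first walk over the whole tree. The path from the root is kept so a
// finding can say which direct dependency pulled the vulnerable package in.
function audit(tree, advisories, path = [], findings = []) {
  for (const sub of Object.values(tree.dependencies || {})) {
    const here = path.concat(`${sub.name}@${sub.version}`);
    for (const adv of advisories) {
      if (adv.name === sub.name && isAffected(sub.version, adv)) {
        findings.push({ id: adv.id, package: sub.name, version: sub.version, fixedIn: adv.fixedIn, path: here.join(' > ') });
      }
    }
    audit(sub, advisories, here, findings);
  }
  return findings;
}

// Split findings into the two cases the post describes: an update fixes it,
// or no fixed version exists yet and a patch or an accepted-risk note is needed.
function triage(findings) {
  return {
    updatable: findings.filter(f => f.fixedIn !== null),
    unfixed: findings.filter(f => f.fixedIn === null),
  };
}

// CI-style verdict: non-zero when anything is found, so the pipeline stops.
function ciExitCode(findings) {
  return findings.length === 0 ? 0 : 1;
}

// Stand-alone run: print each finding with the path that introduced it.
const demoFindings = audit(TREE, ADVISORIES);
for (const f of demoFindings) {
  console.log(`${f.id} ${f.package}@${f.version} via ${f.path}` +
    (f.fixedIn ? ` (fixed in ${f.fixedIn})` : ' (no fix yet)'));
}
console.log(`exit code for CI: ${ciExitCode(demoFindings)}`);
```

Running it reports two findings, both reached only through example-web-framework: example-parser@1.1.0 (an update to 1.2.3 fixes it) and example-logger@0.4.2 (no fix yet), while the root’s own example-parser@1.2.5 is clean. This is the point of testing recursively: a direct dependency that looks fine can still drag an older, vulnerable copy in underneath it, and only a walk that records the path tells you where to apply the update or the patch.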
Snyk seems like a promising tool, as it automatically detects some security flaws, which are often overlooked when building applications with development speed as the main focus.
Since it just launched in Beta, I’m guessing Snyk.io’s team is eager to get some feedback.