October 29, 2015 | Woody Rousseau | 2 min read
I just attended a great keynote at Velocity 2015 in Amsterdam, by Guy Podjarny (@guypod) and Assaf Hefetz, founders of Snyk.io, a tool in beta which was just unveiled. The keynote highlighted how most developers blindly trust third-party open-source dependencies. It also introduced a package and a service that make it easy to find vulnerabilities in those dependencies, and in some cases to fix them.
About 11% of npm dependencies include vulnerabilities, and it often takes a very long time for those to be fixed, if it ever happens. Still think your package is as secure as it gets?
Snyk is a Node.js CLI package, which can therefore be installed globally with
npm install -g snyk
It provides a command which uses the Snyk API to test your Node.js dependencies recursively: it checks not only your package's direct dependencies, but also your dependencies' own dependencies.
If snyk has nothing on you, it won't be able to help any further. But if it does, it also provides another command to fix dependencies by:
All those features are available through an interactive prompt using the following command:
snyk protect -i
Snyk seems like a promising tool, as it automatically detects security flaws in dependencies, which are often overlooked when applications are built with development speed as the main focus.
Since it just launched in Beta, I’m guessing Snyk.io's team is eager to get some feedback.
Web Developer at Theodo