Non-upgradable dependencies - Javascript
Need
Prevent security vulnerabilities arising from dependencies that cannot be upgraded
Context
- Usage of JavaScript for developing modern web applications
- Dependency management using npm or yarn for package installation
Description
Insecure Code Example
/my-project
├── node_modules/ <-- 🚨 Dependencies added to the project, but no package.json
│   ├── lodash/
│   ├── express/
│   └── axios/
└── index.js
Dependencies are downloaded and copied into the project directly, without a package manager recording them. In this example the node_modules folder contains three dependencies, but there is no package.json file, so nobody can tell which versions are in use, whether those versions have known vulnerabilities, or how to upgrade them: the only way to update is to replace the files by hand, which in practice means the dependencies are never upgraded.
Steps
- Identify all the dependencies used in the code (every require or import of a package that is not a relative path or a Node.js built-in)
- List all dependencies explicitly in the package.json file so that the package manager can track which versions are installed
- Use version ranges (e.g., ^ or ~) instead of fixed versions so that compatible patch and minor updates can be pulled in, and commit the lockfile (package-lock.json or yarn.lock) so that every install resolves to the same reviewed versions
- Regularly update the dependencies (npm outdated, npm update and npm audit, or their yarn equivalents) to ensure security patches and bug fixes are applied
- Consider using a dependency management tool such as Dependabot or Renovate to automate the process of managing and updating dependencies
Secure Code Example
/my-project
├── .gitignore
└── package.json

.gitignore:
node_modules/

package.json:
{
  "dependencies": {
    "lodash": "^4.17.21",
    "express": "^4.19.2",
    "axios": "^1.4.0"
  }
}
Dependencies are declared in a package.json file so that a package manager like npm or yarn can track them, report outdated or vulnerable versions (npm outdated, npm audit) and upgrade them. The node_modules folder is listed in .gitignore so that installed packages are never committed; only the manifest is. When cloning the repository, dependencies are installed with npm install (or yarn install). Commit the generated lockfile (package-lock.json or yarn.lock) alongside package.json, and use npm ci in CI and deployment so that every environment installs the exact versions that were reviewed rather than whatever the ranges resolve to at install time.
Last updated
2025/03/31