Database

Need

Prevent security vulnerabilities arising from dependencies that cannot be upgraded

Context

• Usage of JavaScript for developing modern web applications

• Dependency management using npm or yarn for package installation

Description

1. Non-compliant code

/my-project
  ├── /node_modules  <-- 🚨 Dependencies added to the project
  │   ├── lodash/
  │   ├── express/
  │   └── axios/
  └── index.js

Dependencies are downloaded and copied directly into the project without a package manager tracking them. In this example, the node_modules folder with three dependencies was added to the project, but there is no package.json file, so nothing records which packages and versions the project depends on.

2. Steps

• Identify all the dependencies used in the code

• List all dependencies explicitly in the package.json file to allow proper version control and tracking

• Use version ranges (e.g., ^ or ~) instead of fixed versions to allow safe updates

• Regularly update the dependencies to the latest versions to ensure security patches and bug fixes are applied

• Consider using a dependency management tool to automate the process of managing and updating dependencies

3. Secure code example

/my-project
  ├── .gitignore
  │     node_modules/
  └── package.json
        {
          "dependencies": {
            "lodash": "^4.17.21",
            "axios": "^1.4.0"...

Dependencies are defined in a package.json file so that a package manager like npm or yarn can track them and identify if they need updates. Additionally, the node_modules folder is excluded in the .gitignore file to prevent it from being added to the repository. When cloning the repository, dependencies must be installed using npm install.