How to prevent the use of vulnerable JavaScript libraries / #sec_kansai 14
by Masashi Hirano
Slide 1
How to prevent the use of vulnerable JavaScript libraries
Kansai Cyber Security Meeting (14th), #sec_kansai
Masashi Hirano (@shisama)
Slide 2
Masashi Hirano, Kyoto office
@shisama_ / @shisama
Node.js Core Collaborator
Organizer of Kansai Node Gakuen (関西Node学園)
Slide 3
Announcement: https://nodejs.connpass.com/event/126358/
Slide 4
Agenda
• The state of JavaScript library vulnerabilities
• How to prevent the use of vulnerable libraries
Slide 5
The state of JavaScript library vulnerabilities
Slide 6
The JavaScript library landscape
• With the arrival of Node.js and npm, the number of JavaScript libraries grew explosively
• JS development, whether Node.js or front-end, relies on many libraries
Slide 7
The number of libraries registered on npm is overwhelming
http://www.modulecounts.com/
Slide 8
The number of libraries registered on npm is abnormal
http://www.modulecounts.com/
Because there are so many, there are also many vulnerable libraries
Slide 9
The state of JavaScript library vulnerabilities
• Incidents in which malicious code was inserted into popular libraries
• Malicious code was found inserted into ESLint (the most popular static analysis tool for JavaScript) (July 2018)
• event-stream, a library with 2 million downloads a week, had a function inserted that steals private keys from cryptocurrency wallets (November 2018)
Slide 10
The state of JavaScript library vulnerabilities
• 37% of the top 75,000 websites worldwide (per Alexa) use some JS library with a known vulnerability
• Findings of a research team at Northeastern University (2017)
• Old libraries are in use
• They are often embedded in ad tracking and social media widgets
Slide 11
How to prevent the use of vulnerable libraries
Slide 12
npm's security efforts
• Vulnerabilities can be reported for each library on npmjs.com
• The npm audit command was added in npm v6
• It checks the libraries installed in a project for vulnerabilities
• It runs when libraries are installed
Slide 13
https://www.npmjs.com/package/typescript
Vulnerabilities can be reported for each library
Slide 14
Running npm audit detects vulnerabilities in the installed libraries
Slide 15
Using npm audit
• Running it in CI prevents vulnerable libraries from being deployed
• With the IBM/audit-ci library, detection can be tuned to the vulnerability severity level
• The npm audit fix command automatically fixes vulnerable libraries
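As an added example (not code from the talk, and not IBM/audit-ci's own implementation), here is a severity-gated CI check of the kind the slide describes, written over the parsed JSON that `npm audit --json` emits. The two sample inputs are constructed, and the two JSON shapes it handles are an assumption from the npm 6 and npm 7+ output formats, so check them against your npm version.

```javascript
// Added example (not from the slides, not IBM/audit-ci's code): a CI gate over
// parsed `npm audit --json` output that blocks the build when any finding is at
// or above a chosen severity. Assumed shapes: npm 6 ("advisories" keyed by id)
// and npm 7+ ("vulnerabilities" keyed by package name).
const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];
// Normalise either JSON shape into [{ module, severity, title, direct }].
function normalise(auditJson) {
  if (auditJson.advisories) { // npm 6
    return Object.values(auditJson.advisories).map((a) => ({
      module: a.module_name,
      severity: a.severity,
      title: a.title,
      // A path such as "webpack-ish>deep-dep" means the module is transitive.
      direct: (a.findings || []).some((f) => (f.paths || []).some((p) => !p.includes('>'))),
    }));
  }
  return Object.values(auditJson.vulnerabilities || {}).map((v) => ({ // npm 7+
    module: v.name,
    severity: v.severity,
    // Advisory text lives in the object entries of "via"; string entries are
    // just the names of other vulnerable packages.
    title: (v.via || []).filter((x) => typeof x === 'object').map((x) => x.title).join('; '),
    direct: Boolean(v.isDirect),
  }));
}
// Findings at or above `threshold`; an unknown level is an error rather than
// a silently passing build.
function findBlocking(auditJson, threshold) {
  const min = SEVERITY_ORDER.indexOf(threshold);
  if (min < 0) throw new Error(`unknown severity level: ${threshold}`);
  return normalise(auditJson).filter((f) => SEVERITY_ORDER.indexOf(f.severity) >= min);
}
// CI contract: exit code 1 blocks the deploy, 0 lets it through.
function gate(auditJson, threshold) {
  const blocking = findBlocking(auditJson, threshold);
  return { exitCode: blocking.length > 0 ? 1 : 0, blocking };
}
// Constructed samples (made-up module names and titles), one per JSON shape.
const SAMPLE_NPM6 = { advisories: {
  '1': { module_name: 'left-pad-ish', severity: 'low', title: 'Example: ReDoS',
         findings: [{ version: '1.0.0', paths: ['left-pad-ish'] }] },
  '2': { module_name: 'deep-dep', severity: 'high', title: 'Example: prototype pollution',
         findings: [{ version: '2.1.0', paths: ['webpack-ish>deep-dep'] }] } } };
const SAMPLE_NPM7 = { vulnerabilities: {
  'left-pad-ish': { name: 'left-pad-ish', severity: 'low', isDirect: true,
                    via: [{ title: 'Example: ReDoS', severity: 'low' }] },
  'deep-dep': { name: 'deep-dep', severity: 'high', isDirect: false,
                via: [{ title: 'Example: prototype pollution', severity: 'high' }] } } };
```

In a pipeline you would run `npm audit --json`, parse the output, call `gate(parsed, 'high')`, print the returned findings and exit with the returned code.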
Slide 16
Running npm audit fix installs library versions in which the vulnerability has been fixed
Slide 17
npm audit cannot detect vulnerabilities that have not been reported to the Node Security Project
Slide 18
https://retirejs.github.io/retire.js/
Slide 19
Using Retire.js
• A tool that detects vulnerabilities based on CVE and HackerOne reports
• Available not only on the command line but also as Chrome and Firefox extensions
• Can also check libraries loaded from CDNs such as unpkg.com
• Can check any web page for vulnerabilities
Slide 20
Checking Wikipedia with the Retire.js Chrome extension (an old capture; already fixed by now)
Slide 21
https://snyk.io/
Slide 22
Using Snyk
• A service that checks for vulnerable libraries based on CVE data
• Supports many languages
• Automatically generates Pull Requests that fix vulnerabilities
• Free to use for OSS
Slide 23
https://snyk.io/vuln
Slide 24
Summary
• JavaScript libraries are plentiful, but many of them are vulnerable
• Detecting and fixing vulnerabilities can be done with tools
Slide 25
Thank you for listening