Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Node Security Platform, nsp, npm audit @roppong...
Search
urahiroshi
May 29, 2018
Programming
1
950
Node Security Platform, nsp, npm audit @roppongi.js#3
Roppongi.js#3 の資料です
urahiroshi
May 29, 2018
Tweet
Share
More Decks by urahiroshi
See All by urahiroshi
組織拡大でカルチャー崩壊を防ぐためにできること
urahiroshi
0
350
プロダクトのスケールによって顕在化しうるリスクをどう管理するか?
urahiroshi
8
6k
Mercari_Frontend_CircleCI.pdf
urahiroshi
2
2.7k
SET活動のすすめ.pdf
urahiroshi
1
1.5k
Other Decks in Programming
See All in Programming
バイブコーディング超えてバイブデプロイ〜CloudflareMCPで実現する、未来のアプリケーションデリバリー〜
azukiazusa1
2
740
202507_ADKで始めるエージェント開発の基本 〜デモを通じて紹介〜(奥田りさ)The Basics of Agent Development with ADK — A Demo-Focused Introduction
risatube
PRO
5
1.3k
「次に何を学べばいいか分からない」あなたへ──若手エンジニアのための学習地図
panda_program
3
680
GPUを計算資源として使おう!
primenumber
1
300
Flutterと Vibe Coding で個人開発!
hyshu
0
100
変化を楽しむエンジニアリング ~ いままでとこれから ~
murajun1978
0
590
What's new in AppKit on macOS 26
1024jp
0
180
型で語るカタ
irof
1
880
11年かかって やっとVibe Codingに 時代が追いつきましたね
yimajo
0
220
QA x AIエコシステム段階構築作戦
osu
0
220
階層化自動テストで開発に機動力を
ickx
1
450
構造化・自動化・ガードレール - Vibe Coding実践記 -
tonegawa07
0
160
Featured
See All Featured
Being A Developer After 40
akosma
90
590k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3.3k
Build The Right Thing And Hit Your Dates
maggiecrowley
37
2.8k
Product Roadmaps are Hard
iamctodd
PRO
54
11k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
GraphQLとの向き合い方2022年版
quramy
49
14k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Code Reviewing Like a Champion
maltzj
524
40k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
26k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
16k
Adopting Sorbet at Scale
ufuk
77
9.5k
Done Done
chrislema
185
16k
Transcript
Node Security Platform, nsp, npm audit גࣜձࣾϝϧΧϦ SET(Software Engineer in
Test) @urahiroshi (Hiroshi Urayama)
Node Security Platform • https://nodesecurity.io • npmύοέʔδͷ੬ऑੑใΛใࠂɺऔಘͰ͖Δϓ ϥοτϑΥʔϜ • ੬ऑੑΛใࠂ͢Δ
=> ύοέʔδͷϝϯςφʹ௨ => मਖ਼ or 45ܦաͰެ։͞ΕΔ (https://nodesecurity.io/report)
None
nsp • https://github.com/nodesecurity/nsp • Node Security Platformͷ੬ऑੑใΛجʹɺΠϯετʔϧ͍ͯ͠ Δnpmύοέʔδͷ੬ऑੑΛݕ͢Δ͜ͱ͕Ͱ͖Δύοέʔδ • Node
Security PlatformΛӡӦ͢Δ ^Lift Security ͕npm, Incʹങऩ͞ΕɺnpmίϚϯυʹύοέʔδ ͷ੬ऑੑݕ(npm audit)͕Έࠐ·ΕͨͷͰɺࠓޙੵۃతʹ͏ ཧ༝ͳ͍ • GitHubϦϙδτϦΞʔΧΠϒԽ͞Ε͍ͯΔ
`nsp check`
npm audit •
[email protected]
,
[email protected]
͔Β͑ΔΑ͏ʹͳͬͨ • npm installͨ͠ࡍʹࣗಈతʹ࣮ߦ͞ΕɺαϚϦ͕දࣔ͞ΕΔʢҎԼʣ •
[email protected]
͔Βjsonग़ྗ(`npm audit —json`)੬ऑੑͷ͋Δύοέʔδͷࣗ ಈߋ৽(`npm audit fix`)ػೳ͕Ճ͞ΕɺΑΓ͑ΔΑ͏ʹͳͬͨ • nspͷڍಈͱޓੑͳ͍ • Ұ෦ͷύοέʔδؚ͕·Ε͍ͯΔͱΤϥʔʹͳΔ߹͕͋Δ (nspͳΒେ ৎͳͷʹ…) https://github.com/npm/npm/issues/20604
`npm audit`
yarnͷ߹ • nspnpm audityarn.lockʹඇରԠ - nsp: package.json͚ͩͰ੬ऑੑใදࣔ - npm audit:
ΤϥʔʹͳΔ
yarnͷ߹ 1. (nspͷ߹ͷΈ) [nsp-preprocessor-yarn](https://github.com/ hermanbanken/nsp-preprocessor-yarn) Λ͏ • ੵۃతʹ͏ཧ༝ͳ͍ 2. [synp](https://github.com/imsnif/synp)Ͱyarn.lockΛpackage-
lock.json ʹม͢Δ 3. `yarn install` ͨ͠ޙʹ `npm shrinkwrap` ͢Δ 4. ͍ۙ͏ͪʹ `yarn audit` ͕Ͱ͖ͦ͏ʁ https://github.com/yarnpkg/yarn/issues/5808
CIͰ͏ • CircleCIͷScheduling JobΛͬͯఆظతʹ࣮ߦ • िҰճ: ΞυόΠβϦҰཡΛSlackʹ௨ • ৄࡉCircleCIͷ࣮ߦϩά͔ΒݟΔ(ҎԼྫ)
• ຖ: ΞυόΠβϦҰཡʹมԽ͕͋ΕSlack௨ (લճͷ࣮ߦ ݁ՌΛCircleCIͷΩϟογϡʹอଘͯ͠ൺֱʹ͏)
ӡ༻ͯ͠Έͯ • ݕग़͞ΕΔ੬ऑੑͷߋ৽සଟ͍ͷͰɺӡ༻ίετ͚ͬ͜͏ େ͖͍ • ྫ: webpackͷ੬ऑੑݕࠪͯ͠Έͨ߹ • ҎԼͷྲྀΕͰௐ͍ࠪͯ͠Δ 1.
ৄࡉ(େମHackerOneͷϦϯΫ͕͍͍ͭͯΔ)Λݟͯ੬ऑੑͷ ༰ɺൃੜ݅Λ֬ೝ 2. ϥΠϒϥϦͷ༻్ͱরΒ͠߹ΘͤͯϦεΫ͕͋Δ͔அ ʢϏϧυ༻్ͷϥΠϒϥϦͰ͋ͬͯඞͣ҆શͩͱݴ͑ͳ͍ɻ੬ ऑੑͷ༰࣍ୈʣ
ӡ༻ͯ͠Έͯ • ύονग़ͯͳ͍ͷ͕݁ߏଟ͍ • “It is our recommendation to not
install or use this module at this time.” • ͳ͔ͳ͔͙͢ʹରԠ͍͠ • npmʹΈࠐ·Εͨ͜ͱͰɺͬͱରԠ͞Ε͍ͯ ͘ & ରԠ͞Εͳ͍ύοέʔδࣗવ౫ଡ͞Ε͍ͯ ͘Α͏ʹͳΔ͜ͱΛظ
͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ • ϝϧΧϦͰSET (Software Engineer in Test) ͷϝϯόʔΛਵ࣌ืूதͰ͢