Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Node Security Platform, nsp, npm audit @roppong...
Search
urahiroshi
May 29, 2018
Programming
1k
1
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Node Security Platform, nsp, npm audit @roppongi.js#3
Roppongi.js#3 の資料です
urahiroshi
May 29, 2018
More Decks by urahiroshi
See All by urahiroshi
組織拡大でカルチャー崩壊を防ぐためにできること
urahiroshi
0
590
プロダクトのスケールによって顕在化しうるリスクをどう管理するか?
urahiroshi
9
6.8k
Mercari_Frontend_CircleCI.pdf
urahiroshi
2
2.7k
SET活動のすすめ.pdf
urahiroshi
1
1.6k
Other Decks in Programming
See All in Programming
Creating Composable Callables in Contemporary C++
rollbear
0
170
Datadog LLM Observabilityで実現する 安全なLLM Usage 管理
3150
0
120
ふつうのFeature Flag実践入門
irof
8
4.2k
Inside Stream API
skrb
1
800
Oxcを導入して開発体験が向上した話
yug1224
4
340
A2UI という光を覗いてみる
satohjohn
1
160
軽量Java基盤の設計 DIコンテナに頼らない、長期保守と1秒起動の実現 JJUG CCC 2026 Spring
macha64
0
600
どこまでゆるくて許されるのか
tk3fftk
0
260
Oxlintのカスタムルールの現況
syumai
6
1.2k
才能?センス?知らん、 続けたもん勝ちだ。-- 結婚・出産・癌を越えてなお、私がプロダクトを創り続ける理由
16bitidol
1
470
Snowflake Summitでの新機能 CoCo / CoWork / snowflake-summit-2026-overall-what-new-coco
tatsuhiro
1
190
脅威をエンジニアリングの糧にして――現場編 / Turning Threats into Engineering Fuel — Field Edition
nrslib
0
300
Featured
See All Featured
Effective software design: The role of men in debugging patriarchy in IT @ Voxxed Days AMS
baasie
0
440
Agile that works and the tools we love
rasmusluckow
331
22k
Speed Design
sergeychernyshev
33
1.9k
What’s in a name? Adding method to the madness
productmarketing
PRO
24
4.1k
Navigating Weather and Climate Data
rabernat
0
240
How Fast Is Fast Enough? [PerfNow 2025]
tammyeverts
3
620
The Invisible Side of Design
smashingmag
301
52k
Faster Mobile Websites
deanohume
310
32k
Build The Right Thing And Hit Your Dates
maggiecrowley
39
3.2k
Joys of Absence: A Defence of Solitary Play
codingconduct
1
400
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
141
35k
The AI Search Optimization Roadmap by Aleyda Solis
aleyda
1
5.9k
Transcript
Node Security Platform, nsp, npm audit גࣜձࣾϝϧΧϦ SET(Software Engineer in
Test) @urahiroshi (Hiroshi Urayama)
Node Security Platform • https://nodesecurity.io • npmύοέʔδͷ੬ऑੑใΛใࠂɺऔಘͰ͖Δϓ ϥοτϑΥʔϜ • ੬ऑੑΛใࠂ͢Δ
=> ύοέʔδͷϝϯςφʹ௨ => मਖ਼ or 45ܦաͰެ։͞ΕΔ (https://nodesecurity.io/report)
None
nsp • https://github.com/nodesecurity/nsp • Node Security Platformͷ੬ऑੑใΛجʹɺΠϯετʔϧ͍ͯ͠ Δnpmύοέʔδͷ੬ऑੑΛݕ͢Δ͜ͱ͕Ͱ͖Δύοέʔδ • Node
Security PlatformΛӡӦ͢Δ ^Lift Security ͕npm, Incʹങऩ͞ΕɺnpmίϚϯυʹύοέʔδ ͷ੬ऑੑݕ(npm audit)͕Έࠐ·ΕͨͷͰɺࠓޙੵۃతʹ͏ ཧ༝ͳ͍ • GitHubϦϙδτϦΞʔΧΠϒԽ͞Ε͍ͯΔ
`nsp check`
npm audit •
[email protected]
,
[email protected]
͔Β͑ΔΑ͏ʹͳͬͨ • npm installͨ͠ࡍʹࣗಈతʹ࣮ߦ͞ΕɺαϚϦ͕දࣔ͞ΕΔʢҎԼʣ •
[email protected]
͔Βjsonग़ྗ(`npm audit —json`)੬ऑੑͷ͋Δύοέʔδͷࣗ ಈߋ৽(`npm audit fix`)ػೳ͕Ճ͞ΕɺΑΓ͑ΔΑ͏ʹͳͬͨ • nspͷڍಈͱޓੑͳ͍ • Ұ෦ͷύοέʔδؚ͕·Ε͍ͯΔͱΤϥʔʹͳΔ߹͕͋Δ (nspͳΒେ ৎͳͷʹ…) https://github.com/npm/npm/issues/20604
`npm audit`
yarnͷ߹ • nspnpm audityarn.lockʹඇରԠ - nsp: package.json͚ͩͰ੬ऑੑใදࣔ - npm audit:
ΤϥʔʹͳΔ
yarnͷ߹ 1. (nspͷ߹ͷΈ) [nsp-preprocessor-yarn](https://github.com/ hermanbanken/nsp-preprocessor-yarn) Λ͏ • ੵۃతʹ͏ཧ༝ͳ͍ 2. [synp](https://github.com/imsnif/synp)Ͱyarn.lockΛpackage-
lock.json ʹม͢Δ 3. `yarn install` ͨ͠ޙʹ `npm shrinkwrap` ͢Δ 4. ͍ۙ͏ͪʹ `yarn audit` ͕Ͱ͖ͦ͏ʁ https://github.com/yarnpkg/yarn/issues/5808
CIͰ͏ • CircleCIͷScheduling JobΛͬͯఆظతʹ࣮ߦ • िҰճ: ΞυόΠβϦҰཡΛSlackʹ௨ • ৄࡉCircleCIͷ࣮ߦϩά͔ΒݟΔ(ҎԼྫ)
• ຖ: ΞυόΠβϦҰཡʹมԽ͕͋ΕSlack௨ (લճͷ࣮ߦ ݁ՌΛCircleCIͷΩϟογϡʹอଘͯ͠ൺֱʹ͏)
ӡ༻ͯ͠Έͯ • ݕग़͞ΕΔ੬ऑੑͷߋ৽සଟ͍ͷͰɺӡ༻ίετ͚ͬ͜͏ େ͖͍ • ྫ: webpackͷ੬ऑੑݕࠪͯ͠Έͨ߹ • ҎԼͷྲྀΕͰௐ͍ࠪͯ͠Δ 1.
ৄࡉ(େମHackerOneͷϦϯΫ͕͍͍ͭͯΔ)Λݟͯ੬ऑੑͷ ༰ɺൃੜ݅Λ֬ೝ 2. ϥΠϒϥϦͷ༻్ͱরΒ͠߹ΘͤͯϦεΫ͕͋Δ͔அ ʢϏϧυ༻్ͷϥΠϒϥϦͰ͋ͬͯඞͣ҆શͩͱݴ͑ͳ͍ɻ੬ ऑੑͷ༰࣍ୈʣ
ӡ༻ͯ͠Έͯ • ύονग़ͯͳ͍ͷ͕݁ߏଟ͍ • “It is our recommendation to not
install or use this module at this time.” • ͳ͔ͳ͔͙͢ʹରԠ͍͠ • npmʹΈࠐ·Εͨ͜ͱͰɺͬͱରԠ͞Ε͍ͯ ͘ & ରԠ͞Εͳ͍ύοέʔδࣗવ౫ଡ͞Ε͍ͯ ͘Α͏ʹͳΔ͜ͱΛظ
͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ • ϝϧΧϦͰSET (Software Engineer in Test) ͷϝϯόʔΛਵ࣌ืूதͰ͢