Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Node Security Platform, nsp, npm audit @roppong...
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
urahiroshi
May 29, 2018
Programming
1k
1
Share
Node Security Platform, nsp, npm audit @roppongi.js#3
Roppongi.js#3 の資料です
urahiroshi
May 29, 2018
More Decks by urahiroshi
See All by urahiroshi
組織拡大でカルチャー崩壊を防ぐためにできること
urahiroshi
0
570
プロダクトのスケールによって顕在化しうるリスクをどう管理するか?
urahiroshi
9
6.8k
Mercari_Frontend_CircleCI.pdf
urahiroshi
2
2.7k
SET活動のすすめ.pdf
urahiroshi
1
1.6k
Other Decks in Programming
See All in Programming
RTSPクライアントを自作してみた話
simotin13
0
490
今さら聞けないCancellationToken
htkym
0
220
AI駆動開発勉強会 広島支部 第一回勉強会 AI駆動開発概要とワークショップ
hayatoshimiu
0
440
Webフレームワークの ベンチマークについて
yusukebe
0
130
Java × distroless で 軽量なコンテナイメージを / Java on Distroless
contour_gara
0
500
AI駆動開発で崩れていくコードベースを立て直す
kyoko_nr_nr
1
440
プラグインで拡張される Context をtype-safe にする難しさと設計判断
kazupon
2
590
CLIであることを活かしたGitHub Copilot CLI活用術 / GitHub Copilot CLI Pro Tips & Tricks
nao_mk2
1
1.2k
Spec Driven Development | AI Summit Lisbon
danielsogl
PRO
0
150
タクシーアプリ『GO』の バックエンド開発のおける AI利活用と若者のすべて
pyama86
3
1.9k
The NotImplementedError Problem in Ruby
koic
1
590
軽量Java基盤の設計 DIコンテナに頼らない、長期保守と1秒起動の実現 JJUG CCC 2026 Spring
macha64
0
450
Featured
See All Featured
Groundhog Day: Seeking Process in Gaming for Health
codingconduct
0
200
Digital Projects Gone Horribly Wrong (And the UX Pros Who Still Save the Day) - Dean Schuster
uxyall
0
1.6k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
28
3.5k
The Spectacular Lies of Maps
axbom
PRO
1
790
Accessibility Awareness
sabderemane
1
130
4 Signs Your Business is Dying
shpigford
187
22k
Keith and Marios Guide to Fast Websites
keithpitt
413
23k
Large-scale JavaScript Application Architecture
addyosmani
515
110k
ラッコキーワード サービス紹介資料
rakko
1
3.5M
Leading Effective Engineering Teams in the AI Era
addyosmani
9
2k
So, you think you're a good person
axbom
PRO
2
2k
Exploring the relationship between traditional SERPs and Gen AI search
raygrieselhuber
PRO
2
4k
Transcript
Node Security Platform, nsp, npm audit גࣜձࣾϝϧΧϦ SET(Software Engineer in
Test) @urahiroshi (Hiroshi Urayama)
Node Security Platform • https://nodesecurity.io • npmύοέʔδͷ੬ऑੑใΛใࠂɺऔಘͰ͖Δϓ ϥοτϑΥʔϜ • ੬ऑੑΛใࠂ͢Δ
=> ύοέʔδͷϝϯςφʹ௨ => मਖ਼ or 45ܦաͰެ։͞ΕΔ (https://nodesecurity.io/report)
None
nsp • https://github.com/nodesecurity/nsp • Node Security Platformͷ੬ऑੑใΛجʹɺΠϯετʔϧ͍ͯ͠ Δnpmύοέʔδͷ੬ऑੑΛݕ͢Δ͜ͱ͕Ͱ͖Δύοέʔδ • Node
Security PlatformΛӡӦ͢Δ ^Lift Security ͕npm, Incʹങऩ͞ΕɺnpmίϚϯυʹύοέʔδ ͷ੬ऑੑݕ(npm audit)͕Έࠐ·ΕͨͷͰɺࠓޙੵۃతʹ͏ ཧ༝ͳ͍ • GitHubϦϙδτϦΞʔΧΠϒԽ͞Ε͍ͯΔ
`nsp check`
npm audit •
[email protected]
,
[email protected]
͔Β͑ΔΑ͏ʹͳͬͨ • npm installͨ͠ࡍʹࣗಈతʹ࣮ߦ͞ΕɺαϚϦ͕දࣔ͞ΕΔʢҎԼʣ •
[email protected]
͔Βjsonग़ྗ(`npm audit —json`)੬ऑੑͷ͋Δύοέʔδͷࣗ ಈߋ৽(`npm audit fix`)ػೳ͕Ճ͞ΕɺΑΓ͑ΔΑ͏ʹͳͬͨ • nspͷڍಈͱޓੑͳ͍ • Ұ෦ͷύοέʔδؚ͕·Ε͍ͯΔͱΤϥʔʹͳΔ߹͕͋Δ (nspͳΒେ ৎͳͷʹ…) https://github.com/npm/npm/issues/20604
`npm audit`
yarnͷ߹ • nspnpm audityarn.lockʹඇରԠ - nsp: package.json͚ͩͰ੬ऑੑใදࣔ - npm audit:
ΤϥʔʹͳΔ
yarnͷ߹ 1. (nspͷ߹ͷΈ) [nsp-preprocessor-yarn](https://github.com/ hermanbanken/nsp-preprocessor-yarn) Λ͏ • ੵۃతʹ͏ཧ༝ͳ͍ 2. [synp](https://github.com/imsnif/synp)Ͱyarn.lockΛpackage-
lock.json ʹม͢Δ 3. `yarn install` ͨ͠ޙʹ `npm shrinkwrap` ͢Δ 4. ͍ۙ͏ͪʹ `yarn audit` ͕Ͱ͖ͦ͏ʁ https://github.com/yarnpkg/yarn/issues/5808
CIͰ͏ • CircleCIͷScheduling JobΛͬͯఆظతʹ࣮ߦ • िҰճ: ΞυόΠβϦҰཡΛSlackʹ௨ • ৄࡉCircleCIͷ࣮ߦϩά͔ΒݟΔ(ҎԼྫ)
• ຖ: ΞυόΠβϦҰཡʹมԽ͕͋ΕSlack௨ (લճͷ࣮ߦ ݁ՌΛCircleCIͷΩϟογϡʹอଘͯ͠ൺֱʹ͏)
ӡ༻ͯ͠Έͯ • ݕग़͞ΕΔ੬ऑੑͷߋ৽සଟ͍ͷͰɺӡ༻ίετ͚ͬ͜͏ େ͖͍ • ྫ: webpackͷ੬ऑੑݕࠪͯ͠Έͨ߹ • ҎԼͷྲྀΕͰௐ͍ࠪͯ͠Δ 1.
ৄࡉ(େମHackerOneͷϦϯΫ͕͍͍ͭͯΔ)Λݟͯ੬ऑੑͷ ༰ɺൃੜ݅Λ֬ೝ 2. ϥΠϒϥϦͷ༻్ͱরΒ͠߹ΘͤͯϦεΫ͕͋Δ͔அ ʢϏϧυ༻్ͷϥΠϒϥϦͰ͋ͬͯඞͣ҆શͩͱݴ͑ͳ͍ɻ੬ ऑੑͷ༰࣍ୈʣ
ӡ༻ͯ͠Έͯ • ύονग़ͯͳ͍ͷ͕݁ߏଟ͍ • “It is our recommendation to not
install or use this module at this time.” • ͳ͔ͳ͔͙͢ʹରԠ͍͠ • npmʹΈࠐ·Εͨ͜ͱͰɺͬͱରԠ͞Ε͍ͯ ͘ & ରԠ͞Εͳ͍ύοέʔδࣗવ౫ଡ͞Ε͍ͯ ͘Α͏ʹͳΔ͜ͱΛظ
͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ • ϝϧΧϦͰSET (Software Engineer in Test) ͷϝϯόʔΛਵ࣌ืूதͰ͢
SiteGround - Reliable hosting with speed, security, and support you can count on.
urahiroshi
simotin13
htkym
hayatoshimiu
yusukebe
contour_gara
kyoko_nr_nr
kazupon
nao_mk2
danielsogl
pyama86
koic
macha64
codingconduct
uxyall
eileencodes
axbom
sabderemane
shpigford
keithpitt
addyosmani
rakko
raygrieselhuber
![npm audit • [email protected], [email protected]͔Β͑ΔΑ͏ʹͳͬͨ • npm installͨ͠ࡍʹࣗಈతʹ࣮ߦ͞ΕɺαϚϦ͕දࣔ͞ΕΔʢҎԼʣ •](https://files.speakerdeck.com/presentations/8fdf6c88394d4756ab2683803de9bfba/slide_5.jpg){kind=link}
 Λ͏ • ੵۃతʹ͏ཧ༝ͳ͍ 2. [synp](https://github.com/imsnif/synp)Ͱyarn.lockΛpackage-](https://files.speakerdeck.com/presentations/8fdf6c88394d4756ab2683803de9bfba/slide_8.jpg){kind=link}
