Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Node Security Platform, nsp, npm audit @roppong...

urahiroshi
May 29, 2018
Programming
1
880

Node Security Platform, nsp, npm audit @roppongi.js#3

Roppongi.js#3 の資料です

urahiroshi

May 29, 2018
Tweet

More Decks by urahiroshi

See All by urahiroshi
プロダクトのスケールによって顕在化しうるリスクをどう管理するか?
urahiroshi
8
4.7k
Mercari_Frontend_CircleCI.pdf
urahiroshi
2
2.6k
SET活動のすすめ.pdf
urahiroshi
1
1.5k

Other Decks in Programming

See All in Programming
Streams APIとTCPフロー制御 / Web Streams API and TCP flow control
tasshi
2
350
as(型アサーション)を書く前にできること
marokanatani
10
2.7k
.NET のための通信フレームワーク MagicOnion 入門 / Introduction to MagicOnion
mayuki
1
1.6k
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
1
100
弊社の「意識チョット低いアーキテクチャ」10選
texmeijin
5
24k
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
0
110
CSC509 Lecture 09
javiergs
PRO
0
140
Nurturing OpenJDK distribution: Eclipse Temurin Success History and plan
ivargrimstad
0
920
Less waste, more joy, and a lot more green: How Quarkus makes Java better
hollycummins
0
100
Outline View in SwiftUI
1024jp
1
330
Arm移行タイムアタック
qnighy
0
330
Amazon Bedrock Agentsを用いてアプリ開発してみた!
har1101
0
340

Featured

See All Featured
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
Ruby is Unlike a Banana
tanoku
97
11k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
109
49k
Teambox: Starting and Learning
jrom
133
8.8k
Visualization
eitanlees
145
15k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Building Applications with DynamoDB
mza
90
6.1k
Building an army of robots
kneath
302
43k
Navigating Team Friction
lara
183
14k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
0
96

Transcript

  1. Node Security Platform, nsp, npm audit גࣜձࣾϝϧΧϦ SET(Software Engineer in

    Test) @urahiroshi (Hiroshi Urayama)

  2. Node Security Platform • https://nodesecurity.io • npmύοέʔδͷ੬ऑੑ৘ใΛใࠂɺऔಘͰ͖Δϓ ϥοτϑΥʔϜ • ੬ऑੑΛใࠂ͢Δ


    => ύοέʔδͷϝϯςφʹ௨஌
 => मਖ਼ or 45೔ܦաͰެ։͞ΕΔ
 (https://nodesecurity.io/report)
  3. None

  4. nsp • https://github.com/nodesecurity/nsp • Node Security Platformͷ੬ऑੑ৘ใΛجʹɺΠϯετʔϧ͍ͯ͠ Δnpmύοέʔδͷ੬ऑੑΛݕ஌͢Δ͜ͱ͕Ͱ͖Δύοέʔδ • Node

    Security PlatformΛӡӦ͢Δ
 ^Lift Security ͕npm, Incʹങऩ͞ΕɺnpmίϚϯυʹύοέʔδ ͷ੬ऑੑݕ஌(npm audit)͕૊Έࠐ·ΕͨͷͰɺࠓޙੵۃతʹ࢖͏ ཧ༝͸ͳ͍ • GitHubϦϙδτϦ΋ΞʔΧΠϒԽ͞Ε͍ͯΔ

  5. `nsp check`

  6. npm audit • [email protected], [email protected]͔Β࢖͑ΔΑ͏ʹͳͬͨ • npm installͨ͠ࡍʹ΋ࣗಈతʹ࣮ߦ͞ΕɺαϚϦ͕දࣔ͞ΕΔʢҎԼʣ
 
 •

    [email protected]͔Βjsonग़ྗ(`npm audit —json`)΍੬ऑੑͷ͋Δύοέʔδͷࣗ ಈߋ৽(`npm audit fix`)ػೳ͕௥Ճ͞ΕɺΑΓ࢖͑ΔΑ͏ʹͳͬͨ • nspͷڍಈͱޓ׵ੑ͸ͳ͍ • Ұ෦ͷύοέʔδؚ͕·Ε͍ͯΔͱΤϥʔʹͳΔ৔߹͕͋Δ (nspͳΒେ ৎ෉ͳͷʹ…)
 https://github.com/npm/npm/issues/20604

  7. `npm audit`

  8. yarnͷ৔߹ • nsp΋npm audit΋yarn.lockʹ͸ඇରԠ
 - nsp: package.json͚ͩͰ੬ऑੑ৘ใදࣔ
 - npm audit:

    ΤϥʔʹͳΔ

  9. yarnͷ৔߹ 1. (nspͷ৔߹ͷΈ) [nsp-preprocessor-yarn](https://github.com/ hermanbanken/nsp-preprocessor-yarn) Λ࢖͏ • ੵۃతʹ࢖͏ཧ༝͸ͳ͍ 2. [synp](https://github.com/imsnif/synp)Ͱyarn.lockΛpackage-

    lock.json ʹม׵͢Δ 3. `yarn install` ͨ͠ޙʹ `npm shrinkwrap` ͢Δ 4. ͍ۙ͏ͪʹ `yarn audit` ͕Ͱ͖ͦ͏ʁ
 https://github.com/yarnpkg/yarn/issues/5808

  10. CIͰ࢖͏ • CircleCIͷScheduling JobΛ࢖ͬͯఆظతʹ࣮ߦ • िҰճ: ΞυόΠβϦҰཡΛSlackʹ௨஌ • ৄࡉ͸CircleCIͷ࣮ߦϩά͔ΒݟΔ(ҎԼྫ)
 


    
 
 • ຖ೔: ΞυόΠβϦҰཡʹมԽ͕͋Ε͹Slack௨஌ (લճͷ࣮ߦ ݁ՌΛCircleCIͷΩϟογϡʹอଘͯ͠ൺֱʹ࢖͏)

  11. ӡ༻ͯ͠Έͯ • ݕग़͞ΕΔ੬ऑੑͷ਺΋ߋ৽ස౓΋ଟ͍ͷͰɺӡ༻ίετ͸͚ͬ͜͏ େ͖͍ • ྫ: webpackͷ੬ऑੑݕࠪͯ͠Έͨ৔߹
 • ҎԼͷྲྀΕͰௐ͍ࠪͯ͠Δ
 1.

    ৄࡉ(େମHackerOneͷϦϯΫ͕͍͍ͭͯΔ)Λݟͯ੬ऑੑͷ಺ ༰ɺൃੜ৚݅Λ֬ೝ
 2. ϥΠϒϥϦͷ༻్ͱরΒ͠߹ΘͤͯϦεΫ͕͋Δ͔൑அ
 ʢϏϧυ༻్ͷϥΠϒϥϦͰ͋ͬͯ΋ඞͣ҆શͩͱ͸ݴ͑ͳ͍ɻ੬ ऑੑͷ಺༰࣍ୈʣ

  12. ӡ༻ͯ͠Έͯ • ύονग़ͯͳ͍ͷ͕݁ߏଟ͍ • “It is our recommendation to not

    install or use this module at this time.” • ͳ͔ͳ͔͙͢ʹରԠ͠೉͍ • npmʹ૊Έࠐ·Εͨ͜ͱͰɺ΋ͬͱରԠ͞Ε͍ͯ ͘ & ରԠ͞Εͳ͍ύοέʔδ͸ࣗવ౫ଡ͞Ε͍ͯ ͘Α͏ʹͳΔ͜ͱΛظ଴

  13. ͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ • ϝϧΧϦͰ͸SET (Software Engineer in Test) ͷϝϯόʔΛਵ࣌ืूதͰ͢