October 23, 2018
Cover Your Apps While Still Using npm
Tierney Cyren
© 2018 NodeSource
@bitandbang
$ whoami
Developer Advocate
npm: the numbers
26,500,000,000 downloads last month
815,000 packages
6,500,000,000 downloads last week
We have a large and diverse ecosystem
• There’s probably already a module to do what you want
• You can build out prototypes extremely quickly, and iterate from there
• There’s a diverse set of tools to solve your problems
• There’s a large pool of talent – both junior and senior
• You only need to know JavaScript to do anything you want to
credit: webcomicname.com / @dorrismccomics / npmjs.com / @npmjs
We have a large and diverse ecosystem
• There’s probably multiple modules to do what you want
• How do you choose?
• How can you know you trust all the modules you’re using?
• Do you even know all the modules you’re using?
• What tools can you use to ensure you’re shipping secure code?
• What do you do when there’s an outage?
Software Repositories are Key Internet Infrastructure
How many of you trust GitHub?
🖐
How many of you trust npm?
🖐
Should you trust software repositories like npm to be perfect?
🙅
really good at making software configurable & extensible
What can you do to cover your apps?
Set up a Registry Mirror as a Fallback
npmjs.cf / cnpmjs.org / roll your own
npm registry mirror on CloudFlare, maintained by a CloudFlare employee.
npmjs.cf
Set up a Registry Mirror as a Fallback
Chinese mirror of the npm registry, originally used by JavaScript developers in China as a solution for ensuring there aren’t issues between the Great Firewall and npmjs.com.
cnpmjs.org
Set up a Registry Mirror as a Fallback
You can stand up your own mirror to ensure you’ve got maximum uptime.
If you roll your own, why not make it public and … the 💚?
Roll Your Own
Set up a Registry Mirror as a Fallback
nsrc.io/replicate-guide
Cache Locally & Publish Privately
Enterprises: npm Enterprise / jFrog Artifactory
Developers/DIY: Verdaccio / Git / local-npm
npm’s own single-tenant, enterprise-grade private registry on GKE.
npm Enterprise
Cache Locally & Publish Privately
jFrog’s solution to a private registry. If you already have Artifactory, this is a quick and easy win.
jFrog Artifactory
Cache Locally & Publish Privately
Entirely open-source solution to private publishing. Fantastic, zero-cost* solution.
Verdaccio
Cache Locally & Publish Privately
* If you want to support the continued development of Verdaccio, they have an OpenCollective: opencollective.com/verdaccio
Monitor for Vulnerabilities
npm audit / Snyk / CVEs / Node.js Security WG
Formerly Node Security Platform from ^Lift Security, npm audit is built directly into the npm CLI.
npm audit
Monitor for Vulnerabilities
Largest database of all kinds of Node.js and JavaScript vulnerabilities in npm, all available in machine-consumable form to paid users.
Snyk
Monitor for Vulnerabilities
CVEs technically hold all known Node.js and npm vulnerabilities. Zero easy-win automation.
CVEs
Monitor for Vulnerabilities
The Node.js Security WG has the second largest vulnerability data set. The data includes ecosystem and Node.js core vulnerabilities.
Node.js Security WG
Monitor for Vulnerabilities
All of these are development-time and CI/CD tools.
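As an added example (not code from the talk or from npm), one way to use npm audit as a CI/CD gate: the script below takes the text that `npm audit --json` prints, totals the per-severity counts npm reports under `metadata.vulnerabilities`, and fails the build when anything at or above a chosen severity is present. The sample report and its numbers are constructed.

```javascript
// Added example, not from the talk: gate a CI build on `npm audit --json`.
// In CI: npm audit --json > audit.json, then feed the file's text to gateAudit().
// npm prints severity totals under metadata.vulnerabilities (the npm 6 layout
// and the auditReportVersion 2 layout of npm 7+ both carry that field).

// Severity levels in ascending order, as npm names them.
const SEVERITIES = ["info", "low", "moderate", "high", "critical"];

// Parse the audit output and return one count per severity; levels npm
// did not mention come back as 0 so callers can rely on every key existing.
function severityCounts(auditJsonText) {
  const report = JSON.parse(auditJsonText);
  const raw = (report.metadata && report.metadata.vulnerabilities) || {};
  const counts = {};
  for (const level of SEVERITIES) counts[level] = Number(raw[level] || 0);
  return counts;
}

// Decide whether the build may continue: any finding at or above
// `threshold` blocks; lower ones are tolerated but still reported.
function gateAudit(auditJsonText, threshold = "high") {
  const idx = SEVERITIES.indexOf(threshold);
  if (idx < 0) throw new Error(`unknown severity threshold: ${threshold}`);
  const counts = severityCounts(auditJsonText);
  const blocking = SEVERITIES.slice(idx).reduce((n, l) => n + counts[l], 0);
  return { pass: blocking === 0, blocking, counts };
}

// Constructed sample in the shape npm emits; the numbers are invented.
const SAMPLE_AUDIT = JSON.stringify({
  actions: [],
  advisories: {},
  metadata: {
    vulnerabilities: { info: 0, low: 3, moderate: 1, high: 2, critical: 0 },
  },
});

// With the default "high" threshold the sample fails (2 high findings);
// relaxing the threshold to "critical" lets it pass.
const strict = gateAudit(SAMPLE_AUDIT);              // pass: false, blocking: 2
const relaxed = gateAudit(SAMPLE_AUDIT, "critical"); // pass: true, blocking: 0
console.log(JSON.stringify({ strict, relaxed }, null, 2));
```

In a pipeline step, exit non-zero when `pass` is false so the job stops before the artifact is published.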
Covering Your Apps in Production
What are the options?
There aren’t a lot!
😔
Monitor your Node.js applications for top level and deeply nested security vulnerabilities, live in production.
N|Solid
Covering Your Apps in Production
What can you do to Cover Your Apps While Still Using npm?
Development Time:
Set up a Registry Mirror as a Fallback
Cache Locally & Publish Privately
Monitor for Vulnerabilities
Production:
N|Solid
Thank you.
Tierney Cyren
tierney@nodesource.com
@bitandbang