
React, and its application creation script, create-react-app, are popular packages nowadays... and with good reason: React is a rock-star framework.

From a security perspective, sanitizing all the packages that create-react-app installs seems to be a massive undertaking.

I just did a quick count of installed packages, by entering npm ls into the command line of my installation home, and counted 2226 packages! :O Furthermore, that was just local packages, and does not include global.

How is this massive package tree properly sanitized?

I suppose there is a greater question here, of how to scan npm-installed packages, and their dependencies.

Does it make sense to run each and every one of these packages through a scanner?

Anders
kmiklas

1 Answer


You can use the https://snyk.io/ scanner.

The dependencies of applications like React are really complex. The same packages are used in multiple versions. Also, as such projects evolve they add more npm modules, which makes it even more complex. When adding custom modules, it's good to make sure that they are the most recent version, that they are used by others, that they have been recently updated, etc.

Aria
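Before feeding a tree of this size to a scanner, it helps to know what is actually in it. The Node.js script below is an added example, not part of the answer or of any npm tooling: it walks the JSON shape that `npm ls --json` prints (on npm 7 and later add `--all` to get the full tree) and reports how many package nodes there are, how many distinct names, and which packages are installed in more than one version, the duplication the answer mentions. The tree it runs on is a constructed, deliberately tiny sample.

```javascript
// Constructed sample in the shape of `npm ls --json` output (trimmed to the
// fields this script reads). Replace with: JSON.parse(fs.readFileSync("tree.json"))
const sampleTree = {
  name: "my-app",
  version: "0.1.0",
  dependencies: {
    react: { version: "16.8.0",
             dependencies: { "loose-envify": { version: "1.4.0" } } },
    "react-scripts": {
      version: "3.0.0",
      dependencies: {
        "loose-envify": { version: "1.3.1" },
        semver: { version: "6.0.0" },
        "babel-core": { version: "7.0.0",
                        dependencies: { semver: { version: "5.7.0" } } }
      }
    }
  }
};

// Depth-first walk: record every installed node (what `npm ls` counts) and the
// set of versions seen for each package name.
function collectPackages(tree) {
  const versions = new Map();
  let nodeCount = 0;
  (function walk(deps) {
    for (const [name, info] of Object.entries(deps || {})) {
      nodeCount++;
      if (!versions.has(name)) versions.set(name, new Set());
      versions.get(name).add(info.version);
      walk(info.dependencies); // nested copies live under each dependent
    }
  })(tree.dependencies);
  return { versions, nodeCount };
}

// Packages present in more than one version: every extra version is another
// copy of the code that a scanner (and your review) has to cover.
function duplicates(tree) {
  const out = {};
  for (const [name, set] of collectPackages(tree).versions) {
    if (set.size > 1) out[name] = [...set].sort();
  }
  return out;
}

function summary(tree) {
  const { versions, nodeCount } = collectPackages(tree);
  return { nodes: nodeCount, unique: versions.size,
           duplicated: Object.keys(duplicates(tree)).length };
}

console.log(summary(sampleTree), duplicates(sampleTree));
```

On a real create-react-app install the gap between `nodes` and `unique` shows how much of the 2226 count is repeated copies of the same package rather than distinct code to review.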