How to prioritize npm dev vulnerabilities?

Question

Running SNYK scanning on my code base I find a number of HIGH vulnerabilities when I include the npm dev dependencies (e.g. running SNYK -dev test --file=package.json).

Examples of vulnerabilities:

• https://app.snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-536840
• https://app.snyk.io/vuln/SNYK-JS-NODESASS-540974

What are your take on fixing such issues in dev dependencies? Should they be fixed or simply ignored? And why - what are the good arguments?

How can I ensure that no traces (i.e. vulnerabilities) of the dev-marked code is found in the production code? Can I?

And what about insider threats?

Answer 1

How can I ensure that no traces (i.e. vulnerabilities) of the dev-marked code is found in the production code? Can I?

While deploying your code in production environment, you should install production only dependencies. This can be done as:

npm install --only=prod

It always best practice to use latest version of dev or production dependencies. There are several reasons for that:

• If you are starting a new project you just want to make sure that you don't accumulate technical debt before even releasing your product.
• Releasing an application with known vulnerabilities increases risk of compromising your application. An attacker could exploit a known bug in a dependency to further gain access to your application.
• Also from compliance and regulatory perspective, you are obliged to provide a secure app to your customers. Having known vulnerabilities in your application means you have failed that obligation.
• Well dev dependencies shouldn't be shipped with production code anyways, but it's always best practice to use secure versions in dev environment as well just in case to cover the case where someone accidentally pushes dev dependency in production.