GitHub Security Alerts?
Have you ever been coding along your merry day and received an email from GitHub saying that there is a security vulnerability in one of your dependencies, and you’re not quite sure what it means? Or you open your repository on GitHub, see this note at the top, and you’re ready to freak out because you don’t know what it means?

Well, this short blog is for you, and I hope to shed some light on the subject. As developers, we either come across or create a package.json file through Node.js or a package manager. Inside package.json we find our project metadata in plain JSON object format. We also find the dependencies needed to run our application and the dev dependencies used to help during development. When we install these packages, they bring their version specifiers along with them. Depending on how a package was installed, its specifier may or may not allow newer releases to be picked up. If your applications sit around for a while they become stale, and the dependencies we rely on become outdated and can become vulnerable to security issues. In my case, I have a Dependabot alert in my package-lock.json file for serialize-javascript.

Notice that our installed packages are listed together with their version specifiers. Some versions carry a ^ as a prefix, which lets that dependency move to newer compatible releases when you update.

Whereas if there is no ^, the version stays pinned exactly as written until you manually update it.

If a project sits too long without being kept up to date, or someone clones your old code and runs npm install, the outdated packages can cause security or functional issues in your program. GitHub sends out emails or flags on your profile to notify you of these vulnerabilities as they arise. They may seem terrifying at first, but they’re really looking out for you. The easy fix is simply to keep your project’s dependency versions up to date, which prevents the security vulnerabilities. Keep in mind that updating packages can cause other problems in your app, so it’s always best to check the documentation for the new version of the package to see what changed and how it will affect your app. With that being said, it’s better to be safe than sorry.
Here are a few examples of updating a Lodash package through npm:
npm update lodash --save (updates a single package and records the new version)
npm update --dev --save-dev (updates the dev dependencies)
npm update (updates all dependencies and dev dependencies)
npm update -g (updates all global packages)
npm update -g lodash (updates a single global package)
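Whether npm update can actually get you onto a patched release depends on the range in package.json: a ^ range reaches newer compatible versions, while a pinned version (or a fix in a new major) needs a manual edit. The following script is an added example, not code from the original post; the package names, installed versions and patched versions in it are constructed sample data, not real advisory numbers, and it handles only exact and ^ ranges.

```javascript
// Parses "MAJOR.MINOR.PATCH" into numbers; pre-release tags are out of scope here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// Exclusive upper bound of a ^ range, following npm's semver rules:
// ^1.2.3 allows <2.0.0, ^0.2.3 allows <0.3.0, ^0.0.3 allows <0.0.4.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}
// True if `version` falls inside `spec`: an exact version ("2.1.0") or a
// caret range ("^4.17.15"). Other operators (~, >=, x) are rejected.
function satisfies(spec, version) {
  const v = parseVersion(version);
  if (spec.startsWith('^')) {
    const base = parseVersion(spec.slice(1));
    return compareVersions(v, base) >= 0 && compareVersions(v, caretUpperBound(base)) < 0;
  }
  return compareVersions(v, parseVersion(spec)) === 0;
}
// One row per dependency: the declared range, the installed (lock file)
// version, and what it takes to get onto the patched version.
function auditFixes(dependencies, installed, patched) {
  return Object.entries(dependencies).map(([name, spec]) => {
    const current = installed[name];
    const fix = patched[name] || null;
    let action = 'no advisory';
    if (fix && compareVersions(parseVersion(current), parseVersion(fix)) >= 0) action = 'already patched';
    else if (fix && satisfies(spec, fix)) action = 'npm update reaches fix';
    else if (fix) action = 'edit package.json: fix is outside the range';
    return { name, spec, current, fix, action };
  });
}

// Constructed sample data (hypothetical packages and patched versions, not
// real advisory numbers): package.json ranges, lock file versions, fixes.
const sampleDeps = { lodash: '^4.17.15', 'serialize-javascript': '^2.1.0', 'pinned-pkg': '1.4.0', 'zero-major': '^0.5.1' };
const sampleInstalled = { lodash: '4.17.15', 'serialize-javascript': '2.1.0', 'pinned-pkg': '1.4.0', 'zero-major': '0.5.1' };
const samplePatched = { 'serialize-javascript': '2.1.2', 'pinned-pkg': '1.4.1', 'zero-major': '0.6.0' };

console.log(auditFixes(sampleDeps, sampleInstalled, samplePatched));
```

The zero-major row shows the ^ rule that surprises people: ^0.5.1 stops before 0.6.0, so npm update will not pull that fix in.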
Keeping our packages up to date will keep our applications secure and functional for future users, and keep GitHub off our back. I hope you enjoyed this read; please share, and thank you.