Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Node Security Platform, nsp, npm audit @roppong...

urahiroshi
May 29, 2018
Programming
1
930

Node Security Platform, nsp, npm audit @roppongi.js#3

Roppongi.js#3 の資料です

urahiroshi

May 29, 2018
Tweet

More Decks by urahiroshi

See All by urahiroshi
組織拡大でカルチャー崩壊を防ぐためにできること
urahiroshi
0
280
プロダクトのスケールによって顕在化しうるリスクをどう管理するか?
urahiroshi
8
5.5k
Mercari_Frontend_CircleCI.pdf
urahiroshi
2
2.6k
SET活動のすすめ.pdf
urahiroshi
1
1.5k

Other Decks in Programming

See All in Programming
Building a macOS screen saver with Kotlin (Android Makers 2025)
zsmb
1
150
プロフェッショナルとしての成長「問題の深掘り」が導く真のスキルアップ / issue-analysis-and-skill-up
minodriven
6
720
小田原でみんなで一句詠みたいな #phpcon_odawara
stefafafan
0
340
Amazon CloudWatchの地味だけど強力な機能紹介!
itotsum
0
160
Sharing features among Android applications: experience feedback
jbvincey
0
110
海外のアプリで見かけたかっこいいTransitionを真似てみる
shogotakasaki
1
170
Qiita Bash
mercury_dev0517
2
200
Do Dumb Things
mitsuhiko
0
440
Empowering Developers with HTML-Aware ERB Tooling @ RubyKaigi 2025, Matsuyama, Ehime
marcoroth
2
640
国漢文混用体からHolloまで
minhee
1
190
SEAL - Dive into the sea of search engines - Symfony Live Berlin 2025
alexanderschranz
1
140
gen_statem - OTP's Unsung Hero
whatyouhide
1
200

Featured

See All Featured
We Have a Design System, Now What?
morganepeng
52
7.5k
Side Projects
sachag
452
42k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
Rebuilding a faster, lazier Slack
samanthasiow
80
8.9k
Stop Working from a Prison Cell
hatefulcrawdad
268
20k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
13
670
Fontdeck: Realign not Redesign
paulrobertlloyd
83
5.5k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
30
2.3k
Producing Creativity
orderedlist
PRO
344
40k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Speed Design
sergeychernyshev
29
900

Transcript

  1. Node Security Platform, nsp, npm audit גࣜձࣾϝϧΧϦ SET(Software Engineer in

    Test) @urahiroshi (Hiroshi Urayama)

  2. Node Security Platform • https://nodesecurity.io • npmύοέʔδͷ੬ऑੑ৘ใΛใࠂɺऔಘͰ͖Δϓ ϥοτϑΥʔϜ • ੬ऑੑΛใࠂ͢Δ


    => ύοέʔδͷϝϯςφʹ௨஌
 => मਖ਼ or 45೔ܦաͰެ։͞ΕΔ
 (https://nodesecurity.io/report)
  3. None

  4. nsp • https://github.com/nodesecurity/nsp • Node Security Platformͷ੬ऑੑ৘ใΛجʹɺΠϯετʔϧ͍ͯ͠ Δnpmύοέʔδͷ੬ऑੑΛݕ஌͢Δ͜ͱ͕Ͱ͖Δύοέʔδ • Node

    Security PlatformΛӡӦ͢Δ
 ^Lift Security ͕npm, Incʹങऩ͞ΕɺnpmίϚϯυʹύοέʔδ ͷ੬ऑੑݕ஌(npm audit)͕૊Έࠐ·ΕͨͷͰɺࠓޙੵۃతʹ࢖͏ ཧ༝͸ͳ͍ • GitHubϦϙδτϦ΋ΞʔΧΠϒԽ͞Ε͍ͯΔ

  5. `nsp check`

  6. npm audit • [email protected], [email protected]͔Β࢖͑ΔΑ͏ʹͳͬͨ • npm installͨ͠ࡍʹ΋ࣗಈతʹ࣮ߦ͞ΕɺαϚϦ͕දࣔ͞ΕΔʢҎԼʣ
 
 •

    [email protected]͔Βjsonग़ྗ(`npm audit —json`)΍੬ऑੑͷ͋Δύοέʔδͷࣗ ಈߋ৽(`npm audit fix`)ػೳ͕௥Ճ͞ΕɺΑΓ࢖͑ΔΑ͏ʹͳͬͨ • nspͷڍಈͱޓ׵ੑ͸ͳ͍ • Ұ෦ͷύοέʔδؚ͕·Ε͍ͯΔͱΤϥʔʹͳΔ৔߹͕͋Δ (nspͳΒେ ৎ෉ͳͷʹ…)
 https://github.com/npm/npm/issues/20604

  7. `npm audit`

  8. yarnͷ৔߹ • nsp΋npm audit΋yarn.lockʹ͸ඇରԠ
 - nsp: package.json͚ͩͰ੬ऑੑ৘ใදࣔ
 - npm audit:

    ΤϥʔʹͳΔ

  9. yarnͷ৔߹ 1. (nspͷ৔߹ͷΈ) [nsp-preprocessor-yarn](https://github.com/ hermanbanken/nsp-preprocessor-yarn) Λ࢖͏ • ੵۃతʹ࢖͏ཧ༝͸ͳ͍ 2. [synp](https://github.com/imsnif/synp)Ͱyarn.lockΛpackage-

    lock.json ʹม׵͢Δ 3. `yarn install` ͨ͠ޙʹ `npm shrinkwrap` ͢Δ 4. ͍ۙ͏ͪʹ `yarn audit` ͕Ͱ͖ͦ͏ʁ
 https://github.com/yarnpkg/yarn/issues/5808

  10. CIͰ࢖͏ • CircleCIͷScheduling JobΛ࢖ͬͯఆظతʹ࣮ߦ • िҰճ: ΞυόΠβϦҰཡΛSlackʹ௨஌ • ৄࡉ͸CircleCIͷ࣮ߦϩά͔ΒݟΔ(ҎԼྫ)
 


    
 
 • ຖ೔: ΞυόΠβϦҰཡʹมԽ͕͋Ε͹Slack௨஌ (લճͷ࣮ߦ ݁ՌΛCircleCIͷΩϟογϡʹอଘͯ͠ൺֱʹ࢖͏)

  11. ӡ༻ͯ͠Έͯ • ݕग़͞ΕΔ੬ऑੑͷ਺΋ߋ৽ස౓΋ଟ͍ͷͰɺӡ༻ίετ͸͚ͬ͜͏ େ͖͍ • ྫ: webpackͷ੬ऑੑݕࠪͯ͠Έͨ৔߹
 • ҎԼͷྲྀΕͰௐ͍ࠪͯ͠Δ
 1.

    ৄࡉ(େମHackerOneͷϦϯΫ͕͍͍ͭͯΔ)Λݟͯ੬ऑੑͷ಺ ༰ɺൃੜ৚݅Λ֬ೝ
 2. ϥΠϒϥϦͷ༻్ͱরΒ͠߹ΘͤͯϦεΫ͕͋Δ͔൑அ
 ʢϏϧυ༻్ͷϥΠϒϥϦͰ͋ͬͯ΋ඞͣ҆શͩͱ͸ݴ͑ͳ͍ɻ੬ ऑੑͷ಺༰࣍ୈʣ

  12. ӡ༻ͯ͠Έͯ • ύονग़ͯͳ͍ͷ͕݁ߏଟ͍ • “It is our recommendation to not

    install or use this module at this time.” • ͳ͔ͳ͔͙͢ʹରԠ͠೉͍ • npmʹ૊Έࠐ·Εͨ͜ͱͰɺ΋ͬͱରԠ͞Ε͍ͯ ͘ & ରԠ͞Εͳ͍ύοέʔδ͸ࣗવ౫ଡ͞Ε͍ͯ ͘Α͏ʹͳΔ͜ͱΛظ଴

  13. ͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ • ϝϧΧϦͰ͸SET (Software Engineer in Test) ͷϝϯόʔΛਵ࣌ืूதͰ͢