Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Node Security Platform, nsp, npm audit @roppong...

urahiroshi
May 29, 2018
Programming
1
900

Node Security Platform, nsp, npm audit @roppongi.js#3

Roppongi.js#3 の資料です

urahiroshi

May 29, 2018
Tweet

More Decks by urahiroshi

See All by urahiroshi
プロダクトのスケールによって顕在化しうるリスクをどう管理するか?
urahiroshi
8
5.2k
Mercari_Frontend_CircleCI.pdf
urahiroshi
2
2.6k
SET活動のすすめ.pdf
urahiroshi
1
1.5k

Other Decks in Programming

See All in Programming
楽しく向き合う例外対応
okutsu
0
140
Formの複雑さに立ち向かう
bmthd
1
850
富山発の個人開発サービスで日本中の学校の業務を改善した話
krpk1900
4
390
なぜイベント駆動が必要なのか - CQRS/ESで解く複雑系システムの課題 -
j5ik2o
11
4k
CSS Linter による Baseline サポートの仕組み
ryo_manba
1
110
2024年のkintone API振り返りと2025年 / kintone API look back in 2024
tasshi
0
220
Multi Step Form, Decentralized Autonomous Organization
pumpkiinbell
1
750
CI改善もDatadogとともに
taumu
0
120
『テスト書いた方が開発が早いじゃん』を解き明かす #phpcon_nagoya
o0h
PRO
2
280
法律の脱レガシーに学ぶフロントエンド刷新
oguemon
5
740
color-scheme: light dark; を完全に理解する
uhyo
5
390
Amazon Q Developer Proで効率化するAPI開発入門
seike460
PRO
0
110

Featured

See All Featured
GraphQLとの向き合い方2022年版
quramy
44
13k
Intergalactic Javascript Robots from Outer Space
tanoku
270
27k
Git: the NoSQL Database
bkeepers
PRO
427
64k
Rebuilding a faster, lazier Slack
samanthasiow
80
8.8k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
7k
A Modern Web Designer's Workflow
chriscoyier
693
190k
RailsConf 2023
tenderlove
29
1k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5.2k
[RailsConf 2023] Rails as a piece of cake
palkan
53
5.2k
Thoughts on Productivity
jonyablonski
69
4.5k

Transcript

  1. Node Security Platform, nsp, npm audit גࣜձࣾϝϧΧϦ SET(Software Engineer in

    Test) @urahiroshi (Hiroshi Urayama)

  2. Node Security Platform • https://nodesecurity.io • npmύοέʔδͷ੬ऑੑ৘ใΛใࠂɺऔಘͰ͖Δϓ ϥοτϑΥʔϜ • ੬ऑੑΛใࠂ͢Δ


    => ύοέʔδͷϝϯςφʹ௨஌
 => मਖ਼ or 45೔ܦաͰެ։͞ΕΔ
 (https://nodesecurity.io/report)
  3. None

  4. nsp • https://github.com/nodesecurity/nsp • Node Security Platformͷ੬ऑੑ৘ใΛجʹɺΠϯετʔϧ͍ͯ͠ Δnpmύοέʔδͷ੬ऑੑΛݕ஌͢Δ͜ͱ͕Ͱ͖Δύοέʔδ • Node

    Security PlatformΛӡӦ͢Δ
 ^Lift Security ͕npm, Incʹങऩ͞ΕɺnpmίϚϯυʹύοέʔδ ͷ੬ऑੑݕ஌(npm audit)͕૊Έࠐ·ΕͨͷͰɺࠓޙੵۃతʹ࢖͏ ཧ༝͸ͳ͍ • GitHubϦϙδτϦ΋ΞʔΧΠϒԽ͞Ε͍ͯΔ

  5. `nsp check`

  6. npm audit • [email protected], [email protected]͔Β࢖͑ΔΑ͏ʹͳͬͨ • npm installͨ͠ࡍʹ΋ࣗಈతʹ࣮ߦ͞ΕɺαϚϦ͕දࣔ͞ΕΔʢҎԼʣ
 
 •

    [email protected]͔Βjsonग़ྗ(`npm audit —json`)΍੬ऑੑͷ͋Δύοέʔδͷࣗ ಈߋ৽(`npm audit fix`)ػೳ͕௥Ճ͞ΕɺΑΓ࢖͑ΔΑ͏ʹͳͬͨ • nspͷڍಈͱޓ׵ੑ͸ͳ͍ • Ұ෦ͷύοέʔδؚ͕·Ε͍ͯΔͱΤϥʔʹͳΔ৔߹͕͋Δ (nspͳΒେ ৎ෉ͳͷʹ…)
 https://github.com/npm/npm/issues/20604

  7. `npm audit`

  8. yarnͷ৔߹ • nsp΋npm audit΋yarn.lockʹ͸ඇରԠ
 - nsp: package.json͚ͩͰ੬ऑੑ৘ใදࣔ
 - npm audit:

    ΤϥʔʹͳΔ

  9. yarnͷ৔߹ 1. (nspͷ৔߹ͷΈ) [nsp-preprocessor-yarn](https://github.com/ hermanbanken/nsp-preprocessor-yarn) Λ࢖͏ • ੵۃతʹ࢖͏ཧ༝͸ͳ͍ 2. [synp](https://github.com/imsnif/synp)Ͱyarn.lockΛpackage-

    lock.json ʹม׵͢Δ 3. `yarn install` ͨ͠ޙʹ `npm shrinkwrap` ͢Δ 4. ͍ۙ͏ͪʹ `yarn audit` ͕Ͱ͖ͦ͏ʁ
 https://github.com/yarnpkg/yarn/issues/5808

  10. CIͰ࢖͏ • CircleCIͷScheduling JobΛ࢖ͬͯఆظతʹ࣮ߦ • िҰճ: ΞυόΠβϦҰཡΛSlackʹ௨஌ • ৄࡉ͸CircleCIͷ࣮ߦϩά͔ΒݟΔ(ҎԼྫ)
 


    
 
 • ຖ೔: ΞυόΠβϦҰཡʹมԽ͕͋Ε͹Slack௨஌ (લճͷ࣮ߦ ݁ՌΛCircleCIͷΩϟογϡʹอଘͯ͠ൺֱʹ࢖͏)

  11. ӡ༻ͯ͠Έͯ • ݕग़͞ΕΔ੬ऑੑͷ਺΋ߋ৽ස౓΋ଟ͍ͷͰɺӡ༻ίετ͸͚ͬ͜͏ େ͖͍ • ྫ: webpackͷ੬ऑੑݕࠪͯ͠Έͨ৔߹
 • ҎԼͷྲྀΕͰௐ͍ࠪͯ͠Δ
 1.

    ৄࡉ(େମHackerOneͷϦϯΫ͕͍͍ͭͯΔ)Λݟͯ੬ऑੑͷ಺ ༰ɺൃੜ৚݅Λ֬ೝ
 2. ϥΠϒϥϦͷ༻్ͱরΒ͠߹ΘͤͯϦεΫ͕͋Δ͔൑அ
 ʢϏϧυ༻్ͷϥΠϒϥϦͰ͋ͬͯ΋ඞͣ҆શͩͱ͸ݴ͑ͳ͍ɻ੬ ऑੑͷ಺༰࣍ୈʣ

  12. ӡ༻ͯ͠Έͯ • ύονग़ͯͳ͍ͷ͕݁ߏଟ͍ • “It is our recommendation to not

    install or use this module at this time.” • ͳ͔ͳ͔͙͢ʹରԠ͠೉͍ • npmʹ૊Έࠐ·Εͨ͜ͱͰɺ΋ͬͱରԠ͞Ε͍ͯ ͘ & ରԠ͞Εͳ͍ύοέʔδ͸ࣗવ౫ଡ͞Ε͍ͯ ͘Α͏ʹͳΔ͜ͱΛظ଴

  13. ͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ • ϝϧΧϦͰ͸SET (Software Engineer in Test) ͷϝϯόʔΛਵ࣌ืूதͰ͢