Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Node Security Platform, nsp, npm audit @roppong...
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
urahiroshi
May 29, 2018
Programming
1k
1
Share
Node Security Platform, nsp, npm audit @roppongi.js#3
Roppongi.js#3 の資料です
urahiroshi
May 29, 2018
More Decks by urahiroshi
See All by urahiroshi
組織拡大でカルチャー崩壊を防ぐためにできること
urahiroshi
0
570
プロダクトのスケールによって顕在化しうるリスクをどう管理するか?
urahiroshi
9
6.8k
Mercari_Frontend_CircleCI.pdf
urahiroshi
2
2.7k
SET活動のすすめ.pdf
urahiroshi
1
1.6k
Other Decks in Programming
See All in Programming
jQueryをバージョンアップする前に使いたいjQuery Migrate
matsuo_atsushi
0
190
「エンジニアインターン、どうやって取った?」準備のリアルを語るLT会 Progate BAR
akiomatic
0
120
ローカルLLMを使ってB2Bサービスを作っていての学び
yaotti
0
140
ADKを使って簡単にAIエージェントを作ってみよう
k1mu21
0
220
CSC307 Lecture 17
javiergs
PRO
0
310
エージェンティックRAGにAWSで入門しよう!
har1101
7
1.1k
oxlintはeslint/typescript-eslintを置き換えられるのか
shomafujita
2
320
TSKaigi Night Talks 2026_TypeScriptでサプライチェーンの整合性を型に閉じ込める
geekplus_tech
0
300
The Arts and Crafts of Work in the AI Era — Toward Mastery in Software Development
kuranuki
1
720
net-httpのHTTP/2対応について
naruse
0
440
気づいたらRubyで100作品 ー クリエイティブコーディングが生活の一部になるまで / 100 Ruby Sketches Later: How Creative Coding Became Part of My Life
chobishiba
3
540
開発体験を左右するライブラリの API 設計 - GraphQL スキーマ構築ライブラリから考える #tskaigi
izumin5210
2
1.6k
Featured
See All Featured
Embracing the Ebb and Flow
colly
88
5.1k
It's Worth the Effort
3n
188
29k
The Cost Of JavaScript in 2023
addyosmani
55
10k
The innovator’s Mindset - Leading Through an Era of Exponential Change - McGill University 2025
jdejongh
PRO
1
190
Lessons Learnt from Crawling 1000+ Websites
charlesmeaden
PRO
1
1.3k
Leading Effective Engineering Teams in the AI Era
addyosmani
9
2k
Fireside Chat
paigeccino
42
3.9k
Sam Torres - BigQuery for SEOs
techseoconnect
PRO
0
280
Avoiding the “Bad Training, Faster” Trap in the Age of AI
tmiket
0
170
A brief & incomplete history of UX Design for the World Wide Web: 1989–2019
jct
2
390
Ecommerce SEO: The Keys for Success Now & Beyond - #SERPConf2024
aleyda
1
2k
Abbi's Birthday
coloredviolet
2
7.9k
Transcript
Node Security Platform, nsp, npm audit גࣜձࣾϝϧΧϦ SET(Software Engineer in
Test) @urahiroshi (Hiroshi Urayama)
Node Security Platform • https://nodesecurity.io • npmύοέʔδͷ੬ऑੑใΛใࠂɺऔಘͰ͖Δϓ ϥοτϑΥʔϜ • ੬ऑੑΛใࠂ͢Δ
=> ύοέʔδͷϝϯςφʹ௨ => मਖ਼ or 45ܦաͰެ։͞ΕΔ (https://nodesecurity.io/report)
None
nsp • https://github.com/nodesecurity/nsp • Node Security Platformͷ੬ऑੑใΛجʹɺΠϯετʔϧ͍ͯ͠ Δnpmύοέʔδͷ੬ऑੑΛݕ͢Δ͜ͱ͕Ͱ͖Δύοέʔδ • Node
Security PlatformΛӡӦ͢Δ ^Lift Security ͕npm, Incʹങऩ͞ΕɺnpmίϚϯυʹύοέʔδ ͷ੬ऑੑݕ(npm audit)͕Έࠐ·ΕͨͷͰɺࠓޙੵۃతʹ͏ ཧ༝ͳ͍ • GitHubϦϙδτϦΞʔΧΠϒԽ͞Ε͍ͯΔ
`nsp check`
npm audit •
[email protected]
,
[email protected]
͔Β͑ΔΑ͏ʹͳͬͨ • npm installͨ͠ࡍʹࣗಈతʹ࣮ߦ͞ΕɺαϚϦ͕දࣔ͞ΕΔʢҎԼʣ •
[email protected]
͔Βjsonग़ྗ(`npm audit —json`)੬ऑੑͷ͋Δύοέʔδͷࣗ ಈߋ৽(`npm audit fix`)ػೳ͕Ճ͞ΕɺΑΓ͑ΔΑ͏ʹͳͬͨ • nspͷڍಈͱޓੑͳ͍ • Ұ෦ͷύοέʔδؚ͕·Ε͍ͯΔͱΤϥʔʹͳΔ߹͕͋Δ (nspͳΒେ ৎͳͷʹ…) https://github.com/npm/npm/issues/20604
`npm audit`
yarnͷ߹ • nspnpm audityarn.lockʹඇରԠ - nsp: package.json͚ͩͰ੬ऑੑใදࣔ - npm audit:
ΤϥʔʹͳΔ
yarnͷ߹ 1. (nspͷ߹ͷΈ) [nsp-preprocessor-yarn](https://github.com/ hermanbanken/nsp-preprocessor-yarn) Λ͏ • ੵۃతʹ͏ཧ༝ͳ͍ 2. [synp](https://github.com/imsnif/synp)Ͱyarn.lockΛpackage-
lock.json ʹม͢Δ 3. `yarn install` ͨ͠ޙʹ `npm shrinkwrap` ͢Δ 4. ͍ۙ͏ͪʹ `yarn audit` ͕Ͱ͖ͦ͏ʁ https://github.com/yarnpkg/yarn/issues/5808
CIͰ͏ • CircleCIͷScheduling JobΛͬͯఆظతʹ࣮ߦ • िҰճ: ΞυόΠβϦҰཡΛSlackʹ௨ • ৄࡉCircleCIͷ࣮ߦϩά͔ΒݟΔ(ҎԼྫ)
• ຖ: ΞυόΠβϦҰཡʹมԽ͕͋ΕSlack௨ (લճͷ࣮ߦ ݁ՌΛCircleCIͷΩϟογϡʹอଘͯ͠ൺֱʹ͏)
ӡ༻ͯ͠Έͯ • ݕग़͞ΕΔ੬ऑੑͷߋ৽සଟ͍ͷͰɺӡ༻ίετ͚ͬ͜͏ େ͖͍ • ྫ: webpackͷ੬ऑੑݕࠪͯ͠Έͨ߹ • ҎԼͷྲྀΕͰௐ͍ࠪͯ͠Δ 1.
ৄࡉ(େମHackerOneͷϦϯΫ͕͍͍ͭͯΔ)Λݟͯ੬ऑੑͷ ༰ɺൃੜ݅Λ֬ೝ 2. ϥΠϒϥϦͷ༻్ͱরΒ͠߹ΘͤͯϦεΫ͕͋Δ͔அ ʢϏϧυ༻్ͷϥΠϒϥϦͰ͋ͬͯඞͣ҆શͩͱݴ͑ͳ͍ɻ੬ ऑੑͷ༰࣍ୈʣ
ӡ༻ͯ͠Έͯ • ύονग़ͯͳ͍ͷ͕݁ߏଟ͍ • “It is our recommendation to not
install or use this module at this time.” • ͳ͔ͳ͔͙͢ʹରԠ͍͠ • npmʹΈࠐ·Εͨ͜ͱͰɺͬͱରԠ͞Ε͍ͯ ͘ & ରԠ͞Εͳ͍ύοέʔδࣗવ౫ଡ͞Ε͍ͯ ͘Α͏ʹͳΔ͜ͱΛظ
͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ • ϝϧΧϦͰSET (Software Engineer in Test) ͷϝϯόʔΛਵ࣌ืूதͰ͢
urahiroshi
matsuo_atsushi
akiomatic
yaotti
k1mu21
javiergs
har1101
shomafujita
geekplus_tech
kuranuki
naruse
chobishiba
izumin5210
colly
3n
addyosmani
jdejongh
charlesmeaden
paigeccino
techseoconnect
tmiket
jct
aleyda
coloredviolet
![npm audit • [email protected], [email protected]͔Β͑ΔΑ͏ʹͳͬͨ • npm installͨ͠ࡍʹࣗಈతʹ࣮ߦ͞ΕɺαϚϦ͕දࣔ͞ΕΔʢҎԼʣ •](https://files.speakerdeck.com/presentations/8fdf6c88394d4756ab2683803de9bfba/slide_5.jpg){kind=link}
 Λ͏ • ੵۃతʹ͏ཧ༝ͳ͍ 2. [synp](https://github.com/imsnif/synp)Ͱyarn.lockΛpackage-](https://files.speakerdeck.com/presentations/8fdf6c88394d4756ab2683803de9bfba/slide_8.jpg){kind=link}
