Mitigating security risks with NodeJS
What is the best way to manage node JS security issues?
Published: Wednesday, Oct 13, 2021 Last modified: Wednesday, Mar 29, 2023
I’m new to supporting a complex production nodejs project.
My gut feeling was to employ package management tools like:
- npm audit
- npx depcheck
- npx npm-check-updates
However npm audit oftens flags high issues, which are largely the problem of the underlying dependencies. The risks are really hard to gauge. Most of the time they feel like false alerts.
So now what?
Ensure every package is updated to keep a better security posture? That’s an endless treadmill.
There are plenty of tools, though I am missing a good conservative philosophy.