5 Ways to Get Node.js Vulnerability Alerts

Guy Podjarny's avatar Guy Podjarny

Here at Snyk, we maintain a database of known vulnerabilities in Node.js and front-end npm packages, called Vulnerability DB (also on GitHub). For each vulnerability, it includes a description of the vulnerability, additional references, and most importantly, how to remediate it. The remediations offered are typically either to upgrade to a new version of the package, or - for cases when you cannot or will not upgrade - to apply a patch created by the Snyk security team.

The best way to make sure your project (including all of its dependencies) is constantly monitored for new security risks is have Snyk monitor your specific dependencies for relevant new vulnerabilities. You can do so once using snyk wizard or track your dependencies continuously by adding snyk monitor to your deployment process. This way you’ll get a Snyk alert only for issues in the dependencies your specific project uses.

However, if you also want to get notified about all the new vulns we add to our DB, here are a few IFTTT recipes you’ll find useful. They’re all based on the Vulnerability DB RSS feed, so feel free to make your own recipes!

Slack messages

Vulnerability alerts via Slack

Email messages

Vulnerability alerts via Email

Twitter direct messages

Vulnerability alerts via RSS

Trello cards

Vulnerability alerts via Trello

Text messages

Fixing SQL Injection: ORM is not enough

June 08, 2016

Using a programmable SQL interface such as an ORM (Object Relational Mapping) is a good way to reduce risk of SQL Injection, which is a very bad vulnerability to have. However, ORM packages are not bullet proof. This post explains why you shouldn't put all your SQL Injection protection eggs in the ORM basket, and what more can you do.

Fixing `marked` XSS vulnerability

May 16, 2016

A recently published vulnerability in the npm `marked` package shows how attackers can use the flexibility of the Markdown format to introduce Cross-Site Scripting vulnerabilities. This post explains the issue and the fix, and discusses the difficulty of sanitizing complex user input.

Subscribe to The Secure Developer Podcast

A podcast about security for developers, covering tools and best practices.

Find out more

Interested in web security?

Subscribe to our newsletter:

Get realtime updates and fixes for JavaScript, Ruby and Java vulnerabilities that affect your applications