From YouTube: Josh Emerson - Node.js Live London
Description
In this Node.js Live presentation, Josh looks at how to mitigate risks when it comes to npm packages.
Well, the reason is because, as most of you apparently use npm every day, you know how valuable it is, and we've had loads of stats about npm already, so I feel like we've had stats overload, but I like this one: 1 billion downloads per week. I mean, that's you, sir. That's a lot of you. So you know it's one thing to have a lot of packages, but how often are they being used here? We've got a very active community. And do you know which dependencies you have? Well,
I hope that most of you who are using npm know which dependencies you have; if you don't, just look in your package.json. But I think it was mentioned earlier: it's not just the packages that you're directly pulling in. This is Express, by the way, and it just shows the graph of what is being depended upon, and, as you can see, there's a whole bunch of dependencies that its dependencies rely on. I like to call them sub-dependencies. I don't know what the actual proper term is.
Better? Sub-dependency seems clear. And there's forty-two nodes there, and I like to also look at all the faces. Those are the people who've worked on stuff. I have a laser; I should use it. There we go, maintainers there. So you can see that there's a lot of different people contributing to the code base. So, as I said, npm is awesome, but every dependency is a potential security risk.
You don't necessarily know whether there is a vulnerability in there. How much security expertise has the author of that package had, and did they go through any security testing? We talked a lot about unit tests and integration tests, but we probably don't talk as much as we should about security tests. And are there any known vulnerabilities? Now, maybe some of you will look at the issues tab when you're choosing a new dependency and try and get a good idea of the health of this dependency.
But how many times do you revisit and go back to dependencies you maybe pulled in six months ago and see if anything's come up? So then, interestingly, fourteen percent of dependencies do carry known vulnerabilities, and of our users, seventy-six percent of them have found vulnerabilities in their apps. So this is a very real problem.
So there's two questions that you might be asking: how do I protect myself, and can I learn from these vulnerabilities? So I'm going to do a bit of live coding now to be a hacker, basically. So I've got this app here called goof, and it's a super vulnerable to-do list application. This is obviously a bit of a straw man; this is not a real-life example, but the packages that you'll see that it pulls in are commonly used packages that you might well have in your code bases.
So here's goof and, as you can see, it's a pretty standard to-do list application. You can do things like "buy milk"; it's kind of a hello world of single-page apps. And if I have a look here, this is Snyk. I can test my GitHub repositories, so I've already logged in with GitHub, and if I go down here to goof, you can see that it's already found out.
Here we go. Isaac's, yeah. And anyway, so if I have a look here in the command line. So, well, first of all, if I go to the about page, so this is a static page that's been served off about.html. What do you think is going to happen, then, if I go to dot dot slash? This is what hackers do, by the way: they go to dot dot slash. What's going to happen? Hands up, anyone.
See the files? Luckily for us, we just go back to the homepage. That's cool! Actually, this wasn't a fair test, because Chrome is clever enough to do directory traversal before it makes the request. So all it's going to do is make the request to the homepage. That's why we have to go into our terminal here. So I've got one I prepared earlier; I'm just going to curl. So, first of all, there's the about page, pretty cool. We got the HTML, that's what we expected. So again, dot dot slash, and we got the homepage.
That's fun! That's what we hoped would happen. It's exactly the same! But if we have a look here at the vulnerability in more detail, you can see here there's something about %2e. Now %2e is the same as a dot, but it's URL encoded. So we're going to do the same thing again now, but replace dot dot slash with %2e. Now, what's going to happen? Any guesses? All right, we got to the code base, so now we're actually looking at the code, which we weren't actually intending to expose. Cool.
So you can see how this might not be something that you want on production servers. Luckily, on Mac I have been told that there's nothing too vulnerable inside of /etc/passwd. But what have you got on your server? Maybe, I don't know, an AWS access token, or you don't know what's lying around, but you probably don't want people to be able to know that much about what's running on your server. So that's st. And now, let's have a look at marked. Who here uses marked? It's a markdown parser. Not that many.
This is what sanitize is doing: it's finding something that looks like it's not meant to be there and it's not allowing us to do it. So that worked. Now, we're not going to use URL encoding, but we're going to use HTTP entities, which are very similar; they're just another way to encode strings. So this is the equivalent to javascript:alert(1). What's going to happen now that I've encoded it?
It even caught it that time. Interestingly, deposit is something slightly different. There was that, road corner brackets, on the last one, but it's catching it, when not vulnerable. And this is interesting, so I did it. This is what I just did; this was the previous one. Now I'm going to put the word "this" in here now. This is not a valid HTTP entity, but the browser is generous.
It wants to understand what you wanted it to do, and so it's going to sort of coerce this into an HTML entity. It's like, "okay, you forgot the semicolon, we'll forgive you." So we've got a link, and when I click it we get an alert. So, I mean, that's all well and good. It's just an alert, but JavaScript has access to your cookies. It has access to pretty much anything that the user has access to. So it's very easy to impersonate a user, take over their session; now you're in as them.
What do you want to do? Maybe, I don't know, put them on the premium tier of the billing plan. I don't know, maybe change their email address to your email address. I don't know what you want to do. So yeah, that's a problem. And the final thing that I'm going to show you today is one that I think a few more of you might have used. Oh, and by the way, I forgot to show you, with this marked one: there is no new version of marked available yet that fixes that bug.
But the key thing is you can see what the patch is actually going to do to your code. It's just a diff of lines that are going to be changed, and we try and do the least that we can do to cover up that vulnerability. But yeah, going back to Mongoose: so Mongoose is for accessing MongoDB. Who here has used Mongoose? Right, I'd say probably more than half of you have used this library. And so yeah, there's a potential vulnerability here, and I'm going to go and have a look in a bit more detail here.
So the issue here actually relates to something quite low level. Inside of Node there's a Buffer, and a Buffer's good for sending binary data. You can initialize it in one of two ways: you can either initialize it with a number or a string. If you initialize it with a number, what you're saying is, "I want uninitialized memory, please, and give me a length of memory," like "I need a hundred bytes." If you initialize it with a string, you say, "give me a buffer and set the value to this thing."
Cool. Or, yes, so I'm using HTTP because it's a little cleaner to read, but I'm going to buy some beer, because I haven't had enough free beer at this event today. So let's send that up, and if I refresh the page, we just added something via the terminal. Cool. So we're not just stuck with doing content= as sort of HTTP entities here. Sorry, HTTP encoding, form encoding. That's what I'm trying to say. We can also send JSON, because we're running a Node server and we've enabled that feature, as I'm sure.
But in the case of brevity, I'm not going to show you how to actually sort of convert this, but you could get, again, keys, user information, anything that's in memory. So whatever your server was just accessing and didn't reset the memory on. The reason why the buffer is able to be accessed in such a way, because it is a big vulnerability, is speed. Like, if you don't have to zero out all of that memory, it's quicker, but this is not how you were meant to use it.
So yeah, I mean, that's something to be aware of.
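An added example, not from the talk or from Mongoose, showing the defender's side of the Buffer point above in Node.js: a coercion helper that refuses to treat a number as a length, and a sized allocator that uses Buffer.alloc, which zero-fills. The request bodies are constructed, and the function names are assumptions.

```javascript
// Added example (not code from the talk): safe Buffer coercion for a field
// that is populated from request JSON, as in the talk's to-do app.
// Assumes Node.js with Buffer.alloc / Buffer.from / Buffer.isBuffer.

// The unsafe pattern the talk describes: the client's value goes straight
// into the Buffer constructor. A string becomes its bytes, but a number
// becomes a request for that many bytes of uninitialized memory, which
// Buffer.allocUnsafe models here (old new Buffer(n) behaved the same way).
function naiveToBuffer(value) {
  return typeof value === 'number'
    ? Buffer.allocUnsafe(value)              // leaks whatever was in memory
    : Buffer.from(String(value), 'utf8');
}

// Hardened coercion: only accept values that carry actual bytes. A number
// is rejected rather than treated as a length, so a body such as
// {"content": 1000} cannot turn into a dump of process memory.
function safeToBuffer(value) {
  if (Buffer.isBuffer(value)) return Buffer.from(value);          // copy, never alias
  if (typeof value === 'string') return Buffer.from(value, 'utf8');
  if (Array.isArray(value) &&
      value.every(b => Number.isInteger(b) && b >= 0 && b <= 255)) {
    return Buffer.from(value);                                   // explicit byte list
  }
  throw new TypeError(`refusing to build a Buffer from ${typeof value}`);
}

// When a sized, empty buffer is genuinely needed, ask for it zero-filled.
// Buffer.alloc pays the memset the talk mentions, but never leaks memory.
function sizedBuffer(n) {
  if (!Number.isInteger(n) || n < 0 || n > 1024 * 1024) {
    throw new RangeError('buffer size must be a non-negative integer up to 1 MiB');
  }
  return Buffer.alloc(n);
}

// Request handler for a constructed to-do body (hypothetical name).
function handleTodoBody(body) {
  const content = safeToBuffer(body.content);
  return { stored: content.toString('utf8'), bytes: content.length };
}

// Constructed sample bodies: a normal todo and an attacker-shaped one.
console.log(handleTodoBody({ content: 'buy milk' }));   // { stored: 'buy milk', bytes: 8 }
try { handleTodoBody({ content: 1000 }); } catch (e) { console.log('rejected:', e.message); }
console.log(naiveToBuffer(8).length, sizedBuffer(8).every(b => b === 0)); // 8 true
```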
So the last thing I'm going to show you, like any good citizen, is how to fix all of these things if you're using Snyk. And this is a big plug, by the way, so I apologize, but I'm going to do it anyway. You can click the "fix vulnerabilities" button, so, yeah, it's easy. And what happens? It takes a little while, but it's going to create a pull request on GitHub, because I've already given it permission. Now we've got our pull request here.
I can have a look at what the change includes. It's updated all of the Express modules to the latest, all the modules that had vulnerabilities, to the later version that fixes the issue, and where it couldn't actually fix the issue, it's going to patch it. And the way that that actually works, which was something that Ashley mentioned earlier, is through a pre-publish script that it adds in there.
Please do not use the information I just showed you to hack people's websites. This was given in good faith, and I'm hoping that you're better than that. It's actually illegal to do that. You can hack your own websites. But how do you protect yourself? And what can you learn? Well, there are some things that you can do to protect yourself. You can address known vulnerabilities by finding them, fixing them, either by upgrading, where there's a newer version available, or patching them,
if there's no upgrade available. Then you need to prevent adding new dependencies that suffer from vulnerabilities over time, because code bases change, but also respond quickly to vulnerabilities that are found, because a vulnerability can be found at any point in time. And what can you learn? Well, the things that we learned today, and this is obviously not an exhaustive list, but you should consider encodings.