by ghiculescu 3387 days ago
In ruby land, there's a great gem - https://github.com/rubysec/bundler-audit - that lets you know when specific gem versions have a known security vulnerability.

We run it as part of our CI. When a vulnerability drops, it gets fixed pretty quickly since otherwise everyone's build fails.

Does anyone know of any equivalents for the JS world? A quick google finds https://github.com/nodesecurity/nsp but keen to hear what other people are doing.
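As an added example, not part of the thread and not the code of bundler-audit, nsp or Snyk, here is a small Node script that does the kind of CI check the post describes: read the resolved dependency versions out of a lockfile (including transitive ones), compare each against an advisory list, and report a non-zero exit code when a vulnerable version is present. The advisory entries, the range grammar (a simplified semver subset) and the lockfile are all constructed sample data, and the names in them are made up for illustration.

```javascript
// Added example of a lockfile-vs-advisory audit; sample data is constructed, not a real database.

// Constructed advisory entries. The field names are an assumption for this demo,
// not the record format of nsp, Snyk or rubysec/ruby-advisory-db.
const ADVISORIES = [
  { id: "ADV-0001", package: "query-parser", vulnerableVersions: "<1.0.0",
    patchedIn: ">=1.0.0", title: "prototype pollution in nested key parsing" },
  { id: "ADV-0002", package: "template-engine", vulnerableVersions: ">=3.0.0 <3.0.5",
    patchedIn: ">=3.0.5", title: "output escaping bypass" },
  { id: "ADV-0003", package: "web-framework", vulnerableVersions: "<2.0.0 || >=2.5.0 <2.5.2",
    patchedIn: ">=2.5.2", title: "open redirect in default router" },
];

// Constructed lockfile in a package-lock v1-like shape: name -> { version, dependencies }.
// query-parser appears twice: a patched top-level copy and an old copy nested under web-framework.
const SAMPLE_LOCK = {
  dependencies: {
    "web-framework": { version: "2.4.1", dependencies: { "query-parser": { version: "0.9.3" } } },
    "query-parser": { version: "1.1.0" },
    "template-engine": { version: "3.0.2" },
  },
};

// Parse "major.minor.patch" (optional leading "v"; prerelease/build tags are dropped,
// which is a simplification of real semver ordering).
function parseVersion(v) {
  const core = String(v).replace(/^v/, "").split("-")[0].split("+")[0];
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

const OPS = {
  "<": (c) => c < 0, "<=": (c) => c <= 0, ">": (c) => c > 0, ">=": (c) => c >= 0, "=": (c) => c === 0,
};

// Range grammar: comparator sets joined by "||" (any may match); within a set,
// whitespace-separated comparators must all hold, e.g. ">=3.0.0 <3.0.5".
function satisfies(version, range) {
  return range.split("||").some((set) => {
    const comparators = set.trim().split(/\s+/).filter(Boolean);
    return comparators.every((cmp) => {
      const m = /^(<=|>=|<|>|=)?\s*(\S+)$/.exec(cmp);
      if (!m) throw new Error(`bad comparator: ${cmp}`);
      return OPS[m[1] || "="](compareVersions(version, m[2]));
    });
  });
}

// Flatten the lock tree into name -> [versions], walking nested dependencies so that
// an old transitive copy is not missed (the thread notes nsp only looked at direct deps).
function resolvedFromLock(lock) {
  const out = {};
  const walk = (deps) => {
    for (const [name, info] of Object.entries(deps || {})) {
      (out[name] = out[name] || []).push(info.version);
      walk(info.dependencies);
    }
  };
  walk(lock.dependencies);
  return out;
}

// Match every installed version of every package against the advisory list.
function audit(resolved, advisories = ADVISORIES) {
  const findings = [];
  for (const adv of advisories) {
    for (const installed of resolved[adv.package] || []) {
      if (satisfies(installed, adv.vulnerableVersions)) {
        findings.push({ id: adv.id, package: adv.package, installed, patchedIn: adv.patchedIn, title: adv.title });
      }
    }
  }
  return findings;
}

// Produce the report plus the exit code a CI step would use to fail the build.
function runAudit(lock, advisories = ADVISORIES) {
  const findings = audit(resolvedFromLock(lock), advisories);
  const lines = findings.map(
    (f) => `${f.id}: ${f.package}@${f.installed} is vulnerable (${f.title}); fixed in ${f.patchedIn}`
  );
  if (findings.length === 0) lines.push("No known vulnerabilities found");
  return { findings, lines, exitCode: findings.length ? 1 : 0 };
}

const report = runAudit(SAMPLE_LOCK);
console.log(report.lines.join("\n"));
// In a real CI step you would end with process.exit(report.exitCode) so the build fails on findings.
```

Run against the constructed lockfile it reports two findings: the nested query-parser 0.9.3 (the top-level 1.1.0 is clean) and template-engine 3.0.2; web-framework 2.4.1 falls outside both of its vulnerable ranges. The usefulness of a check like this is entirely bounded by how current the advisory list is, which is the same concern several replies below raise about the hosted services.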

10 comments

Snyk, the site hosting this article, provides such a service: https://snyk.io/
Sure, there's retire.js at https://retirejs.github.io/retire.js/
What do you use for CI?

And yes, that is a great question. I would love to know. I guess, however, the follow-up question is how current the audit package is kept. It seems like this is the sort of thing that would need -constant- update in order to be useful. However, as is often the case, please do correct me if I am wrong.

Edit: one of the folks from Snyk responded to me below: https://snyk.io/ This seems to be what they do. No endorsement, but this certainly seems interesting.

I haven't researched the JS options in this space yet either, but if anyone reading is looking for something like this for PHP, there is Roave Security Advisories — https://github.com/Roave/SecurityAdvisories

Add it to your composer.json and it will simply conflict with all lib versions with known vulnerabilities.

The data source used (https://github.com/FriendsOfPHP/security-advisories) has an excellent history of keeping up-to-date.

Disclosure: I'm the founder of Roave.

We're currently using nsp - it checks advisories on nodesecurity.io against our _direct_ dependencies & devDependencies.

For my private projects I use both nsp and bithound. Bithound apparently uses snyk, which checks both direct _and_ indirect dependencies.

Both nsp and snyk use central repos of vulnerabilities - and both are backed by a business with a vested interest to keep these up to date (^Lift and Snyk respectively).

Don't get the hassle about upgrading to latest versions though. It's super easy to automate (ncu --upgrade && npm i && npm test).

I built a Haskell program that checks the RSS feed that you can download from Snyk against a package.json file of an NPM project. I do not have some of my projects on github and never will have. I am especially allergic to providing anybody access to my private repos if I do not have to, so... https://github.com/phuhl/SnykVulnChecker
Rubysec is awesome but outdated, lacks many of the vulnerabilities in https://Snyk.io/

Also, Snyk covers JS issues, both Node and client side.

>Rubysec is awesome but outdated, lacks many of the vulnerabilities in https://Snyk.io/

I'm one of the Rubysec maintainers.

If you're reading this and you know about vulns not present in the advisory-db, please submit a PR to the github repo, or use the crappy form we put together: https://rubysec.com/advisories/new

I too run a vulnerability notification service, and it's frustrating when other people use public data but don't contribute back.

Thank you for maintaining such a great service! You should promote your service as part of it.
It sounds like these Snyk folks have a CLI that can check your node modules against their database. I haven't tried it though, so all I have to go on is their feature page.
There is also a way to test on the website, if your project is hosted.
Nice. Is there an equivalent for Python? A quick Google search doesn't seem to pull up anything obvious.
See https://requires.io/ for this as a service with source-control integration.
I'd recommend safety for Python.

https://github.com/pyupio/safety