Ask HN: How do you (security) audit external software using NPM packages?
|
5 points by BjornW 1 hour ago | 1 comment
|
|
Hi,
At my current client I've been doing more and more security-related tasks, such as audits on external software. Currently the type of software I audit is WordPress plugins. I have more than 15 years of experience with WordPress, and in the past I could fairly easily assess a WordPress plugin's potential security impact(s). Nowadays not so much, due to the seemingly increased usage of npm packages included with these plugins.
Often these plugins do not include a package.json or package-lock.json, nor are the JavaScript files readable (bundled & minified). This makes using npm audit nearly impossible. Good for production, less so for audits.
Sometimes I can grab development files such as package.json, package-lock.json from a public repo, but in the case of so-called 'premium' plugins a public repo is usually absent.
So my question is: How do you (security) audit external software depending on npm packages?
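One practical starting point for the situation described in the post, added here as an example and not part of the original post or of any plugin's code: minifiers keep `/*!` banners and `@license` comments, and webpack/terser often hoist them into a `<bundle>.LICENSE.txt` file beside the bundle, so a bundle that ships no package.json still frequently carries "Name vX.Y.Z" strings. The script below scans those banners, recovers library name/version pairs, and writes a synthetic package.json that `npm audit` can consume. The sample bundle contents are constructed for this example (they are not real plugin files), and the banner regex is an assumption about common banner formats, not a complete grammar.

```python
import json
import re
from typing import Dict, List

# Constructed sample: the leading bytes of two minified bundles plus the
# .LICENSE.txt file a webpack/terser build writes beside a bundle when it
# hoists "/*!" comments out of it. Made up for this example, not real files.
SAMPLE_FILES: Dict[str, str] = {
    "assets/js/vendor.min.js": (
        "/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */\n"
        '!function(e,t){"use strict"}();\n'
        "/**\n * @license React v17.0.2\n * react.production.min.js\n */\n"
        "!function(){}();\n"
    ),
    "assets/js/app.min.js": (
        "/*! For license information please see app.min.js.LICENSE.txt */\n"
        "(()=>{})();\n"
    ),
    "assets/js/app.min.js.LICENSE.txt": (
        "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */\n"
        "/**\n * @license\n * Lodash <https://lodash.com/>\n */\n"
    ),
}

BLOCK_COMMENT_RE = re.compile(r"/\*[\s\S]*?\*/")
# "Name v1.2.3" or "Name 1.2.3" inside a banner; optional prerelease suffix.
# Assumed format: it catches the common banner styles, not every library.
NAME_VERSION_RE = re.compile(
    r"\b([A-Za-z][A-Za-z0-9_.-]*)\s+v?(\d+\.\d+\.\d+(?:-[0-9A-Za-z.]+)?)\b"
)


def banner_comments(text: str) -> List[str]:
    """Return only the block comments a minifier preserves: '/*!' and @license."""
    return [
        c for c in BLOCK_COMMENT_RE.findall(text)
        if c.startswith("/*!") or "@license" in c
    ]


def extract_versions(text: str) -> Dict[str, str]:
    """Map lowercase library name -> version for every banner in one file."""
    found: Dict[str, str] = {}
    for comment in banner_comments(text):
        for name, version in NAME_VERSION_RE.findall(comment):
            found.setdefault(name.lower(), version)
    return found


def _version_key(version: str):
    """Sort key so that 3.4.1 sorts before 3.10.0 (numeric, not lexical)."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def recover_dependencies(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Aggregate name -> sorted list of distinct versions seen across all files."""
    versions: Dict[str, set] = {}
    for text in files.values():
        for name, version in extract_versions(text).items():
            versions.setdefault(name, set()).add(version)
    return {
        name: sorted(seen, key=_version_key)
        for name, seen in sorted(versions.items())
    }


def to_package_json(deps: Dict[str, List[str]]) -> str:
    """Emit a package.json pinning the oldest version seen of each library, so
    `npm install --package-lock-only --ignore-scripts && npm audit` reports the
    worst case; all versions seen are kept under a custom key for the report."""
    manifest = {
        "name": "recovered-bundle-audit",
        "private": True,
        "dependencies": {name: seen[0] for name, seen in deps.items()},
        "x-recovered-versions": deps,
    }
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    print(to_package_json(recover_dependencies(SAMPLE_FILES)))
```

Write the output to an empty directory as package.json, then run `npm install --package-lock-only --ignore-scripts` followed by `npm audit`; the lockfile is built from the registry without executing any install scripts from the recovered packages. Two caveats a reviewer should carry into the report: a banner proves only that code from that library was bundled at that version, not which code paths survived tree shaking, and a banner name is not always the npm package name (the Lodash banner above carries no version at all, and "Underscore.js" would need mapping to `underscore`), so the recovered list is a lead for manual fingerprinting, not a substitute for a lockfile.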
from Hacker News https://ift.tt/3EFL9SX