Snyk helps you find, fix and monitor for known vulnerabilities in Node.js npm packages, both ad hoc and as part of your CI (Build) system.
snyk [options] [command] [package]
The package argument is optional. If no package is given, Snyk will run the command against the current working directory allowing you test you non-public applications.
Run snyk --help
to get a quick overview of all commands.
To continuously avoid known vulnerabilities in your dependencies, integrate Snyk into your continuous integration (CI, a.k.a. build) system. Here are the steps required to to so:
- Install the Snyk utility using
npm install -g snyk
. - Run
snyk wizard
in the directory of your project following the prompts which will also generate a.snyk
policy file. - Ensure the
.snyk
file you generated was added to your source control (git add .snyk
). - If you selected to, Snyk will include
snyk test
as part of yournpm test
command, so if there are new vulnerabilities in the future, your CI will fail protecting you from introducing vulnerabilities to production.
Once you’re vulnerability free, you can put a badge on your README showing your package has no known security holes. This will show your users you care about security, and tell them that they should care too.
If there are no vulnerabilities, this is indicated by a green badge.
If vulnerabilities have been found, the red badge will show the number of vulnerabilities.
Get the badge by copying the relevant snippet below and replacing "name" with the name of your package.
HTML:
<img src="https://snyk.io/package/npm/name/badge.svg" alt="Known Vulnerabilities" data-canonical-src="https://snyk.io/package/npm/name style="max-width:100%;">
Markdown:
[![Known Vulnerabilities](https://snyk.io/package/npm/name/badge.svg)](https://snyk.io/package/npm/name)
If using this package from the repo directly, you'll need to first build the custom lodash by running:
npm run build
This will create a dist
directory with the minimal lodash file.
When using the package via npm, the build is not needed as the dist
directory is already included in the npm package.
We monitor existing node.js security portals and tools, such as Node Security Project, the nodejs-sec Google Group, or Retire.js. We also monitor Github activity and other online sources for new vulnerabilities.