Context
I have created and shared a Github project to help developers quickly deploy a Vuejs application using docker taking advantage of containerization capabilities offered by the Docker engine.
Once cloned, the project includes a folder app
that has the minimal npm dependencies necessary for a Vuejs application. Thanks to GitHub code scanning enabled with Dependabot, it has identified high-priority, exploitable security issues in your code.
GitHub security advisory
When a security vulnerability is discovered in your project’s source code, GitHub sends an immediate notification to your email address with a comprehensive overview.
Identification of vulnerable packages
All alerts were raised because of vulnerable npm development dependencies:
Fixing the vulnerabilities
Cloning the project locally
git clone https://github.com/ciphersweet/vue-docky.git
cd vue-docky/app/
Even though GitHub scans our source code, it is wiser not to be fooled by appearances. There is an npm command that looks for vulnerabilities in used npm packages that are currently being used.
Let’s find out by running this command:
npm audit
While revising the audit report, I identified 64 vulnerabilities comming from dependencies. The key here is getting to the root package and fixing it.
Vulnerable packages
"dependencies": {
"core-js": "^3.6.5",
"vue": "^3.0.0"
},
"devDependencies": {
"@vue/cli-plugin-babel": "~4.5.0",
"@vue/cli-plugin-eslint": "~4.5.0",
"@vue/cli-service": "~4.5.0",
Fixed by updating them
"dependencies": {
"core-js": "^3.27.1",
"vue": "^3.2.45"
},
"devDependencies": {
"@vue/cli-plugin-babel": "^5.0.8",
"@vue/cli-plugin-eslint": "^5.0.8",
"@vue/cli-service": "^5.0.8",
Let's find out
Conclusion
To maintain the security of a project, it is essential to continuously review and update the source code, using safe coding practices and keeping up to date with the latest security standards and vulnerabilities.