Ask HN: How do you keep track of node packages/ruby gems security issues?

71 points by meop ↗ HN
For some reason vulnerabilities in node packages and ruby gems are not commonly assigned CVE IDs (pip packagea, for example, get CVEs and it's easy to follow).

How do you guys keep your packages secure? I am aware of the commercial services that solve this issue (snyk, nodesecurity) but I am looking for a free solution

24 comments

[ 2.6 ms ] story [ 57.2 ms ] thread
OP specifically mentions this as something he already knows about. Not a very useful suggestion.
OP ruled it out because it's not free, but private projects are free for low-volume testing.
For gems I use `bundler-audit`, see: https://github.com/rubysec/bundler-audit

It checks for vulnerable versions of gems in `Gemfile.lock`, checks for insecure gem sources, allows ignoring certain advisories that have been manually worked around, prints advisory information and does not require a network connection.

One of my workmates open-sourced this: https://github.com/livingsocial/bundler-patch

...which is mostly what we used internally for working with bundler-audit. We ran this scan in CI, on deploy, and also on a cron for apps that might not have deployed in a while. Internally this created PRs automatically, and PRs triggered CI, so eg when a nokogiri CVE was announced (which affects a lot of projects), all apps would have tested PRs ready to merge.

That piece wasn't open-sourced I think...it's fairly trivial but I'll see if I can get it released. We also did scans on clojure projects, again I'm not sure that's made it out into the world, I'll look into it.

$ rm -rf node_modules $WHEREVER_GEMS_ARE_INSTALLED
Sqreen.io does this for ruby gems as part of its offering.
For ruby gems: https://www.deppbot.com

Deppbot periodically runs bundle update and creates a pull request for you to review. They also track security releases and generate a pull request.

The description in the PR links to the gem changelogs, which makes it easy to investigate and evaluate pending changes.

I would love to see a node version of this service.

(comment deleted)
Not sure about node but for Rails, Hakiri has been pretty useful -

https://hakiri.io/

It's set up as a github webhook to run as part of your build, and it usually flags vulnerabilities in recent gems or Rails versions.

Hmmm, anything equivalent for Go?

Vendoring in Go is nice and all, but it doesn't really touch on alerting for when vendored (etc) packages announce security problems needing an upgrade.

To me, this seems like an actual problem the Go ecosystem could benefit from addressing well. :)

Hi, I've recently started a new project called Octotrack (http://octotrack.tiagoalves.me) with two main goals:

1) Manage dependencies (right now only gems) showing security issues (CVEs), gem version comparisons, release notes, etc; 2) Daily newsletter to find the best repositories on Github (starred repos from the people you follow, daily trending repos and new releases of repos you've starred);

It is still a very early project so it would be great to get your feedback.

Thank you