14 Secure dependencies

This chapter covers

  • Exploring how blindly trusting dependencies can lead to dangerous attacks
  • Detecting vulnerable npm packages used in a project
  • Discovering whether NuGet packages in a project are vulnerable
  • Automating testing for vulnerable packages

The JavaScript package ua-parser-js (www.npmjs.com/package/ua-parser-js), available via npm, enjoys quite a bit of popularity. The library provides functionality to detect the browser type the client is using, including information about the operating system; device features such as type, model, and CPU; and much more. The package is pretty useful, especially considering how confusing the user agents in modern browsers can be. Here’s one from Microsoft Edge 98 on an iPad:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) EdgiOS/98 Version/13.0.3 Safari/605.1.15

On Windows, the same browser has the following identification string:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36 Edg/98.0.1108.50

But wait, it gets better—here’s Edge 99 on iPad:

Mozilla/5.0 (iPad; CPU OS 15_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) EdgiOS/99.0.1150.52 Version/15.0 Mobile/15E148 Safari/604.1
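To show concretely why these strings are confusing, here is an added example (not code from the book or from ua-parser-js) that runs a naive token check and an order-aware check over the three user-agent strings quoted above; the rule table, function names and sample labels are my own.

```javascript
// Constructed sample input: the three user-agent strings quoted in the chapter.
const SAMPLE_UAS = {
  edge98iPad: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) EdgiOS/98 Version/13.0.3 Safari/605.1.15",
  edge98Windows: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36 Edg/98.0.1108.50",
  edge99iPad: "Mozilla/5.0 (iPad; CPU OS 15_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) EdgiOS/99.0.1150.52 Version/15.0 Mobile/15E148 Safari/604.1",
};

// Naive approach: the first familiar token wins. Every Edge string above still
// carries "Safari/" (and on Windows "Chrome/") for compatibility, so this
// reports Edge as Chrome or Safari.
function naiveBrowser(ua) {
  if (ua.includes("Chrome/")) return "Chrome";
  if (ua.includes("Safari/")) return "Safari";
  return "Unknown";
}

// Order-aware approach: test the most specific vendor token first and only fall
// back to the generic ones. "Edg" is Edge on Windows/macOS, "EdgiOS" is Edge on iOS/iPadOS.
const BROWSER_RULES = [
  { name: "Edge",   re: /\b(?:Edg|EdgiOS)\/([\d.]+)/ },
  { name: "Chrome", re: /\bChrome\/([\d.]+)/ },
  { name: "Safari", re: /\bVersion\/([\d.]+).*\bSafari\// },
];

function detectBrowser(ua) {
  for (const { name, re } of BROWSER_RULES) {
    const m = re.exec(ua);
    if (m) return { name, version: m[1], major: parseInt(m[1], 10) };
  }
  return { name: "Unknown", version: "", major: NaN };
}

// OS detection is no better: the Edge 98 iPad string announces itself as
// "Macintosh; Intel Mac OS X", so from the string alone it cannot be told apart
// from a Mac. Only the Edge 99 string actually contains "iPad".
function detectOS(ua) {
  if (/\biPad\b/.test(ua)) return "iPadOS";
  if (/Windows NT/.test(ua)) return "Windows";
  if (/Mac OS X/.test(ua)) return "macOS";
  return "Unknown";
}

// Stand-alone run: print the naive and order-aware readings side by side.
for (const [label, ua] of Object.entries(SAMPLE_UAS)) {
  const b = detectBrowser(ua);
  console.log(`${label}: naive=${naiveBrowser(ua)} detected=${b.name} ${b.version} on ${detectOS(ua)}`);
}
```

Even the order-aware version only works until the next vendor token shows up, which is the reason to lean on a maintained library like ua-parser-js rather than hand-rolled regexes.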

14.1 Using npm audit

14.2 Keeping NuGet dependencies up-to-date

Summary