What tools do you use to monitor for NPM and other dependency vulnerabilities?

2 pointstiagom876mo ago2 comments

Following the npm hack, I think this is an attack vector that will get more popular in the short term. What tools beside npm audit and dependabot, do you use to monitor for dependency security vulnerabilities?

2 comments

patrick4urcloud6mo ago

Hello, We add a check in npm packages in kexa.io .

see https://medium.com/@contact_52772/malicious-npm-packages-aut... .

For futur we can add a call to an open source api to list the ban packages. Thank you, Patrick

palmfacehn6mo ago

My strategy has been to limit my exposure to the larger NPM/Node.js ecosystem. I'll use it only in limited cases where a front-end dependency is required.

j / k navigate · click thread line to collapse