Non-upgradable dependencies - javascript

Need

Prevent security vulnerabilities arising from dependencies that cannot be upgraded

Context

  • Usage of JavaScript for developing modern web applications
  • Dependency management using npm or yarn for package installation

Description

Non-compliant code

        /my-project
        ├── node_modules/   <-- 🚨 Dependencies added to the project
        │   ├── lodash/
        │   ├── express/
        │   └── axios/
        └── index.js

Dependencies are downloaded and added directly to the project without using a version manager.

In this example, the node_modules folder with three dependencies was added to the project, but there is no package.json file.

Steps

  • Identify all the dependencies used in the code
  • List all dependencies explicitly in the package.json file to allow proper version control and tracking
  • Use version ranges (e.g., ^ or ~) instead of fixed versions to allow safe updates
  • Regularly update the dependencies to the latest versions to ensure security patches and bug fixes are applied
  • Consider using a dependency management tool to automate the process of managing and updating dependencies

Compliant code

        /my-project
        ├── .gitignore
        │       node_modules/
        └── package.json
                {
                  "dependencies": {
                    "lodash": "4.17.21",
                    "express": "4.19.2",
                    "axios": "1.4.0"
                  }
                }

Dependencies are defined in a package.json file so that a package manager like npm or yarn can track them and identify if they need updates.

Additionally, the node_modules folder is excluded in the .gitignore file to prevent it from being added to the repository. When cloning the repository, dependencies must be installed using npm install.
