Third-Party Dependency Security Vulnerabilities | Blue Frog Docs

Third-Party Dependency Security Vulnerabilities

Diagnose and fix security vulnerabilities in npm packages, JavaScript libraries, and other third-party dependencies

What This Means

Modern web applications rely on hundreds of third-party libraries and dependencies (npm packages, JavaScript libraries, WordPress plugins, etc.). These dependencies can contain security vulnerabilities that attackers can exploit to compromise your website, steal user data, or gain unauthorized access to your systems.

Common Dependency Vulnerabilities

Known CVEs (Common Vulnerabilities and Exposures):

  • Publicly disclosed security flaws
  • Assigned CVE identifiers (npm advisories also carry GHSA identifiers)
  • Rated by severity (Critical, High, Medium, Low), usually derived from a CVSS score
  • Usually have a patched version available, but not always: some are disclosed before a fix exists, so check the advisory's fixed-in version rather than assuming one

Outdated Packages:

  • Old versions with known vulnerabilities
  • No longer maintained packages
  • Missing security patches
  • Deprecated dependencies

Malicious Packages:

  • Typosquatting (names one typo away from popular packages)
  • Compromised packages (hijacked maintainer accounts, or a malicious new maintainer)
  • Backdoors in dependencies
  • Install-time scripts (preinstall/postinstall) that run arbitrary code during npm install
  • Supply chain attacks

Transitive Dependencies:

  • Vulnerabilities in dependencies of dependencies
  • Hard to track and update
  • Often overlooked

Impact on Your Business

Security Breaches:

  • Data theft - customer data stolen
  • Site compromise - attackers gain control
  • Malware distribution - infect visitors
  • Cryptocurrency mining - use visitor resources
  • Backdoor access - persistent attacker access

Legal & Compliance:

  • GDPR violations (data breach)
  • PCI DSS compliance failures
  • Legal liability
  • Mandatory breach notifications
  • Fines and penalties

Business Impact:

  • Lost customer trust
  • Brand damage
  • Revenue loss
  • Downtime
  • Cleanup costs
  • Legal fees

Examples of Major Incidents:

  • Event-stream package (2018: a new maintainer added a malicious dependency that targeted a Bitcoin wallet application)
  • Lodash prototype pollution
  • jQuery XSS vulnerabilities
  • Vulnerable WordPress plugins

How to Diagnose

Method 1: npm audit

Check for vulnerabilities:

# Run security audit (reads package-lock.json, so install first)
npm audit

# Get detailed, machine-readable report
npm audit --json

# Production dependencies only (npm 8+; older versions use --production)
npm audit --omit=dev

# Exit non-zero only for high and critical findings (useful as a CI gate; lower severities are still printed)
npm audit --audit-level=high

What to Look For:

  • Critical and High severity issues
  • Number of vulnerabilities
  • Affected packages
  • Available fixes

Method 2: Snyk

Free tier available; scans against Snyk's own vulnerability database:

# Install Snyk
npm install -g snyk

# Authenticate
snyk auth

# Test for vulnerabilities
snyk test

# Snapshot the dependency tree to snyk.io so you are alerted when new advisories affect it
snyk monitor

# Test every project (package.json) found under the current directory, e.g. in a monorepo
snyk test --all-projects

Features:

  • Detailed vulnerability information
  • Fix suggestions
  • Automated PR creation
  • Continuous monitoring

Method 3: GitHub Dependabot

Automatic dependency scanning:

  1. Enable Dependabot in repository settings
  2. Dependabot scans dependencies automatically
  3. Creates alerts for vulnerabilities
  4. Optionally creates automated PRs to fix

What to Look For:

  • Security alerts in GitHub
  • Dependabot PRs
  • Vulnerability severity
  • Available updates

Method 4: OWASP Dependency-Check

Multi-language analysis (Java, .NET, and npm projects with a package-lock.json via its Node Audit analyzer), matching components against the NVD and the npm audit data:

# Run from the unpacked release (dependency-check.sh on Linux/macOS, dependency-check.bat on Windows)
dependency-check --project "MyProject" --scan ./ --out ./reports --format HTML

# Writes a report of vulnerable components to the output directory (HTML by default)

Method 5: Manual Package Checking

Check specific packages:

# Check single package
npm view package-name

# See all versions
npm view package-name versions

# Check for updates
npm outdated

# Check package on npm
https://www.npmjs.com/package/package-name

Look at:

  • Last publish date and how regularly releases ship
  • Maintainer activity (and whether the maintainers changed hands recently)
  • Download count
  • GitHub issues
  • Published advisories (the repository's Security tab on GitHub, or the GitHub Advisory Database)
  • Install-time scripts (preinstall/postinstall in package.json), which run arbitrary code on your machine during npm install

General Fixes

Fix 1: Update Vulnerable Dependencies

Update to the latest safe version:

# Update all dependencies within the ranges allowed by package.json
npm update

# Update specific package (same semver constraint)
npm update package-name

# Update to latest (including major versions; rewrites the range in package.json)
npm install package-name@latest

# Fix vulnerabilities automatically, staying within semver ranges
npm audit fix

# Also install semver-major updates; these can break the build, so run the test suite before committing
npm audit fix --force

Check what will change:

# See what would be updated
npm outdated

# Preview audit fix
npm audit fix --dry-run

Fix 2: Use Lock Files

Ensure consistent, secure versions. The lock file records the exact resolved version and an integrity hash for every package, transitive ones included, so every environment installs the same audited tree and a tampered tarball is rejected at install time. Use `npm install` when you intend to change dependencies (it may rewrite the lock file); in CI use `npm ci`, which installs exactly what the lock file records and fails if it disagrees with package.json:

# package-lock.json (npm)
npm install

# yarn.lock (Yarn)
yarn install

# Commit lock files to version control
git add package-lock.json
git commit -m "Update dependencies"

Benefits:

  • Consistent installs across environments
  • Prevents unexpected updates (a new release of a transitive dependency cannot slip in between installs)
  • Easier to audit specific versions (npm audit, Snyk and Dependabot all work from the lock file)
  • Reproducible builds
  • Tamper detection via the recorded integrity hashes

Fix 3: Automate Dependency Updates

Dependabot configuration (.github/dependabot.yml). Security updates are not configured through `allow`: they are switched on under the repository's Settings > Code security and analysis, and then reuse the matching ecosystem/directory entry below for their pull requests. Each package-ecosystem/directory pair may appear only once per target branch, so the file needs a single npm entry:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    versioning-strategy: increase
    labels:
      - "dependencies"
      - "security"

To receive security updates without routine version bumps, keep the entry and set `open-pull-requests-limit: 0`; Dependabot then opens pull requests only for vulnerable dependencies.

Renovate Bot (renovate.json; `config:recommended` is the current name of the preset formerly called `config:base`). Automerge only proceeds once the branch's status checks pass, so keep a real test suite behind it:

{
  "extends": ["config:recommended"],
  "packageRules": [
    {
      "matchUpdateTypes": ["patch", "pin", "digest"],
      "automerge": true
    },
    {
      "matchDepTypes": ["devDependencies"],
      "automerge": true
    }
  ],
  "vulnerabilityAlerts": {
    "enabled": true
  }
}

Fix 4: Implement Security Scanning in CI/CD

GitHub Actions workflow. The workflow is itself part of your supply chain: third-party actions referenced by a mutable tag such as @master or @v3 can change underneath you, so in production pin them to a full commit SHA:

# .github/workflows/security.yml
name: Security Scan

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 0 * * 0' # Weekly, Sunday 00:00 UTC

# upload-sarif needs to write code-scanning results; everything else is read-only
permissions:
  contents: read
  security-events: write

jobs:
  security:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v3

      - name: Setup Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '18'
          cache: 'npm'

      # npm ci installs exactly what package-lock.json records and fails if it disagrees with package.json
      - name: Install dependencies
        run: npm ci

      # Exits non-zero, failing the job, only for high and critical findings
      - name: Run npm audit
        run: npm audit --audit-level=high

      # continue-on-error keeps the job alive so the SARIF file is still uploaded when Snyk finds issues;
      # the findings then appear under the repository's Security > Code scanning tab
      - name: Run Snyk test
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --sarif-file-output=snyk.sarif

      - name: Upload Snyk results
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk.sarif

Fix 5: Evaluate Package Before Installing

Before adding new dependencies:

  1. Check package quality:

    • Weekly downloads
    • GitHub stars
    • Maintainer reputation
    • Last update date
    • Open issues
  2. Security considerations:

    # Test a specific package version against Snyk's database before installing it
    snyk test package-name@version
    
    # Check publish history and maintainers
    npm view package-name
    
    # Check bundlephobia for size
    https://bundlephobia.com/package/package-name
    
  3. Consider alternatives:

    • Can you implement yourself?
    • Is there a better-maintained alternative?
    • Do you need entire library?

Fix 6: Use Subresource Integrity (SRI)

For CDN-loaded libraries. The browser hashes the downloaded file and refuses to execute it unless the hash matches the integrity attribute, so a CDN that is compromised, or that quietly changes the file after you integrated it, cannot push different code to your visitors:

<!-- Without SRI - vulnerable -->
<script src="https://cdn.example.com/library.js"></script>

<!-- With SRI - protected -->
<script
  src="https://cdn.example.com/library.js"
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
  crossorigin="anonymous"
></script>

Generate SRI hash:

# Using openssl (hash a copy you trust, e.g. the file from the library's own release, not only whatever the CDN serves today)
curl -sSL https://cdn.example.com/library.js | openssl dgst -sha384 -binary | openssl base64 -A

# Using SRI Hash Generator
https://www.srihash.org/

Caveats: SRI only works with a fixed file, so reference an exact version in the URL rather than a "latest" path and recompute the hash whenever you upgrade; the CDN must serve the file with CORS headers, which is what `crossorigin="anonymous"` requests (without a CORS-readable response the browser blocks the resource); and replace the hash shown above with the one computed for your own file.

Fix 7: Minimize Dependencies

Reduce attack surface:

# Audit what you actually need (direct dependencies only)
npm ls --depth=0

# Remove unused dependencies
npm uninstall package-name

# Use npm-check to find unused and outdated packages
npx npm-check

# Analyze bundle size (point it at a webpack stats JSON file)
npx webpack-bundle-analyzer

Best practices:

  • Only install what you need
  • Prefer smaller, focused packages
  • Consider native alternatives (built-in Node.js and browser APIs now cover many former helper libraries)
  • Tree-shake unused code
  • Keep dev dependencies out of production installs (`npm ci --omit=dev`)

Platform-Specific Guides

Detailed implementation instructions for your specific platform:

  • Shopify: Shopify Dependency Security Guide
  • WordPress: WordPress Plugin Security Guide
  • Wix: Wix Dependency Security Guide
  • Squarespace: Squarespace Dependency Security Guide
  • Webflow: Webflow Dependency Security Guide

Verification

After fixing dependency vulnerabilities:

  1. Run security audit:

    npm audit
    snyk test
    
    • Should show 0 high/critical issues
    • Review moderate/low issues
  2. Check CI/CD:

    • Security scan passes
    • No failing checks
    • Automated scans running
  3. Verify functionality:

    • Test after updates
    • Check for breaking changes
    • Run full test suite
  4. Monitor ongoing:

    • Enable Dependabot
    • Set up Snyk monitoring
    • Regular audits scheduled
  5. Document:

    • Keep dependency list
    • Note security decisions
    • Track update schedule

Common Mistakes

  1. Ignoring audit warnings - "It works, don't touch it"
  2. Not updating regularly - Accumulating technical debt
  3. Installing too many packages - Unnecessary attack surface
  4. Not checking package quality - Installing malicious/abandoned packages
  5. Committing node_modules - Hard to audit
  6. Using --force blindly - Breaking changes without testing
  7. No automated scanning - Manual checks missed
  8. Trusting all packages - Not evaluating before install
  9. Ignoring transitive dependencies - Vulnerabilities in sub-dependencies
  10. No rollback plan - Updates break production

Security Checklist

  • npm audit shows 0 high/critical issues
  • Lock files committed to repo
  • Dependabot or Renovate enabled
  • CI/CD runs security scans
  • Regular dependency updates scheduled
  • SRI for CDN resources
  • Minimal dependencies installed
  • Package evaluation process in place
  • Security monitoring active
  • Incident response plan ready
