In previous posts I have talked about the importance of keeping software projects up to date. In my opinion this is probably the task with the highest return on investment you can perform, meaning that it will remove the largest number of security vulnerabilities for the least amount of effort. The reason is that you are simply taking advantage of the work your dependencies' authors have already done in fixing vulnerabilities in the libraries they maintain: this is very little work for you, but it can have a dramatic impact on the security of the software you are writing. In this post I am going to take you through some concrete steps you can take to keep your JavaScript project up to date with npm.
NPM (node package manager) is two things. It is a repository of JavaScript packages: chances are, if you downloaded a JavaScript library, it was stored in NPM. NPM is also a client that downloads and installs those packages, and that client has a bunch of useful features for keeping your project up to date as well. The distinction matters because there are multiple clients you can use to pull packages from the npm repository, with yarn being another popular alternative. The features I am going to describe are in the NPM client; at the time of writing I am using version 6.4.1, so if you are using that version or later you should be able to use them too.
The first step I take in my regular maintenance is running npm audit, which checks whether any of the versions of the dependencies you are using contain known security vulnerabilities. If it doesn't find anything you can move on to the next step. If it finds anything it will give you advice on what action to take for each dependency, and it will also suggest you run npm audit fix, which will attempt to update all the vulnerable dependencies to the latest version. Run npm audit fix and then test your software; if you have automated tests you will be thanking yourself now. If everything still works as expected you can move on to the next step. If something is broken you are probably better off rolling back to your previous version and upgrading each dependency independently, to find which update was causing the problem. You can then follow the upgrade steps for that dependency (usually easier said than done). You are now done with the mandatory part of the process.
The next step is to get all the other dependencies of your project up to date, so that next time you hopefully won't run into any of the upgrade problems you ran into when running npm audit. The next helpful NPM feature is npm outdated; this lists all of your dependencies that are out of date, together with the latest version of each that is available. It is good practice to go through every dependency on this list and see what has changed, and whether your code will still be compatible. When you are comfortable with the changes that will be made you can run npm update. This will update all the dependencies identified by npm outdated to the latest version. When it is done, test your code again; hopefully everything still works. If something is broken it is probably worth rolling everything back and updating one dependency at a time, as in the audit upgrade step. Remember it is really worth putting in the effort to get all your dependencies up to date now, as it is only going to get harder.
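As an added example (not code from the original post), here is a small Node script that triages the JSON form of the npm outdated report before you run npm update. The caveat it encodes: npm update only moves each dependency to its "wanted" version, the newest one allowed by the range in package.json, so any package whose "latest" sits a major version beyond "wanted" needs a changelog review and a manual range change rather than a blind update. The package names and versions are constructed sample data.

```javascript
// Triage `npm outdated --json` output (npm 6 shape:
// { "<name>": { current, wanted, latest, location } }) into two lists:
// what `npm update` will do by itself, and what needs a human to review.
const semverParts = (v) => v.split('-')[0].split('.').map(Number);

// Classify the step between two versions as 'major', 'minor', 'patch' or 'none'.
// Pre-release suffixes (e.g. 3.0.0-beta.1) are ignored for the comparison.
function bumpType(from, to) {
  const [aMaj, aMin, aPat] = semverParts(from);
  const [bMaj, bMin, bPat] = semverParts(to);
  if (bMaj !== aMaj) return 'major';
  if (bMin !== aMin) return 'minor';
  if (bPat !== aPat) return 'patch';
  return 'none';
}

function triageOutdated(report) {
  const autoUpdate = [];  // current -> wanted: `npm update` handles these
  const needsReview = []; // wanted -> latest: outside the package.json range
  for (const [name, info] of Object.entries(report)) {
    const viaUpdate = bumpType(info.current, info.wanted);
    const toLatest = bumpType(info.wanted, info.latest);
    if (viaUpdate !== 'none') {
      autoUpdate.push({ name, from: info.current, to: info.wanted, bump: viaUpdate });
    }
    if (toLatest !== 'none') {
      needsReview.push({ name, from: info.wanted, to: info.latest, bump: toLatest });
    }
  }
  return { autoUpdate, needsReview };
}

// Constructed sample shaped like `npm outdated --json` output; not a real project.
const sampleReport = {
  'alpha-lib': { current: '1.2.3', wanted: '1.2.9', latest: '1.2.9', location: 'node_modules/alpha-lib' },
  'beta-lib':  { current: '2.0.0', wanted: '2.4.1', latest: '3.0.0', location: 'node_modules/beta-lib' },
  'gamma-lib': { current: '0.9.0', wanted: '0.9.0', latest: '1.0.0', location: 'node_modules/gamma-lib' },
};

const { autoUpdate, needsReview } = triageOutdated(sampleReport);
console.log('npm update will apply:');
autoUpdate.forEach((u) => console.log(`  ${u.name} ${u.from} -> ${u.to} (${u.bump})`));
console.log('review changelog and edit package.json range before upgrading:');
needsReview.forEach((u) => console.log(`  ${u.name} ${u.from} -> ${u.to} (${u.bump})`));
```

To run it against a real project, replace sampleReport with JSON.parse of the output of npm outdated --json.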
That is all: you now have an up to date JavaScript project with no known vulnerabilities in its dependencies, so give yourself a pat on the back. If you perform this process regularly there is a smaller chance of problems with future upgrades. With this small amount of effort you have just killed off a whole class of bugs and security vulnerabilities.