This will be the last post in this group of posts about vulnerabilities in dependencies. In this post I want to talk about an external tool, snyk, that I use to check for vulnerabilities in projects I maintain. I will cover how I use the tool and why I find it valuable in keeping my applications secure.
Snyk is a great tool/service for checking your JavaScript projects for security vulnerabilities in their dependencies. You can get snyk to watch a repo and notify you if any of the dependency versions you are using in your project have known vulnerabilities. The email will link you to a report which tells you which dependencies have the issue and what remediations are available. You can even get snyk to create a pull request with the recommended remediation for that vulnerability.
I prefer to use the snyk CLI to check my projects. The snyk CLI is a node package which you can install globally with npm: `npm i -g snyk`. You need to log into your snyk account using `snyk auth`, and from there you can use `snyk test` to see if any of your project's dependencies have a known vulnerability in their vulnerability database. If a vulnerability is found you can use `snyk wizard` to help you remediate anything that it finds. You can also use `snyk monitor` to set up the project to be monitored. Anything more detailed can be configured in their web application.
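As an added example (not from the original post or from snyk itself), here is a small Python script that triages the JSON a `snyk test --json` run produces and fails a CI step when anything at or above a chosen severity is found. The report field names are assumed from the CLI's output format, and the embedded report is constructed for the example.

```python
"""Triage a `snyk test --json` report and decide whether a CI build should fail.
Field names (vulnerabilities, severity, packageName, version, isUpgradable,
upgradePath, isPatchable) are assumed from the CLI's report format."""
import json
import sys

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
# Constructed sample shaped like a `snyk test --json` report; not real output.
SAMPLE_REPORT = json.dumps({"ok": False, "vulnerabilities": [
    {"id": "EXAMPLE-VULN-1", "title": "Prototype Pollution", "severity": "high",
     "packageName": "example-util", "version": "1.0.0", "isUpgradable": True,
     "upgradePath": [False, "example-cli@2.1.0", "example-util@1.0.2"]},
    {"id": "EXAMPLE-VULN-1", "title": "Prototype Pollution", "severity": "high",
     "packageName": "example-util", "version": "1.0.0", "isUpgradable": True,
     "upgradePath": [False, "example-server@3.0.1", "example-util@1.0.2"]},
    {"id": "EXAMPLE-VULN-2", "title": "Regular Expression DoS", "severity": "medium",
     "packageName": "example-parser", "version": "4.2.0", "isUpgradable": False,
     "isPatchable": True, "upgradePath": []},
    {"id": "EXAMPLE-VULN-3", "title": "Information Exposure", "severity": "low",
     "packageName": "example-logger", "version": "0.9.0", "isUpgradable": False,
     "isPatchable": False, "upgradePath": []},
]})

def remediation(vuln):
    """Describe the fix the report offers: a direct-dependency bump, a patch, or none."""
    path = [step for step in vuln.get("upgradePath", []) if step]  # drop the False root entry
    if vuln.get("isUpgradable") and path:
        return f"bump direct dependency to {path[0]}"
    if vuln.get("isPatchable"):
        return "patchable via snyk wizard"
    return "no fix available: pin, replace, or accept the risk"

def triage(report_json, fail_on="high"):
    """Return (should_fail, findings). The same issue often reaches you through several
    dependency paths, so findings are de-duplicated per vulnerable package version and
    sorted most severe first; should_fail is True if any finding meets the threshold."""
    report = json.loads(report_json)
    unique = {}
    for vuln in report.get("vulnerabilities", []):
        unique.setdefault((vuln["id"], vuln["packageName"], vuln["version"]), vuln)
    findings = sorted(unique.values(),
                      key=lambda v: SEVERITY_RANK.get(v["severity"], -1), reverse=True)
    threshold = SEVERITY_RANK[fail_on]
    return any(SEVERITY_RANK.get(v["severity"], -1) >= threshold for v in findings), findings

if __name__ == "__main__":  # pipe `snyk test --json` into this script, or run it on the sample
    should_fail, findings = triage(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT)
    for v in findings:
        print(f"[{v['severity']:>8}] {v['packageName']}@{v['version']} {v['title']}: {remediation(v)}")
    sys.exit(1 if should_fail else 0)
```

Run as `snyk test --json | python triage.py` in CI; the non-zero exit on high or critical findings blocks the build while lower-severity items are still listed for later attention.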
I find snyk valuable because it cuts through the noise of keeping your application up to date by letting you prioritise updating the most pressing vulnerabilities in your dependencies. I find the monitoring very helpful, as it warns me as soon as it finds a vulnerable dependency; I don't have to be actively looking. I also appreciate the free plan, which allows me a generous number of free scans and is great for hobby projects. Too often tools that help us keep our code secure are priced at a level where only enterprises can afford them.
To conclude, I would recommend checking out snyk by running it on a project you maintain. Enjoy the peace of mind that someone else is watching your dependencies. As the entry-level plan is free, you can try it out without commitment, and if you like it you can experiment with some of their other features. This product will not solve all your application security problems, but in my experience it will help you with the problem of keeping vulnerable external code out of your project.