Nexcess Blog

GitHub Introduces Security Alerts For JavaScript Projects

November 22, 2017



GitHub has introduced Security Alerts for JavaScript and Ruby-based projects, with more languages coming soon. The alerts use GitHub’s dependency graph feature, which was introduced last month to provide a visual display of the dependency hierarchy of compatible projects.

JavaScript projects in particular tend to have lots of dependencies, and, until now, there has been no easy way to check for security vulnerabilities in individual dependencies — projects have to trust the software they depend on. As JavaScript becomes increasingly important to the WordPress ecosystem, a tool like this will make it easier to build safe integrations.

Open source projects build on the capabilities of other open source projects. WordPress, for example, depends on Linux, Apache, MySQL, and PHP, among many others — all open source projects that WordPress uses to provide functionality that would otherwise have to be re-created from scratch. The web wouldn’t be what it is today without the ability to reuse code in this way.

However, security vulnerabilities in software can put every user of that software at risk, including other projects that depend on it. The JavaScript ecosystem is massive, with tens of thousands of small modules, each of which might depend on other modules, which depend on other modules, and so on down the line.

As any JavaScript developer knows, even a simple project with a couple of dependencies installed with NPM (the Node Package Manager) can pull in hundreds of dependencies. How does a developer know there isn’t a security issue with one of those packages?

The truth is that they don’t know. They trust the system to find and fix vulnerabilities. Outside of strict government and corporate software projects, no one has the time or the money to check the security status of every library used by their software.

GitHub’s Security Alerts are an attempt to address this problem automatically. GitHub knows the dependency graph (the tree of packages a project depends on) and can cross-reference that information with vulnerability databases. GitHub’s Security Alerts use the National Vulnerability Database of the National Institute of Standards and Technology.
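To show the cross-referencing step in miniature, here is an added example (not GitHub’s code, and not the real dependency-graph or NVD formats): it walks a constructed dependency tree with hypothetical package names, flattens the transitive dependencies, and reports every copy of a package whose version falls below the fixed version in a constructed advisory list, together with the chain that pulled it in.

```javascript
// Constructed sample tree: the same shape as a nested lockfile, with
// hypothetical package names. Note "string-util" appears three times at
// different versions, which is typical of a transitive dependency tree.
const sampleTree = {
  name: "my-app", version: "1.0.0",
  dependencies: {
    "web-framework": { version: "2.1.0", dependencies: {
      "template-engine": { version: "1.4.2", dependencies: {
        "string-util": { version: "0.9.1" } } },
      "string-util": { version: "0.9.1" } } },
    "cli-helper": { version: "3.0.0", dependencies: {
      "string-util": { version: "1.2.0" } } }
  }
};

// Constructed advisories (placeholder ids, not real NVD entries):
// a package is affected when its version is below `vulnerableBelow`.
const sampleAdvisories = [
  { id: "ADVISORY-PLACEHOLDER-1", package: "string-util", vulnerableBelow: "1.0.0" },
  { id: "ADVISORY-PLACEHOLDER-2", package: "template-engine", vulnerableBelow: "1.4.0" },
];

// Compare dotted numeric versions (major.minor.patch) as numbers, not strings,
// so that 0.9.1 < 1.0.0 and 1.10.0 > 1.9.0 come out right.
function lessThan(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Flatten the tree into every (name, version) occurrence, keeping the
// chain of parents so a finding can be traced to the direct dependency.
function flattenTree(node, path = [], out = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const chain = [...path, `${name}@${child.version}`];
    out.push({ name, version: child.version, path: chain });
    flattenTree(child, chain, out);
  }
  return out;
}

// Cross-reference each occurrence against the advisory list.
function findVulnerable(tree, advisories) {
  const hits = [];
  for (const dep of flattenTree(tree)) {
    for (const adv of advisories) {
      if (adv.package === dep.name && lessThan(dep.version, adv.vulnerableBelow)) {
        hits.push({ id: adv.id, package: dep.name, version: dep.version, path: dep.path.join(" > ") });
      }
    }
  }
  return hits;
}
```

Each hit lists the full chain, which is what an administrator needs to decide whether to bump the direct dependency or wait for an upstream fix.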

The feature is turned on by default for public repositories, and will email project administrators when a vulnerability is discovered. It can be turned on by administrators of private repositories if they so desire.

There are already projects that promise to do something similar to GitHub’s Security Alerts for JavaScript, including the proprietary Snyk and the open source Audit.js project. But GitHub’s scale — many popular open source projects are hosted on GitHub — gives it an advantage. And although we’ve focused on JavaScript in this article because of the WordPress connection, GitHub is in a good position to roll out the same tool for many different languages, including, eventually, PHP.
