GitHub Advisory Database now powers npm audit
Today, we’re adding a proxy on top of the GitHub Advisory Database that speaks the `npm audit` protocol. This means that every version of the npm CLI that supports security audits is now talking directly to the GitHub Advisory Database.
Supply chain security is one of the most important parts of software development today, and we want to make developing securely as easy as possible for developers. Today, we’re taking another step in bringing all this together for both npm and GitHub by announcing that the GitHub Advisory Database now powers npm audit
.
npm audit
is a command that you can run in your Node.js application to scan your project’s dependencies for known security vulnerabilities—you’ll be given a URL that you can visit to learn more, and information about what versions have fixed this vulnerability. In addition, the npm install command uses this information to give you a brief summary of problems.
Integrating npm’s security systems
The GitHub Advisory Database is a carefully curated set of more than 5,000 security vulnerabilities that powers important security tools like Dependabot. When npm joined GitHub, the npm advisory database became a part of our portfolio of security products, but (unfortunately) that meant that we had two databases of security advisories.
Last year, we added all the npm security advisories to the GitHub Advisory Database. By doing this, we made sure that you were seeing the same advisories for your project—whether you were scanning it with npm audit
or a tool like Dependabot. This was a great first step because developers didn’t have to look in two places to see security advisories for their dependencies, but for GitHub we still had differences between the schemas in each database. This made it harder to add new features, and also created extra work since our security engineers who curate these advisories needed to make sure that each advisory was accurate in each database.
GitHub Advisory Database + npm
Today, we’re adding a proxy on top of the GitHub Advisory Database that speaks the npm audit
protocol. This means that every version of the npm CLI that supports security audits is now talking directly to the GitHub Advisory Database.
In addition, we’re redirecting the advisories on npmjs.com to the GitHub Advisory Database. This means you can view advisories and also search and sort advisories in a more advanced way. Every developer gets the same, high-quality vulnerability information from the GitHub Advisory Database, and we’ll stay focused on keeping developing on npm and GitHub secure.
Learn more
Jump in and explore npm advisories today, or learn more about our other supply chain security features as follows:
npm audit
- The Advisory Database
- Security advisories
- Dependency graph
- Dependabot alerts
- Dependabot security updates
Tags:
Written by
Related posts
Announcing CodeQL Community Packs
We are excited to introduce the new CodeQL Community Packs, a comprehensive set of queries and models designed to enhance your code analysis capabilities. These packs are tailored to augment…
Uncovering GStreamer secrets
In this post, I’ll walk you through the vulnerabilities I uncovered in the GStreamer library and how I built a custom fuzzing generator to target MP4 files.
CodeQL zero to hero part 4: Gradio framework case study
Learn how I discovered 11 new vulnerabilities by writing CodeQL models for Gradio framework and how you can do it, too.