Supply chain security is one of the most important parts of software development today, and we want to make developing securely as easy as possible for developers. Today, we’re taking another step in bringing all this together for both npm and GitHub by announcing that the GitHub Advisory Database now powers npm audit.
npm audit is a command that you can run in your Node.js application to scan your project’s dependencies for known security vulnerabilities—you’ll be given a URL that you can visit to learn more, and information about what versions have fixed this vulnerability. In addition, the npm install command uses this information to give you a brief summary of problems.
The GitHub Advisory Database is a carefully curated set of more than 5,000 security vulnerabilities that powers important security tools like Dependabot. When npm joined GitHub, the npm advisory database became a part of our portfolio of security products, but (unfortunately) that meant that we had two databases of security advisories.
Last year, we added all the npm security advisories to the GitHub Advisory Database. By doing this, we made sure that you were seeing the same advisories for your project—whether you were scanning it with npm audit or a tool like Dependabot. This was a great first step because developers didn’t have to look in two places to see security advisories for their dependencies, but for GitHub we still had differences between the schemas in each database. This made it harder to add new features, and also created extra work since our security engineers who curate these advisories needed to make sure that each advisory was accurate in each database.
Today, we’re adding a proxy on top of the GitHub Advisory Database that speaks the npm audit protocol. This means that every version of the npm CLI that supports security audits is now talking directly to the GitHub Advisory Database.
In addition, we’re redirecting the advisories on npmjs.com to the GitHub Advisory Database. This means you can view advisories and also search and sort advisories in a more advanced way. Every developer gets the same, high-quality vulnerability information from the GitHub Advisory Database, and we’ll stay focused on keeping developing on npm and GitHub secure.
Jump in and explore npm advisories today, or learn more about our other supply chain security features as follows:
Using CVE-2023-43641 as an example, I’ll explain how to develop an exploit for a memory corruption vulnerability on Linux. The exploit has to bypass several mitigations to achieve code execution.
Learn how researchers and security experts at GitHub, Microsoft, and Santander came together to address the challenges presented by the post-quantum cryptography world.
Explore the July edition, featuring prompts, tips, and use cases for GitHub Copilot.
Edward Thomson 
