GitHub Advisory Database now powers npm audit
Today, we’re adding a proxy on top of the GitHub Advisory Database that speaks the `npm audit` protocol. This means that every version of the npm CLI that supports security audits is now talking directly to the GitHub Advisory Database.
Supply chain security is one of the most important parts of software development today, and we want to make developing securely as easy as possible for developers. Today, we’re taking another step in bringing all this together for both npm and GitHub by announcing that the GitHub Advisory Database now powers npm audit.
npm audit is a command that you can run in your Node.js application to scan your project’s dependencies for known security vulnerabilities—you’ll be given a URL that you can visit to learn more, and information about what versions have fixed this vulnerability. In addition, the npm install command uses this information to give you a brief summary of problems.
Integrating npm’s security systems
The GitHub Advisory Database is a carefully curated set of more than 5,000 security vulnerabilities that powers important security tools like Dependabot. When npm joined GitHub, the npm advisory database became a part of our portfolio of security products, but (unfortunately) that meant that we had two databases of security advisories.
Last year, we added all the npm security advisories to the GitHub Advisory Database. By doing this, we made sure that you were seeing the same advisories for your project—whether you were scanning it with npm audit or a tool like Dependabot. This was a great first step because developers didn’t have to look in two places to see security advisories for their dependencies, but for GitHub we still had differences between the schemas in each database. This made it harder to add new features, and also created extra work since our security engineers who curate these advisories needed to make sure that each advisory was accurate in each database.
GitHub Advisory Database + npm
Today, we’re adding a proxy on top of the GitHub Advisory Database that speaks the npm audit protocol. This means that every version of the npm CLI that supports security audits is now talking directly to the GitHub Advisory Database.
In addition, we’re redirecting the advisories on npmjs.com to the GitHub Advisory Database. This means you can view advisories and also search and sort advisories in a more advanced way. Every developer gets the same, high-quality vulnerability information from the GitHub Advisory Database, and we’ll stay focused on keeping developing on npm and GitHub secure.
Learn more
Jump in and explore npm advisories today, or learn more about our other supply chain security features as follows:
npm audit- The Advisory Database
- Security advisories
- Dependency graph
- Dependabot alerts
- Dependabot security updates
Tags:
Written by
Related posts
Attacking browser extensions
Learn about browser extension security and secure your extensions with the help of CodeQL.
Cybersecurity spotlight on bug bounty researcher @adrianoapj
As we wrap up Cybersecurity Awareness Month, the GitHub Bug Bounty team is excited to feature another spotlight on a talented security researcher who participates in the GitHub Security Bug Bounty Program—@adrianoapj!
Securing the open source supply chain: The essential role of CVEs
Vulnerability data has grown in volume and complexity over the past decade, but open source and programs like the Github Security Lab have helped supply chain security keep pace.