
Ask HN: How do you keep track of node packages/ruby gems security issues? - meop
For some reason vulnerabilities in node packages and ruby gems are not commonly assigned CVE IDs (pip packages, for example, get CVEs and it's easy to follow).

How do you guys keep your packages secure? I am aware of the commercial services that solve this issue (snyk, nodesecurity) but I am looking for a free solution
======
itsmrwave
For gems I use `bundler-audit`, see: [https://github.com/rubysec/bundler-audit](https://github.com/rubysec/bundler-audit)

It checks for vulnerable versions of gems in `Gemfile.lock`, checks for
insecure gem sources, allows ignoring certain advisories that have been
manually worked around, prints advisory information and does not require a
network connection.
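For readers who want to see what the two checks in the comment above actually amount to, here is an added example, not code from bundler-audit or from the commenter: a minimal audit of a `Gemfile.lock` against a constructed advisory list in the shape of the ruby-advisory-db entries bundler-audit consults (a list of `patched_versions` requirements per gem). The lockfile, gem names, versions and advisory identifiers are all made up for illustration; a real run would load the advisory database from disk instead of the `ADVISORIES` constant.

```ruby
# Added example: a simplified version of what bundler-audit does with a
# Gemfile.lock. Not bundler-audit's own code. All gem names, versions and
# advisory ids below are constructed for illustration.
require "rubygems"

# Constructed advisories. ruby-advisory-db records "patched_versions" as gem
# requirement strings; a locked version is vulnerable when it satisfies none.
ADVISORIES = [
  { gem: "examplegem", id: "EXAMPLE-0001", title: "Hypothetical XML parsing flaw",
    patched_versions: [">= 1.8.1"] },
  { gem: "otherlib", id: "EXAMPLE-0002", title: "Hypothetical header injection",
    patched_versions: ["~> 2.0.5", ">= 2.1.2"] },
].freeze

# Constructed Gemfile.lock. Note the plain-http gem source.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: http://rubygems.org/
    specs:
      examplegem (1.8.0)
        fakeportile (~> 2.2)
      otherlib (2.0.4)
      safegem (3.1.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    examplegem
    otherlib
    safegem

  BUNDLED WITH
     1.15.4
LOCK

# Parse the "specs:" section into {gem name => Gem::Version}. Locked gems are
# the four-space indented "name (version)" lines; the six-space lines beneath
# them are their dependencies and are skipped.
def lock_specs(lockfile_text)
  specs = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    in_specs = false if in_specs && !line.start_with?("    ")
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      specs[m[1]] = Gem::Version.new(m[2])
    end
  end
  specs
end

# Gem sources fetched over a channel that does not authenticate the server.
def insecure_sources(lockfile_text)
  lockfile_text.scan(/^\s*remote: (\S+)/).flatten
               .select { |url| url.start_with?("http://", "git://") }
end

# Vulnerable when the locked version satisfies none of the patched ranges.
def vulnerable?(version, patched_versions)
  patched_versions.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Advisories that affect the locked versions, minus ids the caller has reviewed
# and chosen to ignore (the equivalent of bundler-audit's --ignore).
def audit(lockfile_text, advisories: ADVISORIES, ignore: [])
  specs = lock_specs(lockfile_text)
  advisories.select do |adv|
    version = specs[adv[:gem]]
    version && !ignore.include?(adv[:id]) && vulnerable?(version, adv[:patched_versions])
  end
end

if __FILE__ == $PROGRAM_NAME
  insecure_sources(SAMPLE_LOCK).each { |u| puts "Insecure Source URI found: #{u}" }
  audit(SAMPLE_LOCK).each do |adv|
    puts "#{adv[:gem]} #{lock_specs(SAMPLE_LOCK)[adv[:gem]]}: #{adv[:id]} #{adv[:title]}"
  end
end
```

Everything here runs offline because the advisory list is embedded; the only piece that needs a network in the real tool is refreshing the advisory database, which is why the "no network connection" property above holds for the check itself and not for keeping the database current.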

~~~
bazzargh
One of my workmates open-sourced this:
[https://github.com/livingsocial/bundler-patch](https://github.com/livingsocial/bundler-patch)

...which is mostly what we used internally for working with bundler-audit. We
ran this scan in CI, on deploy, and also on a cron for apps that might not
have deployed in a while. Internally this created PRs automatically, and PRs
triggered CI, so e.g. when a nokogiri CVE was announced (which affects a lot of
projects), all apps would have tested PRs ready to merge.

That piece wasn't open-sourced I think...it's fairly trivial but I'll see if I
can get it released. We also did scans on clojure projects, again I'm not sure
that's made it out into the world, I'll look into it.

~~~
bazzargh
The clojure piece - I'd just forgotten the name.
[https://github.com/livingsocial/lein-dependency-check](https://github.com/livingsocial/lein-dependency-check)

------
nooyurrsdey
Not sure about node but for Rails, Hakiri has been pretty useful -

[https://hakiri.io/](https://hakiri.io/)

It's set up as a github webhook to run as part of your build, and it usually
flags vulnerabilities in recent gems or Rails versions.

------
notsrg
This cli is free and easy to add to a CI pipeline:
[https://github.com/nodesecurity/nsp](https://github.com/nodesecurity/nsp)

------
febeling
[https://www.versioneye.com](https://www.versioneye.com) is great, they
support many languages, and maintain a checksum database for libs

------
dankohn1
[https://gemnasium.com/](https://gemnasium.com/) emails you when a security
vulnerability arises. Otherwise, the badge on the readme changes yellow when
you're out of date and red when there's a vulnerability. Free for open source.

See [https://github.com/coreinfrastructure/best-practices-badge#c...](https://github.com/coreinfrastructure/best-practices-badge#core-infrastructure-initiative-best-practices-badge) for an example.

------
vinniecenter
[https://snyk.io/](https://snyk.io/)

~~~
joatmon-snoo
OP specifically mentions this as something he already knows about. Not a very
useful suggestion.

~~~
zbjornson
OP ruled it out because it's not free, but private projects are free for low-volume testing.

------
alvesjtiago
Hi, I've recently started a new project called Octotrack
([http://octotrack.tiagoalves.me](http://octotrack.tiagoalves.me)) with two
main goals:

1) Manage dependencies (right now only gems), showing security issues (CVEs), gem version comparisons, release notes, etc.

2) Daily newsletter to find the best repositories on Github (starred repos from the people you follow, daily trending repos and new releases of repos you've starred).

It is still a very early project so it would be great to get your feedback.

Thank you

------
dannysu
For node, isn't nsp already free to use?

[https://github.com/nodesecurity/nsp](https://github.com/nodesecurity/nsp)

------
cmalpeli
Sqreen.io does this for ruby gems as part of its offering.

------
yomly
Does anyone have a solution to this for Clojure/Lein?

~~~
__s
[https://news.ycombinator.com/item?id=15110665](https://news.ycombinator.com/item?id=15110665)

------
gwright
For ruby gems: [https://www.deppbot.com](https://www.deppbot.com)

Deppbot periodically runs bundle update and creates a pull request for you to
review. They also track security releases and generate a pull request.

The description in the PR links to the gem changelogs, which makes it easy to
investigate and evaluate pending changes.

I would love to see a node version of this service.

------
AdamGibbins
[https://libraries.io/](https://libraries.io/)

~~~
meop
This is nice for keeping track of versions but it does not address the problem
of security issues

------
justinclift
Hmmm, anything equivalent for Go?

Vendoring in Go is nice and all, but it doesn't really touch on alerting for
when vendored (etc) packages announce security problems needing an upgrade.

To me, this seems like an actual problem the Go ecosystem could benefit from
addressing well. :)

------
voiper1
for Node.js:
[https://retirejs.github.io/retire.js/](https://retirejs.github.io/retire.js/)
which has many ways to use it: gulp, [https://www.npmjs.com/package/vile-retire](https://www.npmjs.com/package/vile-retire)

