DEV Community

Cover image for Block npm package threats using a dependency firewall
Daniel Parmenvik
Daniel Parmenvik

Posted on • Originally published at

Block npm package threats using a dependency firewall

If you've ever installed an npm package to JavaScript projects you doubtlessly have seen the status messages with a list of known vulnerabilities in the terminal output.

With npm, yarn or pnpm providing basic vulnerability information during package installation, it's hard to ignore how frequent vulnerabilities have become. That’s great service and security measure for the millions of daily users that rely on these tools for their projects.

added 57 packages and audited 3 packages in 107 s
2 critical severity vulnerabilities
Enter fullscreen mode Exit fullscreen mode

But what if you want to block threats before they even enter your supply chain? Maybe you prefer getting automatic notifications with critical issues instead of checking manually? Or, would like to avoid potential security risks that may be critical for certain environments?

And what happens when it's no longer a developer installing dependencies, but rather an automated environment? A key component of modern security tooling is to make sure threats are actively blocked, and you are notified of issues, even if no human is actively monitoring it.

Below I will introduce you to how to quarantine problematic packages using the dependency firewall in Bytesafe.

Whenever a critical vulnerability is detected you might want to take immediate actions so that your teams, environments and business are protected - so your software supply chain can remain secure. Go ahead to learn how to quarantine unwanted packages from entering your supply chain!

Quarantine in short

Quarantine allows you to automatically block the use of specific packages that surpass security threshold levels, for example npm packages with serious identified vulnerabilities. While simultaneously highlighting the issue for your teams to address instead of blocking (and hiding) them.

Quarantined deprecated packaget

This means that you’ll get a powerful tool to control allowed packages for all developers & systems while being very easy to use.

Why use automatic quarantine of problematic packages?

Secure usage of open source software is a necessity for modern organizations with cyber attacks becoming more and more of a common occurrence. And it's more than just an IT problem, with consequences that can potentially impact the whole organization.

At the same time every development team is required to balance productivity with security needs. So security solutions need to protect you while still allowing you to be productive.

Modern security problems require modern tooling. Efficient tooling that highlights potential issues while working within your regular workflow. Tooling like Bytesafe that continuously monitors your packages for issues and helps you stay secure.

Benefits of automatic quarantine of vulnerable packages

  1. Prevent malicious threats with a firewall for your supply chain. Quarantine packages according to your security thresholds. Automatically block the use of known vulnerable packages - while still securely holding the vulnerable version inside your Bytesafe workspace for you to address.

  2. Highlight security issues for remediation. Quarantine offers significant advantages to simply blocking packages outright. When a package is held securely within Bytesafe an issue will be created that notifies you of the problem. Allowing your team to easily and quickly remediate any issue and proceed with building awesome applications.

  3. Avoid getting overwhelmed with issues - configure your thresholds & rules. Reducing noise to a manageable level is critical for any team. Otherwise notifications of security issues will simply get ignored. With Bytesafe you can customize at what severity level you want packages to be quarantined. You can also decide to avoid quarantine for issues without patch versions solutions available - all to allow you to work efficiently with your supply chain security.

Areas in the development life cycle (test, builds, deploys etc) are increasingly being automated with minimum human interaction. Make sure to keep up and manage open source dependencies securely with the appropriate level of detection and protection from vulnerabilities.

Configurable security thresholds according to your business needs

The Vulnerability and License scanners allow you to define when you want to pull the handbrake and immediately throw a package in quarantine.

The vulnerable open source packages will be blocked from being used in your supply chain. This way you are effectively using Bytesafe as a firewall as a quarantined packaged cannot be used from the Bytesafe registry.

The plugin settings contain additional configuration for when you want a package to be quarantined. When the quarantine feature has been enabled, the default threshold is set to High. This means that packages with a severity level higher or equal to High will be placed in quarantine.

You can also configure to only quarantine packages if they have patch versions available, typically used when you want to be notified of problems but decide you want to continue your work without breaking any builds.

Quarantine settings

Visit Bytesafe documentation to learn more on how to configure quarantine for your needs.

Release a package from quarantine

In situations where you have evaluated the risks with a quarantined package and made an assessment to approve the use package you can easily release packages.

Releasing from the quarantine area means the package version will be flagged as safe to use. The package will be accessible from Bytesafe by all developers and environments.

Quarantined package

The activity log of any issues related to this package will also show that the package has been released from the quarantine.

Activity log of release from quarantine

Want to read more on how to control your software supply chain?

Stay up to date with other security related posts that might interest you:

How to use a secure by default solution for dependency confusion

How issue tracking across your registries helps you get an overview of what needs your attention

Follow Bytesafe on Twitter

Top comments (1)

sumstrm profile image
Andreas Sommarström

The flow with Issue detection -> Automatic quarantine (if needed) -> Issue tracking -> Notification is a real treat to work with.

Combine it with multiple registries (for each one of your applications) and you'll get a new level of insight into the packages you use.

I urge readers to give it a try.