It works both for client-side dependencies and Node.js dependencies.
You can find the demo project used in this blog post here.
- OWASP Top 10: using vulnerable dependencies
- Using retirejs from the command line
- Possible next steps
In this post I’ll look at one way of helping to prevent one of the risks described in the OWASP Top 10: using components with known vulnerabilities. If you’re unfamiliar with the concept, you can take a look at my post about solving this issue for a .NET project.
The command-line version can be installed using npm.
npm install -g retire
You can call retire by executing
in the command line.
You might prefer to keep it as a local dependency instead of a global one. You can do it like this:
npm install retire --save-dev
You can execute it like this:
You’ll notice that this is a bit inconvenient, so you can add a script to your package.json to make it easier to access.
Now you can run it by executing
npm run retire.
When we run it, we can see a list of vulnerabilities found in our project.
We can also redirect it to a file using the
You will probably get an output resembling this.
You could integrate running this process into your local development workflow, or integrate it into your build server. You could, for example, make your build fail based on the exit code retirejs returns. You could also include it in a Zed Attack Proxy scan (see my previous post about ZAP): there is a plugin that enables scanning client-side dependencies for vulnerabilities, and you can find out more about it here. At the time of writing, the plugin is still in alpha stage though.