Written by Pete Corey on Jun 20, 2016.

Meteor’s recent transition to using NPM modules has opened up a world of possibilities for Meteor developers. Unfortunately, with great power comes great responsibility.

Along with a host of new functionality, NPM packages also come with a world of vulnerabilities and security concerns. In fact, over 14% of all NPM modules have known vulnerabilities.

Node Security Project

Thankfully, there are teams and tools dedicated to tackling the problem of documenting and cataloging known Node.js module vulnerabilities. A very popular option for scanning and monitoring your NPM dependencies for known vulnerabilities is the Node Security Platform.

In its most basic form, NSP offers a command line tool that scans your package.json or your npm-shrinkwrap.json for know vulnerabilities.

Because all of your NPM dependencies are saved in the package.json file in your project root, using the nsp tool to scan your Meteor project for vulnerabilities is a simple process:


> cd $YOUR_METEOR_PROJECT
> nsp check
(+) No known vulnerabilities found

If NSP finds and vulnerable dependencies, you’ll be given more information and hopefully an upgrade patch that will fix the issue.

Snyk

Snyk is another tool designed to find vulnerable NPM dependencies within your Node.js project. The Snyk command line tool can be used just like the NSP command line tool:


> cd $YOUR_METEOR_PROJECT
> snyk test
✓ Tested ... for known vulnerabilities, no vulnerabilities found.

Snyk even lets you test GitHub repositories or individual NPM modules using their web tool.

I’m a big fan of Snyk. Their VulnDB is built on top of Node Security Project’s advisories database and is taking strides to improve and build upon that great foundation. At the time of writing this article, Snyk has documented 105 Node.js vulnerabilities in their vulnerability database.

The Snyk team also regularly posts insightful blog posts about a variety of security topics.

Meteor Package Dependencies

While NSP and Snyk are great options for testing your base project’s NPM dependencies for known vulnerabilities, there are other avenues for vulnerable Node packages to find their way into your Meteor project.

Pre-1.3 Meteor projects relied on using Meteor packages to pull in NPM dependencies or using the meteorhacks:npm package to simulate direct dependencies within the base project. Both of these techniques obfuscate the actual NPM dependencies being used and make it difficult to scan them using traditional techniques.

Check out my post on Scanning Meteor Projects for Node Vulnerabilities for information on writing a bash script to dive into a Meteor project’s build bundle to call nsp check or snyk test on a project’s entire dependency tree.

Final Thoughts

Both the Node Security Platform and Snyk offer fantastic tools for scanning your Node.js and Meteor projects for known vulnerabilities. I recommend you pick one of these two tools and incorporate this type of vulnerability scanning into your development, deployment, and continuous integration workflow.

Using Snyk or NSP with a Meteor-specific vulnerability scanning tool such as Package Scan will help give you some peace of mind as you move forward developing fantastic Meteor applications.