{% extends 'core/Vulnerable and Outdated Components/VulnerableOutdated.html' %} {% load static %}
Now that we know how to find our dependencies, finding vulnerabilities in them shouldn't be an issue. First,
you should remove all the dependencies, components, and unnecessary files you are not using. Once you have done that, let's
look at what we have left. For help, we can use tools like NIST,
MITRE, or for NPM packages
snyk and snyk Vulnerability DB, to search for
vulnerabilities in our libraries. As for the version of your dependencies, you can either check them manually or use
tools for dependency checking like check-outdated or
OWASP Dependency-Check.
You can use tools that will do the updating for you, like
adamchainz/django-upgrade
.
Overall, you should be very careful with your dependencies to not open unwanted back doors for pesky attackers.
Now let's use one of the tools as an example with this project. We will use the check-outdated library.
npx check-outdated --ignore-pre-releases --ignore-dev-dependencies --ignore-packages package1,package2
--columns name,type,current,latest,changes
With results being:
The project has one outdated dependency. Let's check if we can use the older version or if we have to update it immediately. For this package, we can use snyk and snyk Vulnerability DB. First, we can check if the package is still receiving support or is generally active and used. And then if the version we are using has any potential risks.
As we can see, the Flowbite package is rising in popularity and still receiving support. Now let's check, most importantly, if it has any vulnerabilities.
Those are some great news! Our package is not only popular but also safe. If updating packages is difficult
for your project, dependencies like these are not a big issue. However, when there is an opportunity to
update them, do so immediately.
Always be careful with your packages and update them regularly.