Does `npm audit` add any value when using `dependabot`
Problem
Context
There are multiple ways to scan projects for vulnerabilities.
Dependabot can be configured to check repositories for issues, and automatically submits pull requests to resolve them.
NPM Audit will scan the packages used in an NPM solution for known vulnerabilities.
We're trying to work out whether, if Dependabot is enabled, there's any added value to using NPM Audit in our pipelines. I'm asking this solely from the perspective of what's detected, not how the tools work (i.e. whether they can cause a pipeline to block/fail).
The actual question
Do both tools base their decisions on some common known-issue database, or is it common to see each tool detect different sets of problems?
Solution
Dependabot and `npm audit` both poll the Node Security Working Group database for Node-based projects. However, Dependabot has the added ability to check dependencies in numerous other types of projects as well.
Also, each report Dependabot generates includes useful info and links directly to a GitHub Advisory Database listing (e.g., CVE-2017-16021) that itself has multiple links to other listings such as NIST. On the other hand, `npm audit`'s reporting is limited to a single link to an npm advisory listing with far less info (e.g., #100).
Overall, Dependabot covers all the bases — and more — that `npm audit` does. No need to use both unless you need a customized audit flow in your package scripts.
Update
As of 7 October 2021, both methods provide info from the GitHub Advisory Database. From the links above, you can see that former npmjs.org listings now redirect to GitHub. The other points I made still stand after this change.
Context
StackExchange DevOps Q#12017, answer score: 8
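The answer above says both tools now draw on the GitHub Advisory Database, which makes the GHSA id the natural key for checking, in your own repository, whether the two tools actually flag the same set of advisories. The script below is an added example written for this page, not code from the question, the answer or either tool. It assumes the `npm audit --json` report format introduced with npm 7 (`auditReportVersion: 2`, where each `via` entry is either an advisory object with a `url` or a plain string naming the dependency through which the vulnerability is inherited) and the Dependabot alert shape returned by the GitHub REST endpoint `GET /repos/{owner}/{repo}/dependabot/alerts` (`security_advisory.ghsa_id`, `state`, `dependency.package.ecosystem`). All package names and GHSA ids in the embedded samples are constructed placeholders, not real advisories.

```javascript
// Added example, not part of the original Q&A. Compares the advisories that
// `npm audit --json` reports with the open Dependabot alerts for the same repo,
// keyed by GitHub Security Advisory (GHSA) id. Sample inputs are constructed.

// Constructed stand-in for `npm audit --json` output (report version 2, npm 7+).
const SAMPLE_NPM_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-parser": {
      name: "example-parser",
      severity: "high",
      isDirect: true,
      via: [
        {
          source: 1001,
          name: "example-parser",
          dependency: "example-parser",
          title: "Prototype pollution (constructed sample)",
          url: "https://github.com/advisories/GHSA-aaaa-bbbb-cccc", // placeholder id
          severity: "high",
          range: "<2.0.1",
        },
      ],
      effects: ["example-cli"],
      range: "<2.0.1",
      nodes: ["node_modules/example-parser"],
      fixAvailable: true,
    },
    "example-cli": {
      name: "example-cli",
      severity: "high",
      isDirect: true,
      // A string entry means this package is only affected through a dependency;
      // the advisory itself is listed under that dependency, so skipping strings
      // avoids counting the same GHSA twice.
      via: ["example-parser"],
      effects: [],
      range: "*",
      nodes: ["node_modules/example-cli"],
      fixAvailable: true,
    },
    "example-logger": {
      name: "example-logger",
      severity: "moderate",
      isDirect: false,
      via: [
        {
          source: 1002,
          name: "example-logger",
          dependency: "example-logger",
          title: "ReDoS (constructed sample)",
          url: "https://github.com/advisories/GHSA-dddd-eeee-ffff", // placeholder id
          severity: "moderate",
          range: "<1.4.0",
        },
      ],
      effects: [],
      range: "<1.4.0",
      nodes: ["node_modules/example-logger"],
      fixAvailable: false,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 2, critical: 0, total: 3 } },
};

// Constructed stand-in for Dependabot alerts from the GitHub REST API
// (GET /repos/{owner}/{repo}/dependabot/alerts); only the fields used here.
const SAMPLE_DEPENDABOT_ALERTS = [
  { number: 1, state: "open", security_advisory: { ghsa_id: "GHSA-aaaa-bbbb-cccc", severity: "high" },
    dependency: { package: { ecosystem: "npm", name: "example-parser" } } },
  { number: 2, state: "open", security_advisory: { ghsa_id: "GHSA-9999-8888-7777", severity: "low" },
    dependency: { package: { ecosystem: "npm", name: "example-util" } } },
  { number: 3, state: "dismissed", security_advisory: { ghsa_id: "GHSA-1111-2222-3333", severity: "low" },
    dependency: { package: { ecosystem: "pip", name: "example-py" } } },
];

const GHSA_RE = /GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}/;

// Collect the GHSA ids named in an npm audit v2 report's advisory URLs.
function ghsaIdsFromNpmAudit(report) {
  const ids = new Set();
  for (const vuln of Object.values(report.vulnerabilities ?? {})) {
    for (const via of vuln.via ?? []) {
      if (typeof via !== "object" || via === null) continue; // transitive reference, not an advisory
      const m = GHSA_RE.exec(via.url ?? "");
      if (m) ids.add(m[0]);
    }
  }
  return ids;
}

// Collect GHSA ids from Dependabot alerts, restricted to one ecosystem and
// (by default) to alerts that are still open, so dismissed ones do not skew the diff.
function ghsaIdsFromDependabot(alerts, { ecosystem = "npm", openOnly = true } = {}) {
  const ids = new Set();
  for (const a of alerts) {
    if (openOnly && a.state !== "open") continue;
    if (a.dependency?.package?.ecosystem !== ecosystem) continue;
    ids.add(a.security_advisory.ghsa_id);
  }
  return ids;
}

function diffFindings(npmIds, dependabotIds) {
  const only = (a, b) => [...a].filter((x) => !b.has(x)).sort();
  return {
    both: [...npmIds].filter((x) => dependabotIds.has(x)).sort(),
    npmOnly: only(npmIds, dependabotIds),
    dependabotOnly: only(dependabotIds, npmIds),
  };
}

function compareSamples() {
  return diffFindings(ghsaIdsFromNpmAudit(SAMPLE_NPM_AUDIT), ghsaIdsFromDependabot(SAMPLE_DEPENDABOT_ALERTS));
}

console.log(JSON.stringify(compareSamples(), null, 2));
```

To run it against a real repository, replace the two constants with `npm audit --json` output and the JSON returned by `gh api repos/OWNER/REPO/dependabot/alerts` (the `gh` CLI pages the endpoint for you with `--paginate`). Anything that lands in `npmOnly` or `dependabotOnly` is exactly the "different sets of problems" the question asks about; with both tools fed from the same advisory database, the usual causes are timing (Dependabot scans on push and on a schedule, `npm audit` at the moment the pipeline runs) and scope (Dependabot alerts cover the whole repository, `npm audit` only the lockfile in the current working directory).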