January 2023

A study of missing npm vulnerability backports - another reason to apply major updates

By Martin Torp
Cofounder of Coana
PhD in Computer Science

Ignoring npm audit warnings can be tempting, especially for frontend developers, but it's important to pay attention to them, as [this great blog post](https://debricked.com/blog/frontend-security-vulnerabilities/) from Debricked argues. You might have tried `npm audit fix` to remove the warnings and then found that no fix was available for some of the vulnerabilities. There can be many reasons for this. Maybe you depend on package *A*, which in turn depends on a vulnerable version of package *B*. Even if a non-vulnerable version of *B* is available, it may fall outside the version range that *A* declares for *B*, or be genuinely incompatible with *A*; `npm audit fix` will not cross a major version boundary on its own (only `npm audit fix --force` does, at the risk of breaking *A*), so the vulnerability stays unfixed.

Another reason a fix is not possible is that package developers don't always backport security fixes. If a vulnerability affects all versions of a package *A* up to and including 3.0.0, but the fix is only available in version 3.0.1, projects using version 2.1.0 cannot get the fix without going through the hassle of a major upgrade to the 3.x line of *A*. At Coana, we recently conducted a small study to try to understand the extent of this problem.

We wrote a small scraper to go through the (as of this writing) 10672[^1] npm advisory reports in the [GitHub Advisory Database](https://github.com/advisories), where npm audit gets its vulnerability data.
We found that of the 1515 vulnerabilities that also affect old major versions (like the example with *A* above), only 546 had backports. In other words, for 64% of all vulnerabilities where backports would be relevant, package maintainers don't create them.
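To make the two situations above concrete, here is an added example (not the post's own scraper, and not Coana's analysis code) that classifies an advisory the way the study's numbers suggest: for every package in the advisory, which affected major lines have no patched release at all, and whether a patched release of *B* can satisfy the range *A* declares for it. The advisory shape is modelled on the GitHub Advisory Database API fields `vulnerable_version_range` and `first_patched_version`; the advisories, package names and declared ranges below are constructed for the example. The range matcher also expands `^` and `~` the way npm does, so the same code serves advisory ranges and package.json ranges.

```javascript
// Added example: classify an advisory by missing backports and check whether a
// patched version fits a dependent's declared range. Advisory shape modelled on
// the GitHub Advisory Database API; all data below is constructed, not real.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// "< 3.0.1", ">= 2.0.0, < 2.1.5", "^2.1.0" or "~1.4.2" -> [{op, version}] comparators.
// Caret/tilde are expanded with npm's rules (^0.x.y and ^0.0.z are narrower).
function parseRange(range) {
  const out = [];
  for (const part of range.split(',')) {
    const m = /^\s*(<=|>=|<|>|=|\^|~)?\s*v?(\d+\.\d+\.\d+)\s*$/.exec(part);
    if (!m) throw new Error(`unsupported comparator: ${part}`);
    const op = m[1] || '=';
    const ver = parseVersion(m[2]);
    if (op === '^' || op === '~') {
      const [maj, min, pat] = ver;
      let upper;
      if (op === '~' || (maj === 0 && min > 0)) upper = [maj, min + 1, 0];
      else if (maj > 0) upper = [maj + 1, 0, 0];
      else upper = [0, 0, pat + 1];
      out.push({ op: '>=', version: ver }, { op: '<', version: upper });
    } else {
      out.push({ op, version: ver });
    }
  }
  return out;
}

function satisfies(version, comparators) {
  return comparators.every(({ op, version: bound }) => {
    const c = compareVersions(version, bound);
    if (op === '<') return c < 0;
    if (op === '<=') return c <= 0;
    if (op === '>') return c > 0;
    if (op === '>=') return c >= 0;
    return c === 0;
  });
}

// True if the interval [major.0.0, (major+1).0.0) contains a version that meets
// every comparator, i.e. the major line has at least one vulnerable release.
function majorIsAffected(major, comparators) {
  let lo = [major, 0, 0], loIncl = true;
  let hi = [major + 1, 0, 0], hiIncl = false;
  for (const { op, version: b } of comparators) {
    if (op === '>' || op === '>=' || op === '=') {
      const c = compareVersions(b, lo);
      if (c > 0 || (c === 0 && op === '>')) { lo = b; loIncl = op !== '>'; }
    }
    if (op === '<' || op === '<=' || op === '=') {
      const c = compareVersions(b, hi);
      if (c < 0 || (c === 0 && op === '<')) { hi = b; hiIncl = op !== '<'; }
    }
  }
  const c = compareVersions(lo, hi);
  return c < 0 || (c === 0 && loIncl && hiIncl);
}

// Per package: affected major lines (scanned up to the highest major the advisory
// names) that have no first_patched_version in that line, i.e. missing backports.
function missingBackports(advisory) {
  const byPackage = new Map();
  for (const v of advisory.vulnerabilities) {
    const name = v.package.name;
    const e = byPackage.get(name) || { sets: [], patchedMajors: new Set(), top: 0 };
    const cs = parseRange(v.vulnerable_version_range);
    e.sets.push(cs);
    for (const { version } of cs) e.top = Math.max(e.top, version[0]);
    if (v.first_patched_version) {
      const p = parseVersion(v.first_patched_version);
      e.patchedMajors.add(p[0]);
      e.top = Math.max(e.top, p[0]);
    }
    byPackage.set(name, e);
  }
  const result = {};
  for (const [name, e] of byPackage) {
    result[name] = [];
    for (let major = 0; major <= e.top; major++) {
      const affected = e.sets.some((cs) => majorIsAffected(major, cs));
      if (affected && !e.patchedMajors.has(major)) result[name].push(major);
    }
  }
  return result;
}

// The npm audit fix situation: package A declares `declaredRange` on `packageName`.
// Returns the first patched version that fits the range, or null if the fix
// would require a major bump of the dependency (and likely of A).
function patchedVersionWithin(declaredRange, advisory, packageName) {
  const cs = parseRange(declaredRange);
  for (const v of advisory.vulnerabilities) {
    if (v.package.name !== packageName || !v.first_patched_version) continue;
    if (satisfies(parseVersion(v.first_patched_version), cs)) return v.first_patched_version;
  }
  return null;
}

// Constructed advisories (hypothetical packages, not real GHSA entries).
const noBackport = { vulnerabilities: [
  { package: { ecosystem: 'npm', name: 'pkg-a' }, vulnerable_version_range: '< 3.0.1', first_patched_version: '3.0.1' },
] };
const withBackports = { vulnerabilities: [
  { package: { ecosystem: 'npm', name: 'pkg-b' }, vulnerable_version_range: '>= 2.0.0, < 2.1.5', first_patched_version: '2.1.5' },
  { package: { ecosystem: 'npm', name: 'pkg-b' }, vulnerable_version_range: '>= 1.0.0, < 1.8.3', first_patched_version: '1.8.3' },
] };

console.log(missingBackports(noBackport));    // { 'pkg-a': [ 0, 1, 2 ] }
console.log(missingBackports(withBackports)); // { 'pkg-b': [] }
console.log(patchedVersionWithin('^2.1.0', noBackport, 'pkg-a'));   // null
console.log(patchedVersionWithin('^2.1.0', withBackports, 'pkg-b')); // '2.1.5'
```

Two caveats: the advisory only records the *first* patched version per line, so a later release in the same major also counts as a fix when checking a caret range, and the 0.x lines show up as "missing" whenever an advisory's range reaches down to them, which is one reason such counts need a policy on how far back a backport is reasonably expected.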

There may be several reasons why package maintainers **don't** create backports, including:

- It's too time-consuming.
- Most developers have already upgraded to the newest major.
- It encourages developers to upgrade to the newest major.

Whatever the reason, *missing backports* highlight why keeping dependencies up to date is important. Projects where developers neglect dependency updates (especially major updates) may reach a state where addressing vulnerability alarms is very difficult and time-consuming.
My preferred way to mitigate this issue is to schedule a monthly, or maybe even yearly, session where I go through the dependencies of my projects (see [this blog post](https://www.coana.tech/post/hidden-gems-in-npm)) and try to bump as many dependencies as possible to the latest major.

[^1]: Includes both reviewed and unreviewed advisory reports.

Credits to [Autriche Kabwe Sango](https://www.linkedin.com/in/autriche-kabwe-sango-336923120/) for writing the audit analysis code.
