
Does `npm audit` add any value when using `dependabot`?

DevOps Asked on August 22, 2021

Context

There are multiple ways to scan projects for vulnerabilities.

Dependabot can be configured to check repositories for issues and automatically submit pull requests to resolve them.

NPM Audit will scan the packages used in an NPM solution for known vulnerabilities.

We’re trying to work out whether, if Dependabot is enabled, there’s any added value to using NPM Audit in our pipelines. I’m asking this solely from the perspective of what’s detected; not how the tools work (i.e. whether they can cause a pipeline to block/fail).

The actual question

Do both tools base their decisions on some common known-issue database, or is it common to see each tool detect different sets of problems?

One Answer

Dependabot and npm audit both poll the Node Security Working Group database for Node-based projects. However, Dependabot has the added ability to check dependencies in numerous other types of projects as well.

Also, each report Dependabot generates includes useful info and links directly to a GitHub Advisory Database listing (e.g., CVE-2017-16021) that itself has multiple links to other listings such as NIST. On the other hand, npm audit's reporting is limited to a single link to an npm advisory listing with far less info (e.g., #100).

Overall, Dependabot covers all the bases — and more — that npm audit does. No need to use both unless you need a customized audit flow in your package scripts.

Correct answer by Adam on August 22, 2021
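The question asked is empirical for any given repository: do the two tools flag the same advisories or not? Below is an added example, not part of the original post or answer, that answers it by keying both tools' findings on the GHSA identifier each of them carries and diffing the sets. It assumes the documented JSON shape of `npm audit --json` (`auditReportVersion` 2, where each vulnerable package lists its advisories under `via` and a plain string in `via` is a pointer to another vulnerable package rather than an advisory) and the shape returned by GitHub's `GET /repos/{owner}/{repo}/dependabot/alerts` endpoint. The two documents embedded below are constructed samples with fictional package names and placeholder GHSA ids; on a real project you would produce them with `npm audit --json > audit.json` and `gh api repos/OWNER/REPO/dependabot/alerts --paginate > alerts.json` and load those files instead.

```javascript
// Added example (not from the original post): diff the advisories reported by
// `npm audit --json` against open Dependabot alerts, matched on GHSA id.

// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2).
// Package names and GHSA ids are placeholders, not real advisories.
const npmAuditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "sample-parser": {
      name: "sample-parser", severity: "high", isDirect: true,
      via: [{ source: 1001, name: "sample-parser", dependency: "sample-parser",
              title: "Sample advisory 1",
              url: "https://github.com/advisories/GHSA-aaaa-0001-0001",
              severity: "high", range: "<2.1.0" }],
      effects: [], range: "<2.1.0", nodes: ["node_modules/sample-parser"], fixAvailable: true
    },
    "sample-minifier": {
      name: "sample-minifier", severity: "moderate", isDirect: false,
      via: [{ source: 1002, name: "sample-minifier", dependency: "sample-minifier",
              title: "Sample advisory 2",
              url: "https://github.com/advisories/GHSA-aaaa-0002-0002",
              severity: "moderate", range: "<1.4.2" }],
      effects: ["sample-build-tool"], range: "<1.4.2",
      nodes: ["node_modules/sample-minifier"], fixAvailable: true
    },
    "sample-build-tool": {
      name: "sample-build-tool", severity: "moderate", isDirect: true,
      // A string entry means "vulnerable only because it depends on sample-minifier";
      // it carries no advisory of its own and must not be counted twice.
      via: ["sample-minifier"],
      effects: [], range: "*", nodes: ["node_modules/sample-build-tool"], fixAvailable: true
    }
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 2, high: 1, critical: 0, total: 3 } }
};

// Constructed sample in the shape of GET /repos/{owner}/{repo}/dependabot/alerts.
// `cve_id` is null here; the real endpoint carries the CVE when one exists.
const dependabotAlerts = [
  { number: 1, state: "open",
    dependency: { package: { ecosystem: "npm", name: "sample-parser" }, manifest_path: "package-lock.json" },
    security_advisory: { ghsa_id: "GHSA-aaaa-0001-0001", cve_id: null, summary: "Sample advisory 1", severity: "high" },
    security_vulnerability: { vulnerable_version_range: "< 2.1.0", first_patched_version: { identifier: "2.1.0" } } },
  { number: 2, state: "open",
    dependency: { package: { ecosystem: "npm", name: "sample-http-client" }, manifest_path: "package-lock.json" },
    security_advisory: { ghsa_id: "GHSA-aaaa-0003-0003", cve_id: null, summary: "Sample advisory 3", severity: "moderate" },
    security_vulnerability: { vulnerable_version_range: "< 0.9.0", first_patched_version: { identifier: "0.9.0" } } },
  { number: 3, state: "dismissed", dismissed_reason: "tolerable_risk",
    dependency: { package: { ecosystem: "npm", name: "sample-logger" }, manifest_path: "package-lock.json" },
    security_advisory: { ghsa_id: "GHSA-aaaa-0004-0004", cve_id: null, summary: "Sample advisory 4", severity: "low" },
    security_vulnerability: { vulnerable_version_range: "< 3.0.1", first_patched_version: { identifier: "3.0.1" } } }
];

// Normalise a GHSA id to "GHSA-" plus lowercase body so both sources key identically.
function normalizeGhsa(text) {
  const m = /GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}/i.exec(text || "");
  return m ? "GHSA-" + m[0].slice(5).toLowerCase() : null;
}

// Map GHSA id -> finding from an npm audit report. Advisories live in `via`;
// string entries are transitive pointers and are skipped.
function npmAuditAdvisories(report) {
  const out = new Map();
  for (const [pkg, vuln] of Object.entries(report.vulnerabilities || {})) {
    for (const via of vuln.via || []) {
      if (typeof via !== "object" || via === null) continue;
      const id = normalizeGhsa(via.url);
      if (!id) continue; // advisory without a GHSA link cannot be matched on this key
      out.set(id, { package: via.name || pkg, severity: via.severity, range: via.range, url: via.url });
    }
  }
  return out;
}

// Map GHSA id -> finding from Dependabot alerts. Only open alerts count;
// dismissed and fixed ones are not current findings.
function dependabotAdvisories(alerts) {
  const out = new Map();
  for (const alert of alerts) {
    if (alert.state !== "open") continue;
    const id = normalizeGhsa(alert.security_advisory && alert.security_advisory.ghsa_id);
    if (!id) continue;
    out.set(id, { package: alert.dependency.package.name,
                  severity: alert.security_advisory.severity,
                  range: alert.security_vulnerability.vulnerable_version_range });
  }
  return out;
}

// Partition the union of advisory ids into seen-by-both, npm-audit-only, Dependabot-only.
function compareFindings(report, alerts) {
  const fromNpm = npmAuditAdvisories(report);
  const fromDependabot = dependabotAdvisories(alerts);
  const both = [], npmOnly = [], dependabotOnly = [];
  for (const id of fromNpm.keys()) (fromDependabot.has(id) ? both : npmOnly).push(id);
  for (const id of fromDependabot.keys()) if (!fromNpm.has(id)) dependabotOnly.push(id);
  return { both: both.sort(), npmOnly: npmOnly.sort(), dependabotOnly: dependabotOnly.sort() };
}

console.log(JSON.stringify(compareFindings(npmAuditReport, dependabotAlerts), null, 2));
```

Run it against your own exported files and the `npmOnly` and `dependabotOnly` lists tell you directly whether the two tools disagree on that repository. Two design choices matter: findings are matched on GHSA id rather than package name, so one package with several advisories is counted per advisory; and only `open` Dependabot alerts are included, so an alert someone dismissed in the GitHub UI will show up as `npmOnly`, which is usually the first thing worth explaining when the sets differ.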
