Includes front-end JavaScript libraries with known security vulnerabilities: 12 vulnerabilities detected

I have recently audited my website and 12 vulnerabilities were detected, many of which are related to front-end JavaScript libraries with known security vulnerabilities. As we work to address these vulnerabilities, we would like to seek input from the community on the following question:

What steps can I take to mitigate the risks associated with front-end JavaScript libraries with known security vulnerabilities on our PHP website? Are there any best practices or tools that can help us detect and prevent such vulnerabilities in the future? We welcome any insights or recommendations from developers who have experience with securing PHP websites that utilize front-end JavaScript libraries.

There are going to be vulnerabilities, it is a part of life. But if you follow a few general tips, you can mitigate the problems and keep things secure.

  1. Reduce the number of front-end libraries you use. Obviously the fewer you use, the fewer can be vulnerable.

  2. Reduce your code footprint with smaller libraries and only what you absolutely need. Do you have a library that just sorts a list? Could you sort it with some other library you also have installed? Do you really need the sort? Less code is less code that can be exploited. Can you reduce their dependencies? Can one library that uses 100 dependencies be replaced with another that does the same thing with only 10?

  3. Go with active libraries that are being constantly reviewed and worked on. Then stay up to date with them with a regular update cycle.

Apply these three tips and you have less code to exploit, have a community helping you reduce discovered exploits and a regular cycle of making sure to patch what you have.

But like I said, vulnerabilities are a way of life for software development. Front-end JS libraries are notorious for these as well. All you can do is reduce the attack vector and stay patched up.


Also, remember that not all vulnerabilities are created equal. There was a thread a while ago where the OP was worried by a vulnerability in a library he was using, but ultimately this turned out to be a non-issue because of how and where he was using it. See here for details:

I tend to worry less about vulnerabilities in front-end code than back-end code, as the potential for damage is usually not as great.

Could you maybe post the results of the audit. I’d be interested to have a look. I guess you did this with npm or yarn, right?


Thanks for your reply. How can I know the active libraries? Actually I am not an expert in coding. Kindly, can you review and check the vulnerabilities that should cause the error in the front end?

Use as few libraries as possible. If you write all your code by yourself (and you are a good programmer) you have no problems.

Nah. That’s like saying I never write any code with bugs. Personally speaking, my code is full of them. I take your point that there is no need to install libraries for every small piece of functionality you require, but a lot of the more popular packages out there are battle tested, cover many edge cases which most devs wouldn’t consider and do receive security updates.

Well you posted about 12 vulnerabilities being detected. Where did you get that information?

That’s not really how it works. Normally, you would have a node_modules folder and a package.json file for a JavaScript-based application. You can run either node audit or yarn audit against the package-lock.json file and that will give you a report of what is vulnerable.
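Added example, not from the thread: a small Node script that takes the JSON an `npm audit --json` run produces (auditReportVersion 2, the shape npm 7 and later emit) and orders the findings for triage: highest severity first, direct dependencies ahead of transitive ones, with the kind of fix npm reports. The report embedded below is constructed sample data with made-up package names, not a real audit result.

```javascript
// Constructed sample in the `npm audit --json` (auditReportVersion 2) shape.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-sorter": {
      name: "example-sorter", severity: "high", isDirect: true, range: "<2.0.0",
      via: [{ title: "Prototype pollution (constructed advisory)", severity: "high" }],
      effects: [], nodes: ["node_modules/example-sorter"],
      // An object here means the fix needs a top-level dependency bump.
      fixAvailable: { name: "example-sorter", version: "2.0.1", isSemVerMajor: true },
    },
    "example-util": {
      name: "example-util", severity: "moderate", isDirect: false, range: "*",
      via: ["example-sorter"], // a string means "vulnerable only through that dependency"
      effects: ["example-sorter"], nodes: ["node_modules/example-util"], fixAvailable: false,
    },
    "example-devtool": {
      name: "example-devtool", severity: "critical", isDirect: true, range: "<1.4.0",
      via: [{ title: "Command injection (constructed advisory)", severity: "critical" }],
      effects: [], nodes: ["node_modules/example-devtool"], fixAvailable: true, // plain `npm audit fix`
    },
  },
};

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// true -> non-breaking fix; object -> dependency bump (maybe semver-major); false -> none.
function fixKind(fixAvailable) {
  if (fixAvailable === true) return "patch";
  if (fixAvailable && fixAvailable.isSemVerMajor) return "major-upgrade";
  return fixAvailable ? "upgrade" : "none";
}

// Findings ordered for triage: severity first, then direct dependencies (the ones
// you chose and can replace) before transitive ones pulled in by something else.
function triageAudit(report) {
  if (report.auditReportVersion !== 2) throw new Error("expected npm audit report version 2");
  const findings = Object.values(report.vulnerabilities).map((v) => ({
    name: v.name, severity: v.severity, direct: Boolean(v.isDirect),
    advisories: v.via.filter((x) => typeof x === "object").map((x) => x.title),
    fix: fixKind(v.fixAvailable),
  }));
  return findings.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] || b.direct - a.direct);
}

// Counts per severity, useful as a release gate (e.g. no critical/high allowed).
function countBySeverity(findings) {
  return findings.reduce((acc, f) => ({ ...acc, [f.severity]: (acc[f.severity] || 0) + 1 }), {});
}

for (const f of triageAudit(sampleReport))
  console.log(`${f.severity.padEnd(8)} ${f.direct ? "direct" : "transitive"} ${f.name} fix=${f.fix}`);
```

With a real report, pipe `npm audit --json` into a file and `JSON.parse` it in place of `sampleReport`; the same ordering then tells you which of the 12 findings sit in a library you picked yourself versus one dragged in transitively.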

OP has already said he’s not good at coding.

That’s what I want to say in a slightly sharp way. I hate the new mentality of programming, which is more or less a click-and-run of existing code. Vulnerabilities can only occur at two stages of your software:

  1. save data (file, database etc)
  2. accessing the network

So in a perfect world, I am the master of these two points and control every single byte which is used there. As I can’t do this in the real world, I should use as few libraries as possible which use these functions. But many libraries need to connect to the network even for totally silly things.

