JavaScript support in Meterian.

JavaScript client libraries, used on websites.

As you know, a number of JavaScript libraries are used on the web in HTML pages: they make your website more attractive and let it interact with server-side APIs seamlessly. But how many of them are vulnerable?

The most recent research paper on the subject, titled “Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web” (downloadable here), provides a very scary view of the current state of the websites you frequently visit: more than a third of them may include a JavaScript library that’s vulnerable to one or more security flaws. To be precise, 37% of the scanned websites use at least one vulnerable library, 10% use two or more vulnerable libraries, and many websites still use libraries that are no longer maintained.

If you are using libraries like jQuery, Handlebars, AngularJS, or in general any popular client library, you can potentially be exposed to a vulnerability.

 

JavaScript NodeJS libraries, used on servers.

The same issue is, of course, present on the server side, with a constantly increasing number of vulnerabilities detected in such packages. NodeJS is an excellent engine to run JavaScript, but your server-side application may end up using hundreds of libraries (remember, each dependency has its own dependencies, recursively), and any of them may contain a vulnerability.
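The recursive dependency point above, as an added example (not Meterian's code and not from the original post): it walks the `packages` map of an npm lockfile the way Node resolves modules and reports the chain that pulls in a package matching an advisory. The package names, versions and the advisory `EXAMPLE-0001` are constructed, and matching on an exact version is a simplification of the version ranges real advisories use.

```javascript
// Constructed sample shaped like npm's package-lock.json (lockfileVersion 3); all names are made up.
const lock = { packages: {
  "": { name: "shop-api", dependencies: { "web-fw": "^2.0.0", "log-lib": "^1.0.0" } },
  "node_modules/web-fw": { version: "2.1.0", dependencies: { "body-parse": "^1.0.0", "tpl-engine": "^3.0.0" } },
  "node_modules/log-lib": { version: "1.4.2", dependencies: { "tpl-engine": "^4.0.0" } },
  "node_modules/body-parse": { version: "1.2.0", dependencies: { "qs-lite": "^0.5.0" } },
  "node_modules/qs-lite": { version: "0.5.1" },
  "node_modules/tpl-engine": { version: "3.0.9" },
  // log-lib needs a different major version, so npm nests a second copy under it
  "node_modules/log-lib/node_modules/tpl-engine": { version: "4.0.0" },
} };
// Constructed advisory list; exact-version matching is a simplification (assumption).
const advisories = [{ name: "qs-lite", version: "0.5.1", id: "EXAMPLE-0001" }];

// Node-style resolution: try the requiring package's own node_modules, then each ancestor's.
function resolveDep(packages, from, name) {
  let base = from;
  while (true) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // declared but not installed (e.g. optional dependency)
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Breadth-first walk from the root project, recording the chain that pulled each package in.
function walk(packages) {
  const seen = new Map([["", { chain: [] }]]);
  const queue = [""];
  while (queue.length) {
    const from = queue.shift();
    for (const name of Object.keys(packages[from].dependencies || {})) {
      const target = resolveDep(packages, from, name);
      if (target === null || seen.has(target)) continue;
      const version = packages[target].version;
      seen.set(target, { name, version, chain: [...seen.get(from).chain, name + "@" + version] });
      queue.push(target);
    }
  }
  return [...seen.values()].slice(1); // drop the root project itself
}

// Report every installed package that matches an advisory, with how it got there.
function findVulnerable(packages, advisories) {
  return walk(packages).flatMap(p => advisories
    .filter(a => a.name === p.name && a.version === p.version)
    .map(a => ({ id: a.id, direct: p.chain.length === 1, chain: p.chain.join(" > ") })));
}
console.log(findVulnerable(lock.packages, advisories));
```

The project declares two dependencies but installs six packages, and the flagged one sits two levels below anything listed in its own `package.json`.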

Meterian uses a variety of reliable sources to ensure your server does not end up embedding a vulnerable NodeJS library, and it aggregates the contents of several databases to maximise coverage. With an average of 10 new vulnerabilities published every month, you certainly need to keep a close eye on your NodeJS projects.

 

We are here to help.

Meterian will help you detect the offending components that need to be upgraded, with clear feedback on why you need to do so. We strongly advise you to download our client and check your project, today! But remember, one single scan will not solve your problem: make sure you add it to your pipeline so that you can avoid the risk of shipping vulnerable software.

 

 
