The JavaScript ecosystem evolves at a pace like no other: new versions are constantly published for the more than 1.5 million publicly available npm packages.
As a consequence, a project that was state of the art when it was developed quickly becomes outdated. And there is no guarantee that a dependency that was free from known vulnerabilities yesterday will still be so today or a few days into the future.
The Bytesafe Dependency Checker scans your JavaScript project within seconds, with the results shown directly in your web browser. No prerequisite setup or configuration is needed, and the scan tells you whether your project is using outdated or vulnerable components.
All you need is the lock-file for your project: package-lock.json, yarn.lock or pnpm-lock.yaml, depending on which package manager you use. Grab one from your own environment or from your Git repository and upload it for a scan!
Dependency Checker is ideal for:
- Quick and easy point-in-time scans of a project's dependencies
- Identifying vulnerabilities in existing and deployed applications
- Getting an instant update on the application's security, without leaving the web browser
Identify configuration errors
In addition to security vulnerabilities, Dependency Checker also identifies potential configuration errors, such as multiple different registry URLs present in a lock-file. This usually signals a misconfiguration (packages resolved against different registries by different developers or build environments) and can lead to inconsistent package installs.
Turn results into actionable items
Have the results sent directly to you, so you can share them or take action yourself.
Need additional levels of detail? Sign up for the full Bytesafe platform to enable full-fledged issue management and continuous monitoring of dependencies.
The lock-file identifies the dependencies for your application
Lock-files (like package-lock.json) are used to recreate a specific state of dependencies.
Unlike the package.json file, which only gives basic information about a package and version ranges for its dependencies, a lock-file records the exact versions that were resolved at a previous point in time. It can therefore be used to reproduce the same dependency tree in a new environment, and it also tells us exactly which versions were used to build an already deployed application.
Lock-files are created and updated automatically when adding packages to a project, most commonly by npm install. They are also a prerequisite for using npm ci in automated environments, which installs exactly what the lock-file specifies and fails if the lock-file and package.json are out of sync.
# Lock-files provide version-specific information for each dependency (direct and transitive)
...
"node_modules/anymatch": {
  "version": "2.0.0",
  "resolved": "http://workspace.bytesafe.dev/r/example/-/pull/anymatch/2.0.0",
  "integrity": "sha512-*****",
  "dependencies": {
    "micromatch": "^3.1.4",
    "normalize-path": "^2.1.1"
  }
},
...
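The two points above, that a lock-file pins exact versions for every direct and transitive dependency, and that mixed registry URLs in one lock-file signal a configuration error, can be checked locally with a short script. The following is an added example written for this page, not Bytesafe's own code or the Dependency Checker's logic. It reads a package-lock.json in the lockfileVersion 2/3 layout (the "packages" map keyed by node_modules paths), lists each pinned package, and reports mixed registries, non-TLS "resolved" URLs, and missing or weak "integrity" hashes. The embedded lock-file, its package names and its hostnames are constructed sample data.

```javascript
// Added example (not Bytesafe's code): audit a package-lock.json for pinned
// versions and registry/integrity configuration problems.

// Constructed sample lock-file (lockfileVersion 3). Hosts, names and hashes
// are illustrative only; one entry deliberately mixes registries, one uses
// plain http, one uses sha1 and one has no integrity hash at all.
const SAMPLE_LOCK = {
  name: "example-app",
  version: "1.0.0",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0",
          dependencies: { anymatch: "^2.0.0", "left-pad": "^1.3.0" } },
    "node_modules/anymatch": {
      version: "2.0.0",
      resolved: "https://workspace.bytesafe.dev/r/example/-/pull/anymatch/2.0.0",
      integrity: "sha512-AAAA",
      dependencies: { micromatch: "^3.1.4", "normalize-path": "^2.1.1" } },
    "node_modules/micromatch": {
      version: "3.1.10",
      resolved: "https://registry.npmjs.org/micromatch/-/micromatch-3.1.10.tgz",
      integrity: "sha512-BBBB" },
    "node_modules/normalize-path": {
      version: "2.1.1",
      resolved: "http://registry.npmjs.org/normalize-path/-/normalize-path-2.1.1.tgz",
      integrity: "sha1-CCCC" },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://workspace.bytesafe.dev/r/example/-/pull/left-pad/1.3.0" }
  }
};

// Package name from a lock-file path such as "node_modules/a/node_modules/@s/b".
function nameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Returns { packages, registries, findings } for a parsed package-lock.json.
function auditLockfile(lock) {
  if (!lock.packages) {
    throw new Error('expected lockfileVersion 2 or 3 (a "packages" map)');
  }
  const root = lock.packages[""] || {};
  const direct = new Set(Object.keys(root.dependencies || {}));
  const packages = [];
  const registries = new Map(); // origin -> number of packages resolved from it
  const findings = [];

  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue; // the project itself
    const name = nameFromPath(path);
    const id = `${name}@${entry.version}`;
    packages.push({ name, version: entry.version, direct: direct.has(name),
                    resolved: entry.resolved || null, integrity: entry.integrity || null });

    if (!entry.resolved) { findings.push(`${id}: no "resolved" URL`); continue; }
    let url;
    try { url = new URL(entry.resolved); }
    catch { findings.push(`${id}: unparsable "resolved" URL`); continue; }

    registries.set(url.origin, (registries.get(url.origin) || 0) + 1);
    if (url.protocol !== "https:") findings.push(`${id}: resolved over ${url.protocol} (not TLS)`);
    if (!entry.integrity) findings.push(`${id}: no "integrity" hash`);
    else if (!entry.integrity.startsWith("sha512-")) findings.push(`${id}: integrity uses ${entry.integrity.split("-")[0]}, not sha512`);
  }

  if (registries.size > 1) {
    findings.push(`lock-file mixes ${registries.size} registries: ${[...registries.keys()].sort().join(", ")}`);
  }
  return { packages, registries: [...registries.keys()].sort(), findings };
}

// Stand-alone use: `node audit.js path/to/package-lock.json`, or no argument
// to audit the constructed sample above.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  const report = auditLockfile(lock);
  for (const p of report.packages) {
    console.log(`${p.direct ? "direct    " : "transitive"} ${p.name}@${p.version}`);
  }
  for (const f of report.findings) console.log(`FINDING: ${f}`);
}

module.exports = { SAMPLE_LOCK, auditLockfile, nameFromPath };
```

On the sample above the script lists four pinned packages (two direct, two transitive) and four findings: three distinct registry origins, one package fetched over plain http, one sha1 integrity hash and one missing hash. Lockfile version 1 files keep the same per-package fields but nest them under "dependencies" instead of "packages"; yarn.lock and pnpm-lock.yaml are different formats and would need their own parsers.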
Want to improve your dependency management with Bytesafe?
Point-in-time scans are great for creating awareness, but to take your security to the next level, enable continuous monitoring of your supply chain with Bytesafe. You will be notified automatically of any issues detected, now and in the future.
Ready to try Bytesafe? Sign up for a free trial.