Dependency Checker web tool - Find vulnerabilities, without setup


The JavaScript ecosystem evolves at a pace like no other. New versions are constantly published for the over 1.5 million publicly available npm packages.

As a consequence, projects that were state of the art when developed quickly become outdated. And there is no guarantee that a project that was free from vulnerabilities when it was built will be so today, or a few days into the future.

The Bytesafe Dependency Checker tool scans your JavaScript project within seconds, and the results are available directly in your web browser, with no prerequisite setup or configuration. It makes sure your projects are not using outdated and vulnerable components.

All you need is a lock-file for your project: package-lock.json, yarn.lock or pnpm-lock.yaml, depending on the package manager you prefer. Grab one from your own environment or your friendly Git repository and upload it for a scan!

Dependency Checker is ideal for:

  • Quick and easy point-in-time scans of a project's dependencies
  • Identifying vulnerabilities in existing and deployed applications
  • Getting an instant update on application security, without leaving the web browser

Keep track of the open source dependencies your applications are using. Outdated and vulnerable components remain a key category in the OWASP Top 10 for 2021.

Identify configuration errors

In addition to security vulnerabilities, Dependency Checker also identifies potential configuration errors, such as multiple different registry URLs present in a lock-file. This usually signals a configuration error that can lead to inconsistent package installs.

Turn results into actionable items

Have the results sent directly to you, so you can share them or act on them yourself.

(Image: example of Dependency Checker findings delivered by mail)

Need additional levels of detail? Sign up for the full Bytesafe platform to enable full-fledged issue management and continuous monitoring of dependencies.

The lock-file identifies the dependencies for your application

Lock-files (like package-lock.json) are used to recreate a specific state of dependencies.

Unlike the package.json file, which gives the basic information for a package, lock-files record the specific dependency versions that were in use at a previous point in time. They can therefore be used to reproduce a dependency tree in a new environment, and also to tell us which versions were used to build an already deployed application.

Lock-files are created automatically when adding packages to a project, most commonly by npm install. They are also a prerequisite for using npm ci in automated environments.

Lock-files provide version-specific information for each dependency (direct and transitive):

```json
...
"node_modules/anymatch": {
  "version": "2.0.0",
  "resolved": "http://workspace.bytesafe.dev/r/example/-/pull/anymatch/2.0.0",
  "integrity": "sha512-*****",
  "dependencies": {
    "micromatch": "^3.1.4",
    "normalize-path": "^2.1.1"
  }
},
...
```

Commit lock-files for your projects. It is recommended to commit the lock-file whenever the dependency composition of a project changes.
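As an added example that is not Bytesafe's or the page's own code, the Node.js script below reads a lock-file in the package-lock.json format shown above and performs the registry-consistency check the post describes, along with two related checks on the same fields (resolved URLs that are not HTTPS, and entries with no integrity hash). The lock-file content is constructed inline and its hashes are placeholders.

```javascript
// Added example (not Bytesafe's code): audit a package-lock.json (lockfileVersion 2/3
// "packages" map) for the "multiple registry URLs" configuration error the post describes,
// plus dependencies fetched over plain HTTP or lacking an integrity hash. Constructed input.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", dependencies: { anymatch: "^2.0.0" } },
    "node_modules/anymatch": {
      version: "2.0.0",
      resolved: "http://workspace.bytesafe.dev/r/example/-/pull/anymatch/2.0.0",
      integrity: "sha512-PLACEHOLDER",
      dependencies: { micromatch: "^3.1.4", "normalize-path": "^2.1.1" },
    },
    "node_modules/micromatch": {
      version: "3.1.10",
      resolved: "https://registry.npmjs.org/micromatch/-/micromatch-3.1.10.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
    "node_modules/normalize-path": {
      version: "2.1.1",
      resolved: "https://registry.npmjs.org/normalize-path/-/normalize-path-2.1.1.tgz",
      // no integrity field: npm has nothing to verify the downloaded tarball against
    },
  },
});

// Walk every non-root entry; collect registry hosts, non-HTTPS sources and missing hashes.
function auditLockfile(lockText) {
  const lock = JSON.parse(lockText);
  const registries = new Set();
  const insecureTransport = [];
  const missingIntegrity = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the project itself, not a dependency
    const id = `${path.replace(/^.*node_modules\//, "")}@${entry.version}`;
    if (entry.resolved) {
      const u = new URL(entry.resolved); // URL is a Node.js global
      registries.add(u.host);
      if (u.protocol !== "https:") insecureTransport.push(id);
    }
    if (!entry.integrity) missingIntegrity.push(id);
  }
  return {
    registries: [...registries].sort(),
    inconsistentRegistries: registries.size > 1, // the configuration error Dependency Checker flags
    insecureTransport,
    missingIntegrity,
  };
}
console.log(auditLockfile(SAMPLE_LOCK));
```

Run it against a real package-lock.json by replacing SAMPLE_LOCK with the file contents; more than one host in registries means the project installs from mixed registries.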

Want to improve your dependency management with Bytesafe?

Point-in-time scans are great for creating awareness, but to take your security to the next level, enable continuous monitoring of your supply chain with Bytesafe. You will be notified automatically of any issues detected, now and in the future.

Ready to try Bytesafe? Sign up for a free trial.

Security is never easy. Let us guide you through the jungle!

We’ll keep you up to date on supply chain security and send you the latest information.