Keep your package.json free of unused packages
By removing unused packages from your package.json file, you can keep your project organized, faster to install, as well as make it easier to understand and manage the dependencies required for your project.
There are several tools and techniques you can use to check for unused packages in a Node.js project:
- npm-check (opens in a new tab): By running
npx npm-checkfrom the root directory of your project.
- depcheck (opens in a new tab): By running
npx depcheckfrom the root directory of your project.
- Manually: By running
npm ls --depth=0from the root directory of your project to obtain the list of dependencies installed, then manually validate the usage of each of these dependencies.
No matter what method you use, before removing a dependency, you should make sure that it is really not used in your project.
If you find a package that is not being used, you can remove it from your project by deleting the relevant line from your package.json file and running the dependencies install command of your package manager to remove the package from your node_modules directory and update your dependencies lock file.
Audit dependency before using it
It is important to audit dependencies before using them to ensure that they are secure, free of vulnerabilities and other risks, and appropriate for your project. By conducting an audit, you can identify any potential risks and take steps to mitigate them before using the dependency in your software.
Here are some steps you can follow to audit a dependency before using it in your software.
- Check its license: Review the license of the dependency to understand your rights and obligations when using the software. Check the terms of the license to ensure that you are complying with the legal requirements and obligations of the license.
- Check its statistics: Check the usage and adoption statistics of the dependency to see how popular it is and how widely it is used. This can help you gauge the reliability and stability of the dependency, as well as its support and community. The website npm trends (opens in a new tab) can help you with that.
- Check its maintenance: Check the maintenance status of the dependency to see if it is actively maintained and supported. Look for information about when the dependency was last updated and whether it has a dedicated maintainer or team. The command
npm view asynccan help you with that.
- Check for vulnerabilities: Check to see if the dependency has any known vulnerabilities. There are several public databases that track vulnerabilities in software, including the National Vulnerability Database (opens in a new tab) (NVD), the Common Vulnerabilities and Exposures (opens in a new tab) (CVE), and the Snyk (opens in a new tab) database. Search these databases to see if the dependency has any known vulnerabilities.
- Review the code: If possible, review the code of the dependency to understand how it works and to check for any potential issues. Look for any poorly written or insecure code, and consider whether the dependency is appropriate for your project.
- Test the dependency: Test the dependency to ensure that it works as expected and does not introduce any issues or vulnerabilities into your software. This can involve running tests, performance benchmarks, and other checks to verify the functionality and reliability of the dependency.
- Consider alternatives: If you have concerns about the dependency, consider whether there are any alternative dependencies that might be more suitable for your project. Look for dependencies with similar features that are well-maintained, stable, and secure.
Discuss with the team if a less well-known dependency is needed
Using a dependency that is less well-known or has a smaller user base can introduce additional risk to your project. By discussing the use of the dependency with your team, you can assess the potential risks and decide whether it is worth using. It's always a good idea to involve your team in decisions about dependencies and other technical choices in a project.
Maintain your dependencies updated
Maintaining your dependencies updated can help ensure that your project is using the most stable and secure versions of the libraries and frameworks it depends on, which can help improve the overall quality and reliability of your project. Additionally, updating dependencies can allow you to take advantage of new features and improvements made to these libraries and frameworks, which can make your project more efficient and effective.
There are a few ways to maintain your dependencies up to date on a Node.js project:
- Use the
npm updatecommand: This command will update all of your dependencies to the latest version, based on the version range specified in your package.json file. For example, if you have a dependency specified as
"dependency-name": "^1.0.0", the
npm updatecommand will update the dependency to the latest version of the 1.x.x series.
- Use the
npm outdatedcommand: This command will show you a list of your dependencies that are out of date. You can then use the
npm updatecommand to update specific dependencies. For example, to update the
dependency-namedependency, you would run
npm update dependency-name.
- Use a dependency security tool: There are a number of tools available that can scan your project's dependencies and identify known vulnerabilities and updates. Examples include Snyk (opens in a new tab), Dependabot (opens in a new tab), and Renovate (opens in a new tab). These tools usually have a command-line interface (CLI) that you can run as part of your build process or on demand to check for vulnerabilities and update dependencies.
Audit your dependencies frequently against known vulnerability
Auditing your dependencies frequently against known vulnerabilities is important because it can help you identify and address any potential security issues in your project in a timely manner. By regularly checking your dependencies for vulnerabilities, you can take steps to mitigate any risks and protect your project and its users from potential attacks or breaches.
Additionally, regularly auditing your dependencies can also help you maintain the trust of your users and stakeholders, as it demonstrates a commitment to the security and integrity of your project.
There are a few ways you can audit your dependencies against known vulnerabilities on a Node.js project:
- Use a dependency security tool: There are a number of tools available that can scan your project's dependencies and identify known vulnerabilities. Examples include Snyk (opens in a new tab), Dependabot (opens in a new tab), and Renovate (opens in a new tab). These tools usually have a command-line interface (CLI) that you can run as part of your build process or on demand to check for vulnerabilities and update vulnerable dependencies. Some of these tools also provide additional features, such as the ability to monitor for new vulnerabilities or to receive alerts when vulnerabilities are discovered.
- Manually check: You can also manually check using
npx better-npm-audit auditcommands.