GitHub Advisory Database now powers npm audit
Edward Thomson | October 7, 2021 | Product, Security
Source: https://github.blog/2021-10-07-github-advisory-database-now-powers-npm-audit/

Supply chain security is one of the most important parts of software development today, and we want to make developing securely as easy as possible for developers. Today, we're taking another step in bringing all this together for both npm and GitHub by announcing that the GitHub Advisory Database now powers npm audit.

npm audit is a command that you can run in your Node.js application to scan your project's dependencies for known security vulnerabilities. For each vulnerability found, you are given a URL you can visit to learn more, along with information about which versions fix it. In addition, the npm install command uses this information to give you a brief summary of problems.

[Screenshot: the npm install command providing a problem summary]

Integrating npm's security systems

The GitHub Advisory Database is a carefully curated set of more than 5,000 security vulnerabilities that powers important security tools like Dependabot. When npm joined GitHub, the npm advisory database became a part of our portfolio of security products, but (unfortunately) that meant that we had two databases of security advisories. Last year, we added all the npm security advisories to the GitHub Advisory Database. By doing this, we made sure that you were seeing the same advisories for your project, whether you were scanning it with npm audit or a tool like Dependabot.

This was a great first step, because developers no longer had to look in two places to see security advisories for their dependencies, but within GitHub we still had differences between the schemas of the two databases. This made it harder to add new features, and also created extra work, since the security engineers who curate these advisories needed to make sure that each advisory was accurate in each database.

GitHub Advisory Database + npm

Today, we're adding a proxy on top of the GitHub Advisory Database that speaks the npm audit protocol. This means that every version of the npm CLI that supports security audits is now talking directly to the GitHub Advisory Database.

[Screenshot: security audit results]

In addition, we're redirecting the advisories on npmjs.com to the GitHub Advisory Database. This means you can view advisories and also search and sort them in a more advanced way. Every developer gets the same high-quality vulnerability information from the GitHub Advisory Database, and we'll stay focused on keeping development on npm and GitHub secure.

Learn more

Jump in and explore npm advisories today, or learn more about our other supply chain security features:

* npm audit
* The Advisory Database
* Security advisories
* Dependency graph
* Dependabot alerts
* Dependabot security updates

Tags: npm, supply chain security
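The npm audit exchange that the proxy described above now serves, modelled as an added example; this is not code from the post, from npm or from GitHub. It assumes the bulk request shape the npm CLI uses (a JSON map of package name to installed versions, answered with a map of package name to advisories carrying severity, url and a vulnerable_versions range), and every package, version and advisory in it is constructed.

```javascript
// Added example (not the post's, npm's or GitHub's code): a client-side model of the
// npm audit bulk exchange. The CLI sends { name: [installed versions] }, the advisory
// service replies { name: [advisories] }, and each advisory's vulnerable_versions range
// is checked against what is installed. Field names are an assumption; data is constructed.
// Request body from a lockfile-v2 style "packages" map (the root entry "" is skipped).
function buildBulkRequest(lock) {
  const body = {};
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || !meta.version) continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + 13); // text after last "node_modules/"
    const versions = body[name] || (body[name] = []);
    if (!versions.includes(meta.version)) versions.push(meta.version);
  }
  return body;
}
// Numeric compare of "major.minor.patch"; prerelease tags are not handled in this example.
function cmp(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// Comparator ranges as advisories state them, e.g. "<1.2.4" or ">=2.0.0 <2.1.5 || <1.5.0".
// An unparseable range throws rather than silently reading as "not vulnerable".
function inRange(version, range) {
  return range.split("||").some((alt) => alt.trim().split(/\s+/).every((c) => {
    const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(c);
    if (!m) throw new Error("unsupported range syntax: " + c);
    const d = cmp(version, m[2]);
    return { ">=": d >= 0, "<=": d <= 0, ">": d > 0, "<": d < 0, "=": d === 0 }[m[1] || "="];
  }));
}
// Join the response back to installed versions: one finding per vulnerable install.
function findVulnerable(request, response) {
  const findings = [];
  for (const [name, versions] of Object.entries(request)) {
    for (const adv of response[name] || []) for (const version of versions) {
      if (inRange(version, adv.vulnerable_versions)) findings.push({ name, version, severity: adv.severity, url: adv.url });
    }
  }
  return findings;
}
// Constructed sample: "example-lib" installed twice (1.3.0 at top level, 1.2.3 nested
// under "other") and one constructed advisory in the bulk response shape.
const sampleLock = { packages: {
  "": { name: "my-app" }, "node_modules/example-lib": { version: "1.3.0" },
  "node_modules/other": { version: "4.0.0" }, "node_modules/other/node_modules/example-lib": { version: "1.2.3" },
} };
const sampleResponse = { "example-lib": [{ id: 0, title: "Constructed advisory", severity: "high",
  vulnerable_versions: "<1.2.4", url: "https://github.com/advisories/GHSA-PLACEHOLDER" }] };
const sampleFindings = findVulnerable(buildBulkRequest(sampleLock), sampleResponse);
```

Only the nested 1.2.3 copy is reported, which is why the CLI audits every installed version of a package rather than only the top-level one.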