
If you’re using tools like Checkmarx or JFrog Xray to scan for security vulnerabilities in the third-party dependencies of your NPM builds, you may have noticed that many of the vulnerabilities they report come from development-only dependencies.
If you’re producing a shared NPM library or service, there is no need for your development dependencies to be included in the final package; to achieve this, pass the --only=production flag to npm.
This saves a lot of time, as the security scans will then only consider production dependencies.
Example – Using JFrog Xray on Azure Pipelines
Here is the complete pipeline snippet: it installs only production dependencies, packs and publishes the artifact, collects the build-info (for Xray), and then runs an Xray scan of the build.
parameters:
- name: artifactoryServiceConnection
  type: string
  default: 'sample-pipeline-service'
- name: buildSourceRepo
  type: string
  default: 'npm-remote'
- name: artifactoryBuildname
  type: string
  default: 'focused-xray-test'
- name: buildVersion
  type: string
  default: '24'
steps:
# npm ci through Artifactory, restricted to production dependencies so the
# collected build-info (and therefore the Xray scan) never includes devDependencies
- task: ArtifactoryNpm@2
  inputs:
    command: 'ci'
    artifactoryService: ${{ parameters.artifactoryServiceConnection }}
    sourceRepo: ${{ parameters.buildSourceRepo }}
    collectBuildInfo: true
    threads: 1
    buildName: ${{ parameters.artifactoryBuildname }}
    buildNumber: ${{ parameters.buildVersion }}
    includeEnvVars: true
    arguments: '--only=production'
# pack the library and publish the tarball, attaching it to the same build
- task: ArtifactoryNpm@2
  inputs:
    command: 'pack and publish'
    artifactoryService: ${{ parameters.artifactoryServiceConnection }}
    targetRepo: 'samplenpmlib-npm-library-build-local'
    collectBuildInfo: true
    buildName: ${{ parameters.artifactoryBuildname }}
    buildNumber: ${{ parameters.buildVersion }}
    includeEnvVars: true
# publish the accumulated build-info so Xray can scan the build by name and number
- task: ArtifactoryPublishBuildInfo@1
  displayName: 'Publishing buildInfo to Artifactory'
  inputs:
    artifactoryService: ${{ parameters.artifactoryServiceConnection }}
    buildName: ${{ parameters.artifactoryBuildname }}
    buildNumber: ${{ parameters.buildVersion }}
# scan the published build; allowFailBuild lets Xray policy violations fail the pipeline
- task: ArtifactoryXrayScan@1
  displayName: 'Scanning build with Jfrog XRay'
  inputs:
    allowFailBuild: true
    artifactoryService: ${{ parameters.artifactoryServiceConnection }}
    buildName: ${{ parameters.artifactoryBuildname }}
    buildNumber: ${{ parameters.buildVersion }}