Thursday, March 23, 2023
HomeNodejsVulnerability Scanning & Third-Occasion Modules Certification in N|Stable

Vulnerability Scanning & Third-Occasion Modules Certification in N|Stable

NCM —NodeSource Licensed Modules— is the safe, dependable solution to benefit from the huge ecosystem of Node.js packages. Licensed modules are appropriate with Node LTS and monitored constantly to determine danger over time.

Certification ensures no safety vulnerabilities or unverified code in modules or dependencies and is straightforward to arrange and handle. No workflow modifications are required.

  • Benefit: Know all the potential vulnerabilities inside your utility.
  • Profit: Perceive safety dangers and easy methods to resolve them.

Why NCM it is a necessary instrument for a Node.js Developer?

In all probability as a developer you may have requested your self these questions🕵️‍, if not, it’s time to ask them out loud:

  • Are you utilizing the suitable npm packages?
  • Are you utilizing packages with recognized vulnerabilities?
  • Have they got cheap code high quality?
  • Do they embody licenses which can be appropriate with your small business?

Fixing these questions and zooming in to the particular NCM is Safety, Compliance, and curation instrument across the Third-Occasion Node.js & JavaScript package deal ecosystem.

It’s designed for use along with npm to offer a layer of safety towards recognized safety vulnerabilities and potential license compliance points and supply common high quality or danger evaluation data to enhance your skill to work with the Third-party ecosystem.

Img 1 – Introducing Nodesource Licensed Modules – NCM

NCM gives actionable insights and offered danger ranges; this helps to grasp the extent of danger and easy methods to mitigate it. The Static evaluation will present:

  • ✅ Safety
  • ✅ Compliance
  • ✅ Code high quality (checking packages)

Different merchandise in the marketplace do not do all three checks; one other differentiator is the offline mode; you’ll be able to scan your safety vulnerabilities with out being reside. This helps you perceive the extent of danger publicity and easy methods to mitigate it.

How does NCM in N|Stable work?

NCM gives you and your groups with actionable insights into the chance ranges current in your use of third-party packages; utilizing a sequence of assessments; we rating packages on npm to search for numerous weighted standards.

Img 2 – NodeSource Licensed Modules – NCM in N|Stable

NCM gives a 0-100 belief rating and assesses packages based mostly on Safety, compliance, package deal danger, and high quality attributes. Safety vulnerabilities have severity ranges. Every severity degree contributed to the respective danger degree:

Img 3 – NCM Rating Particulars

NOTE: In case your utility requires an uncertified package deal and there aren’t any licensed options, uncertified packages will be whitelisted in your registry, permitting set up.

Img 4 – NCM Managing Registry

The NCM command line instrument permits for whitelisting uncertified packages and extra. Administration of your registry, together with:

  • whitelist administration
  • rating reporting
  • visualization of package deal tree with scores

What does “Licensed” imply?

Img 5 – NCM NodeSource Licensed Modules

NodeSource evaluates publicly accessible packages based mostly on weighted standards to find out a “belief rating” for every package deal, monitoring for safety vulnerabilities on an ongoing foundation to determine rising dangers. With Licensed Modules, NodeSource gives a degree of belief in every of the modules used.

With NCM, you may have these capabilities:

  • Know that the Node.js packages powering your Companies are prime quality and protected to make use of.
  • All the packages on the npm registry have been scored, permitting you to seek for the licensed packages which can be proper on your utility.
  • When packages do not meet our certification standards, see the main points for the place it falls quick.
  • When utilizing your Licensed Modules registry, solely licensed packages shall be installable. When trying to put in an uncertified module, the npm consumer will report an error indicating that the requested package deal shouldn’t be licensed and won’t be put in.

Img 6 – Confidence – NodeSource Licensed Modules NCM

NCM provinces full customization in:

  • Service Tokens (you’ll be able to outline insurance policies inside accounts in N|Stable).
  • CI Processes

This prevents all prospects from deploying susceptible purposes; this checks the Safety earlier than going reside, then NCM checks our database for vulnerabilities.

We depend on validated suppliers:
Img 7 – Knowledge Suppliers – NodeSource Licensed Modules NCM

Stops any utility with NCM in Strict mode

The N|Stable strict mode permits customized configuration utilizing JSON-based configuration. The N|Stable strict mode can be utilized with the immediate nsolid-strict as an alternative of the well-known nsolid; the important thing distinction between strict and common mode is that the strict mode will cease any utility with encountered vulnerabilities recognized by the NCM.

Run the immediate nsolid-strict with an choice --config or -c to edit the JSON-based configuration file utilizing your system’s default textual content editor.

If you wish to know extra about how NCM Prevents npm Substitution Assaults or our integration straight with Github, we invite you to learn ‘Avoiding npm substitution assaults utilizing NCM‘.

Strive NCM – NodeSource Licensed Modules Now!


$ npm set up -g ncm-cli

Generates a project-wide report of listing danger and high quality of put in or specified packages. The highest 5 riskiest modules detected shall be displayed alongside a concise venture report.

Img 8 – Report – NodeSource Licensed Modules NCM

The listing to generate a report from could also be specified by way of ncm report <dir>. Defaults to utilizing the present working listing.

Img 9 – Full Report – NodeSource Licensed Modules NCM

A report with an inventory of all modules will be generated by passing --long , -l.
Img 10 – Filters – NodeSource Licensed Modules NCM

ncm particulars <module{@model}>

Returns an in depth report a couple of particular module model. Defaults to utilizing the most recent model as printed to npm if no model is supplied.
Img 11 – Particulars – NodeSource Licensed Modules NCM

ncm set up <module{@model}>

Runs and shows ncm particulars <module{@model}> with an interactive affirmation immediate.

If confirmed, makes an attempt to run npm set up <module{@model}> with any further choices supplied.

The config keys installBin and installCmd can regulate this to work with different package deal installers if obligatory. For extra data, see ncm config --help.

NCM whitelist

Img 12 – Whitelisting Packages – NodeSource Licensed Modules NCM

Show or modify your NodeSource group’s module whitelist.
ncm whitelist --list:

  • Returns an inventory containing every module in your NodeSource group’s whitelist.
  • Public modules are listed alongside their danger rating, license compliance, and safety abstract.

Img 13 – Whitelisting – NodeSource Licensed Modules NCM

ncm orgs

Change your energetic NodeSource group, which impacts the whitelist. Defaults to an interactive immediate. By passing an <orgname>, the interactive half could also be skipped. *Enter is case delicate.

ncm config

Entry to varied configuration settings. For extra data, use the assistance command: ncm config --help

Avoiding npm substitution assaults utilizing NCM

Run ncm set up as an alternative of npm set up to keep away from npm substitution assaults, which robotically stop public variations from changing or merging with personal packages.

NCM verifies all the packages outlined in package deal.json to scan besides scoped packages as a result of the scoped packages are essentially not susceptible to npm substitution assaults.

Demo Video — NCM in N|Stable


NOTE: For a greater expertise, you’ll be able to activate the closed captions within the video. They’re accessible in English.

The N|Stable Console will be configured to carry out periodic verification of all packages loaded by all N|Stable processes.

  • All loaded packages are verified towards an inventory of recognized vulnerabilities.
  • Details about every vulnerability shall be reported within the Console when new vulnerabilities are discovered. Notification choices will be configured.
  • Offers actionable insights into the chance ranges in your use of third-party packages.

Wish to strive N|Stable?

Do it proper now! 🏃🏿‍♂️🏃‍♀️, We launch in Openjs World 2022 some codes to redeem 50% in 8 or 12 processes in our SaaS model.


  • 8 processes OPENJS-8T
  • 12 processes OPENJS-12T

Or join our FREE choice for 4 processes and get began with N|Stable!

To take a look at the highest 10 options and extra in N|Stable, enroll to create your account or register on the high proper nook of our important web page. Extra data is out there right here.



Please enter your comment!
Please enter your name here

Most Popular

Recent Comments