
Checking for known vulnerabilities in our node packages etc. with retire.js

I noticed, a while back, how GitHub has some fabulous tooling which runs across our repos, on our Maven and Node packages (and probably more). I wanted to have something similar hooked into my CI/CD pipeline for my React and Node projects.

There are several solutions, but the one I am talking about here is retire.js. There are several ways to run retire.js; I’m going to concentrate on running it from the command line.

So first off you need to install retire.js, either globally or, in my case, by adding it to the dev packages:

  • yarn add -D retire

You may also need to run the following if you get an error saying it’s missing:

  • yarn add -D regexp-tree

Now we can simply run yarn retire from our project’s folder. Without any arguments this will run both JavaScript and NPM checks.

In my case I got three vulnerabilities listed for jquery, but as they’re primarily used as part of the webpack dev server (in my case) I don’t really need/want them reported, as they’re out of my hands and hopefully the webpack dev server will update them in forthcoming releases, so I want to ignore these for now. To ignore such reports, create a file named .retireignore.json (other variants of this file exist) and add the following:

[
  {
    "component": "jquery",
    "justification": "Used by webpack dev server"
  }
]

In this example I’ve ignored all issues around jquery, but that may be too coarse and mean we do not catch other possible issues around jquery usage, so we can instead add identifiers and list specific issues to ignore, for example:

[
  {
    "component": "jquery",
    "identifiers": { "issue": "2432" },
    "justification": "CORS issue, we only work within the intranet"
  }
]

Note: from what I could tell (although I’m not 100% on this) you can only ignore single issues, despite the use of the plural “identifiers”. I would assume that if you’re going to ignore multiple issues then it’s probable you would just ignore all issues for a specific version of a package.

We can ignore specific versions of packages using:

[
  {
    "component": "jquery",
    "version": "3.3.1",
    "justification": "Used by webpack dev server"
  }
]
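As an added example (not from this post and not retire.js's own code), here is a small Node script that models the three ignore-entry shapes described above (component only, component plus issue identifier, component plus version) and lints an ignore list for entries that are too coarse or carry no justification. The matching rules are my reading of the post, not retire's actual implementation, and the sample entries are constructed.

```javascript
// Constructed sample ignore list covering the three entry shapes from the post.
const SAMPLE_IGNORE = [
  { component: "jquery", identifiers: { issue: "2432" },
    justification: "CORS issue, we only work within the intranet" },
  { component: "lodash", version: "4.17.10",
    justification: "Pulled in by the dev server only" },
  { component: "moment" } // coarse and unjustified: the lint should flag it
];

// A finding is { component, version, issue }. An entry matches when the
// component agrees and every scoping field the entry carries also agrees
// (assumed semantics, following the post's description of the ignore file).
function entryMatches(entry, finding) {
  if (!entry.component || !finding.component) return false;
  if (entry.component.toLowerCase() !== finding.component.toLowerCase()) return false;
  if (entry.version && entry.version !== finding.version) return false;
  const issue = entry.identifiers && entry.identifiers.issue;
  if (issue && String(issue) !== String(finding.issue)) return false;
  return true;
}

// True when at least one ignore entry suppresses the finding.
function isIgnored(ignoreList, finding) {
  return ignoreList.some((entry) => entryMatches(entry, finding));
}

// Lint the ignore list: every entry needs a component and a justification, and
// an entry with neither a version nor an issue id suppresses everything for
// that component, which is usually broader than intended.
function lintIgnoreFile(ignoreList) {
  const report = [];
  ignoreList.forEach((entry, index) => {
    const problems = [];
    if (!entry.component) problems.push("missing component");
    if (!entry.justification) problems.push("missing justification");
    if (!entry.version && !(entry.identifiers && entry.identifiers.issue)) {
      problems.push("coarse: ignores every issue for every version");
    }
    if (problems.length) report.push({ index, component: entry.component, problems });
  });
  return report;
}

// Stand-alone run: print the lint report for the constructed sample list.
console.log(JSON.stringify(lintIgnoreFile(SAMPLE_IGNORE), null, 2));
```

Pointing the lint at a real .retireignore.json before the yarn retire step gives the pipeline a cheap check that nothing has been silenced without a reason.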