Training »

Open Source Dependency Governance

Content length: approx. 4 - 6 hours (customizable)

Node.js-based projects, including projects using Angular (and most other web frameworks) rely on an ecosystem of open-source packages via the npm package manager's public repository. While that public repository contains an abundance of useful, freely-available packages, its use in enterprise-scale applications comes with potential security and licensing risks to understand and manage.

In this class we will:

Explain how the npm package manager works
Explain how the npm public repository works including policies by npm, Inc. that affect how public packages work in the npm ecosystem
Explore how to govern third-party open source dependencies in Angular and Node.js applications
Investigate tools for governing third-party open source npm dependencies

The class/session is oriented toward enterprise users of Angular and similar frameworks, and can include substantial discussion, especially for private engagements.

Governance

In addition to this open source / third party dependency governance topic, we also offer a class on application / project / program governance. Our governance offerings generally use Angular-related technologies for examples and specifics, but the material generally applies far beyond Angular.

Proven results

We've trained thousands of developers at companies like yours

Who Should Attend?

This class is designed for managers, project leaders, and software developers who need to evaluate and manage risk from third-party open source dependencies in enterprise-scale Angular applications.

Prerequisites and requirements

An understanding of the process of writing software that uses external, third-party code
Prior exposure to single-page applications
Experience writing code with Angular is not necessary, but knowledge about Angular in general will be beneficial

Topic outline

Introduction and background
- Oasis Digital and instructor introduction
- Student introductions
- Third-party dependencies
- Open source dependencies
  - How dependencies are used in open source software
  - Overview of the role of package managers
  - Introduction to the npm package manager
  - Introduction to the public npm repository
  - Comparison of npm with package managers used in other languages
- Governance and dependency management
  - How third-party dependencies differ from first-party dependencies
  - The cost of adopting a bad dependency
  - Potential legal and security risks of open source software
  - Why dependency governance is needed in Angular and Node.js projects
The npm package manager
- npm-compatible alternatives
  - Yarn
  - ied
  - pnpm
  - npm-install
  - npmd
The public npm package repository
- devDependencies are less critical than runtime dependencies
- Keep secure connections enabled even in restrictive networks
- Who runs npm and how did the public npm repository begin?
- Semantic versioning (SemVer)
  - Interpreting and using version numbers in npm
  - Meta tags or a major version number of zero can indicate higher risk
  - Why npm packages use semantic versioning
- Scope and naming of npm packages
- How npm became, and remains, the most popular open source JavaScript package repository
Hosting your own private npm repository
- Self hosting on-premises or in the cloud
  - Artifactory
  - Sinopia
  - Verdaccio
  - npm-register
  - Individual git repositories
- Private npm repository hosting services
  - npmjs.org
  - MyGet
  - Gemfury
  - JFrog
Licensing and trademark issues with third-party dependencies
- Trademarks and public npm package name conflicts
- Licenses used in public npm packages
  - Apache-2.0
  - MIT
  - ISC
  - BSD
  - Other open source licenses
Security issues with third-party dependencies
- "Power to the People" (left-pad)
- "Bitcoin bandits" (event-stream and flatmap-stream)
- No simple solution exists that will solve all security risks
  - Version number specificity
  - Rules for what kinds of third-party packages can be used
  - Blocking all third-party packages
  - Proxying public packages through Artifactory
- Security risks can be managed
Practices that minimize security and quality risks from third-party dependencies
- Inspect packages manually
- Factors to look for when checking individual packages
  - Existence and quality of the documentation
  - Quality of the API's design
  - Code quality
  - Existence and quality of tests
  - Current state and history of the issue tracker
  - Maintenance and commit history
  - Popularity
  - Security considerations
  - Licenses
  - Transitive dependencies
- Special practices for critical dependencies
  - Write targeted tests of key features
  - Abstract with a wrapper for easier replacement in the future
  - Consider isolating risky packages in a sandbox
  - Consider using only the parts of a dependency that you need
- Upgrade package versions often
  - The window of time for security-critical upgrades is short
  - Upgrades should not be completely automatic
  - How to upgrade package versions with the npm CLI
Tools for analyzing third-party dependencies in Angular and Node.js projects
- Security features built into the npm CLI
  - Node Security Platform is now integrated into the npm CLI
  - The "npm audit" command
- Third-party dependency analysis tools
  - Node Dependency Analysis Tool by Google
  - Nexus Auditor
  - Fossa
  - Snyk
  - Black Duck by Synopsys
  - CycloneDX
- Features typically found in dependency analysis tools
  - Check for security vulnerabilities
  - Block vulnerable libraries in CI/CD pipelines
  - Discover restrictive licenses in third-party dependencies
  - Analyze risk based on the age and popularity of packages
  - Manage rules for what kind of third-party packages can be used
  - Can often set the tools to run these checks on each commit
  - View dashboards and generate reports
  - Apply standard documents and policies to projects
  - Generate attributions, BOMs, reports, and audit results
  - Many different languages, platforms, and build systems are typically supported
Handling a security or licensing accident
- STAMP accident analysis
  - Base Constraints
  - Proximal Chain
  - Identifying which safeguards failed and why
  - Determining why inadequate safeguards were used

Meet your instructors

Your instructors will depend on your custom requests, availability, consulting needs, etc.

Private group classes

For corporate groups and other organizations, we offer live in-person or online events. Our instructors adapt the agenda to match your needs. We can include consulting assistance, or combine topics into a longer workshop week.

Calculate the cost

Training FAQs

Q: Is this taught in person?: A: We offer training both in-person and online via remote conferencing.
Q: How does the remote option work?: A: Much like an in-person class, it's conducted by our expert instructors in real time. The instructors answer questions, assist students, etc. We strive to offer as much of the in-person experience as possible, online.
Q: Can the content be customized?: A: For private team classes, we *always discuss your goals, the class contents, any specials areas for extra coverage, etc. in advance. We customize both the contents and length (number of days) to your needs.

Q: Can we schedule a private class any time?: A: Our classes are taught by developers who use the subject technologies in their daily work, so we carefully assign the right developer/trainer to your class, for a good experience and knowledge match. Please contact us to arrange a date.

Return to the class list