Node.js-based projects, including projects using Angular (and most other web
frameworks) rely on an ecosystem of open-source packages via the npm package
manager's public repository. While that public repository contains an abundance
of useful, freely-available packages, its use in enterprise-scale applications
comes with potential security and licensing risks to understand and manage.
In this class we will:
Explain how the npm package manager works
Explain how the npm public repository works including policies by npm, Inc.
that affect how public packages work in the npm ecosystem
Explore how to govern third-party open source dependencies in Angular and
Investigate tools for governing third-party open source npm dependencies
The class/session is oriented toward enterprise users of Angular and similar
frameworks, and can include substantial discussion, especially for private
In addition to this open source / third party dependency governance topic, we
also offer a class on application / project / program governance. Our governance
offerings generally use Angular-related technologies for examples and specifics,
but the material generally applies far beyond Angular.
Who Should Attend?
This class is designed for managers, project leaders, and software developers
who need to evaluate and manage risk from third-party open source dependencies
in enterprise-scale Angular applications.
Prerequisites and requirements
An understanding of the process of writing software that uses external,
Prior exposure to single-page applications
Experience writing code with Angular is not necessary, but knowledge about
Angular in general will be beneficial
We have trained thousands of developers at hundreds of companies,
including numerous global leaders.
Introduction and background
Oasis Digital and instructor introduction
Open source dependencies
How dependencies are used in open source software
Overview of the role of package managers
Introduction to the npm package manager
Introduction to the public npm repository
Comparison of npm with package managers used in other languages
Governance and dependency management
How third-party dependencies differ from first-party dependencies
The cost of adopting a bad dependency
Potential legal and security risks of open source software
Why dependency governance is needed in Angular and Node.js projects
The npm package manager
The public npm package repository
devDependencies are less critical than runtime dependencies
Keep secure connections enabled even in restrictive networks
Who runs npm and how did the public npm repository begin?
Semantic versioning (SemVer)
Interpreting and using version numbers in npm
Meta tags or a major version number of zero can indicate higher risk
Why npm packages use semantic versioning
Scope and naming of npm packages
Hosting your own private npm repository
Self hosting on-premises or in the cloud
Individual git repositories
Private npm repository hosting services
Licensing and trademark issues with third-party dependencies
Trademarks and public npm package name conflicts
Licenses used in public npm packages
Other open source licenses
Security issues with third-party dependencies
"Power to the People" (left-pad)
"Bitcoin bandits" (event-stream and flatmap-stream)
No simple solution exists that will solve all security risks
Version number specificity
Rules for what kinds of third-party packages can be used
Blocking all third-party packages
Proxying public packages through Artifactory
Security risks can be managed
Practices that minimize security and quality risks from third-party dependencies
Inspect packages manually
Factors to look for when checking individual packages
Existence and quality of the documentation
Quality of the API's design
Existence and quality of tests
Current state and history of the issue tracker
Maintenance and commit history
Special practices for critical dependencies
Write targeted tests of key features
Abstract with a wrapper for easier replacement in the future
Consider isolating risky packages in a sandbox
Consider using only the parts of a dependency that you need
Upgrade package versions often
The window of time for security-critical upgrades is short
Upgrades should not be completely automatic
How to upgrade package versions with the npm CLI
Tools for analyzing third-party dependencies in Angular and Node.js projects
Security features built into the npm CLI
Node Security Platform is now integrated into the npm CLI
The "npm audit" command
Third-party dependency analysis tools
Node Dependency Analysis Tool by Google
Black Duck by Synopsys
Features typically found in dependency analysis tools
Check for security vulnerabilities
Block vulnerable libraries in CI/CD pipelines
Discover restrictive licenses in third-party dependencies
Analyze risk based on the age and popularity of packages
Manage rules for what kind of third-party packages can be used
Can often set the tools to run these checks on each commit
View dashboards and generate reports
Apply standard documents and policies to projects
Generate attributions, BOMs, reports, and audit results
Many different languages, platforms, and build systems are typically supported
Handling a security or licensing accident
STAMP accident analysis
Identifying which safeguards failed and why
Determining why inadequate safeguards were used
Oasis Digital instructors have extensive experience with both
Angular and numerous surrounding technologies; here are some
of them. The specific instructor(s) assigned to your class will
depend on which class or class topics (we customize!) are
put together, availability, additional consulting needs, etc.
Q: Is this taught "in person"?
A: We offer training both in-person and online via remote conferencing.
Q: How does the remote option work?
A: Much like an in-person class, it is conducted by our expert trainers, in real time.
The trainers can answer questions, assist with trouble students are having, etc.
We strive to offer as much of the in-person experience as possible, online.
Q: Are there open enrollment public classes?
A: We currently only offer an open-enrollment "public" class for our flagship
Angular Boot Camp.
Q: Can the content be customized?
A: For private team classes, we *always* discuss your goals, the class
contents, any specials areas for extra coverage, etc. in advance.
We customize both the contents and length (number of days) to your needs.
Q: Can we schedule a private class any time?
A: Our classes are taught by developers who use the subject technologies in their daily work,
so we don't assign "any" available developer/trainer to any particular class,
but only to classes with a strong experience and knowledge match.
Please contact us to arrange a date.
Two ways to learn
1) Training for your team, available now
For corporate groups and other organizations, we offer live in-person instruction.
These teams typically have advanced needs, so we provide customized, hands-on
Before each class, our instructors will listen to your needs in depth and add or
change the class agenda. We can also follow-up a class with consulting
assistance, or combine multiple classes into a longer workshop week.
Contact us about a private class
2) Live-instructor public classes, coming soon
Want to attend as an individual or small group? We are creating public,
open enrollment versions of many of our classes, including this one.
Unlike canned video training, live instructor online classes offer frequent
opportunities for detailed Q&A discussion.
This class isn't quite ready yet, but follow us on social media (bottom of
the page) or keep an eye on our website for announcements. We will show
the schedule of upcoming open enrollment class dates prominently.