Vulnerability Detection for Node.js Apps Using Retire

Eliminating from your application all code–include node modules–with known vulnerabilities is an essential part of secure coding. Retire is a node.js package that looks for reported vulnerabilities in your node modules and/or javascript code. It’s dirt simple to use–so there’s no excuse for not using it.

Just install retire using NPM. If you use grunt, install grunt-retire as well.

The gruntfile config entry looks like this

retire: {
js: ['app/**/*.js'], /** Which js-files to scan. **/
node: ['node_modules'], /** Which node directories to scan (containing package.json). **/
options: {
verbose: true,
packageOnly: false,
jsRepository: '',
nodeRepository: '',

You may have to change the js and node directories.

To enable the task, add this in grunt:

grunt.registerTask('retireCheck', ['retire']);

Note that grunt.registerTask(‘retire’, [‘retire’]); will NOT work!

Now run grunt retireCheck. Make this part of your build process to reduce the potential for vulnerable code to ruin your day!


About jeffmershon

Director of Program Management at SiriusXM.
This entry was posted in Software and tagged , . Bookmark the permalink.

One Response to Vulnerability Detection for Node.js Apps Using Retire

  1. Serjey says:

    Does not work here. When I use the Chrome extension or comandline tool it finds vulnerabilities (older version of jQuery and momentJS) but when I use the grunt tool it finds nothing, says all is OK, but that’s wrong. I’m using a similar config as you above, I even copied it now. My result:

    Running “retire:js” (retire) task
    Ignoring {“paths”:[],”descriptors”:[]}
    Loading from cache:
    Reading C:\Users\…\AppData\Local\Temp\.retire-cache\1505221590571.json …
    Checking: bower.json
    Checking: Gruntfile.js
    Checking: package.json
    Checking: retire-output.json
    No vulnerabilities found.

    Running “retire:node” (retire) task
    Ignoring {“paths”:[],”descriptors”:[]}
    Loading from cache:
    Reading C:\Users\…\AppData\Local\Temp\.retire-cache\1505221591072.json …
    No vulnerabilities found.


    Well, sounds good except that is SHOULD FIND something. I use grunt 1.x and grunt-retire 1.0.7

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s