
HTTP dependency

Severity

High

Short Description

Contains a dependency which resolves to a remote HTTP URL which could be used to inject untrusted code and reduce overall package reliability.

Suggestion

Publish the HTTP URL dependency to npm or a private package repository and consume it from there.

Information

An HTTP Dependency alert is generated when a package declares a dependency as a remote URL (for example a tarball served over http:// or https://) instead of a version published to npm or a private package registry. Code behind a URL is fetched outside the registry's controls: whoever controls the host can change what the URL serves at any time, so the dependency's contents can change without a version bump. Where the URL is plain http://, the download is also unencrypted and can be intercepted and altered in transit by a man-in-the-middle (MITM) attacker, which is why the alert is rated high severity.
In both cases the result is a dependency that can be used to inject untrusted code into your application, and one whose installs fail if the host moves or disappears, which reduces the overall reliability of the package.

Why HTTP Dependencies are Risky

  1. Untrusted code injection:
    • The content served at the URL is controlled by the host's owner, not by a registry, so the code you install can be swapped at any time without a version change.
  2. Man-in-the-Middle (MITM) Attacks:
    • Plain HTTP connections can be intercepted by attackers on the network path, allowing them to replace the downloaded archive with malicious code.
  3. Data Integrity:
    • Without TLS, there is no guarantee that the archive received is the one the host sent.
  4. Reliability:
    • If the host goes offline, moves, or changes the URL, every install of the package breaks.
  5. Compliance:
    • Many industry standards and regulations require the use of secure connections for data transmission.

Recommended actions

Publish the code referenced by the URL to npm or a private package registry and depend on a version range instead. If a URL dependency must remain for the time being, make sure it is served over HTTPS rather than HTTP.

Review and Update Dependencies:

  • Check the dependencies, devDependencies, optionalDependencies and peerDependencies fields of your package.json for specs that are URLs rather than versions.
  • Replace each URL dependency with a published version, or at minimum change any http:// URL to https://.

Automate Enforcement:

  • Add a check to CI or a pre-commit hook that scans dependency specs and fails the build when a remote URL, especially a plain http:// one, is found.

Regular Audits:

  • Regularly audit your dependencies to ensure they are consumed from a registry and comply with security best practices.

Examples

Package: 10up-toolkit

  • Issue: This package includes dependencies that are resolved from remote HTTP URLs, posing a security risk.
  • Action: Publish the URL-referenced dependencies to a registry and consume them from there; at minimum, replace HTTP URLs with HTTPS in the package configuration.

Package: algoliasearch.zendesk-hc

  • Issue: This package includes dependencies that are resolved from remote HTTP URLs, posing a security risk.
  • Action: Publish the URL-referenced dependencies to a registry and consume them from there; at minimum, replace HTTP URLs with HTTPS in the package configuration.

Detection Method

Socket's security system identifies URL-resolved dependencies by scanning the package's manifest (package.json). It analyzes the spec of every dependency and flags any that resolve to a remote HTTP URL instead of a registry version.
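The following Node.js script is an added example, not Socket's own detection code. It implements the kind of manifest check described above and in the "Automate Enforcement" step: it parses a package.json, classifies each dependency spec, and reports every dependency that resolves to a remote URL, noting separately which ones use plain http:// and are therefore exposed in transit. The manifest it scans is constructed inline for illustration; the package names and example.invalid hosts are placeholders.

```javascript
// Added example (not Socket's code): flag package.json dependencies that
// resolve to a remote URL instead of a registry version.

// Constructed sample manifest; names and hosts are placeholders.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  dependencies: {
    "lodash": "^4.17.21",
    "left-pad": "http://example.invalid/left-pad-1.3.0.tgz",
    "my-widget": "https://example.invalid/releases/my-widget-2.0.0.tgz",
    "internal-tool": "git+https://example.invalid/org/internal-tool.git",
  },
  devDependencies: {
    "eslint": "8.0.0",
    "fixture-data": "http://example.invalid/fixture-data.tgz",
  },
});

// Every field of package.json that can carry dependency specs.
const DEP_FIELDS = [
  "dependencies",
  "devDependencies",
  "optionalDependencies",
  "peerDependencies",
];

// Classify one dependency spec:
//   "http"     plain-HTTP tarball URL (unencrypted, tamperable in transit)
//   "https"    HTTPS tarball URL (encrypted, but still outside the registry)
//   "git"      git URL (git://, git+https://, git+ssh://, ...)
//   "other"    local or aliasing specs (file:, link:, workspace:, npm:)
//   "registry" a version, range or dist-tag resolved through the registry
function classifySpec(spec) {
  const s = String(spec).trim();
  if (/^git(\+[a-z]+)?:\/\//i.test(s)) return "git";
  if (/^http:\/\//i.test(s)) return "http";
  if (/^https:\/\//i.test(s)) return "https";
  if (/^(file|link|workspace|npm):/i.test(s)) return "other";
  return "registry";
}

// Scan a package.json string and return one finding per URL dependency.
// `plaintext` is true when the URL is plain http:// and the download can be
// altered by a man-in-the-middle; every finding, plaintext or not, is code
// fetched outside the registry's controls.
function findUrlDependencies(packageJsonText) {
  const manifest = JSON.parse(packageJsonText);
  const findings = [];
  for (const field of DEP_FIELDS) {
    const deps = manifest[field];
    if (!deps || typeof deps !== "object") continue;
    for (const [name, spec] of Object.entries(deps)) {
      const kind = classifySpec(spec);
      if (kind === "registry" || kind === "other") continue;
      findings.push({
        field,
        name,
        spec,
        kind,
        plaintext: kind === "http",
        suggestion:
          `Publish ${name} to npm or a private registry and depend on a ` +
          `version range instead of a URL.`,
      });
    }
  }
  return findings;
}

// Exit status a CI job could use: non-zero when any URL dependency exists.
function exitCodeFor(findings) {
  return findings.length === 0 ? 0 : 1;
}

// Stand-alone run over the constructed manifest.
const report = findUrlDependencies(SAMPLE_PACKAGE_JSON);
for (const f of report) {
  const transport = f.plaintext ? "PLAINTEXT http" : f.kind;
  console.log(`${f.field}.${f.name} -> ${f.spec} [${transport}]`);
  console.log(`  ${f.suggestion}`);
}
console.log(`exit code: ${exitCodeFor(report)}`);
```

In CI, run the scanner against the real manifest (for example `JSON.parse(fs.readFileSync("package.json"))` in place of the constructed sample) and use `exitCodeFor` as the process exit status so that a URL dependency fails the build before it reaches production.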
