Learn English vocabulary for package security: npm audit, CVEs, transitive dependency risk, SBOM, supply chain attacks, and typosquatting.
1 / 5
Running 'npm audit' in a project does which of the following?
npm audit queries the npm security advisory database. It reports vulnerabilities in your dependency tree with severity ratings (low/moderate/high/critical) and often suggests version upgrades or patches to resolve them.
2 / 5
A 'transitive dependency' security risk means:
If your app uses framework X, which uses parser Y, which has a critical vulnerability — that is a transitive dependency risk. You never directly chose parser Y, but it is in your dependency tree. This is why audit tools scan the full tree, not just direct dependencies.
3 / 5
'Typosquatting' as a package supply chain attack refers to:
Developers mistype package names and accidentally install attacker-controlled packages. The malicious package (e.g., 'cross-env2' vs 'cross-env') may steal environment variables or execute arbitrary code during install via postinstall scripts.
4 / 5
An SBOM (Software Bill of Materials) for a software project is:
An SBOM is like an ingredient list for software. Formats like SPDX and CycloneDX document every library and its version. SBOMs are increasingly required by governments and enterprises to assess exposure when a new vulnerability (like Log4Shell) is disclosed.
5 / 5
A 'dependency confusion' supply chain attack (as demonstrated by Alex Birsan in 2021) exploits the fact that:
Many package managers check public registries first. If a company uses an internal package named 'company-utils', an attacker publishes a package also named 'company-utils' on npm with a higher version number — the package manager installs the public attacker package instead of the private legitimate one.