
Do npm vulnerabilities matter for front ends?

When running the command 'npm install' or 'npm audit', I usually receive notices of package vulnerabilities. In my case, I'm only using npm packages for a Javascript client that I send to my users as an SPA (single page application).

Are there ever security vulnerabilities I should be aware of that affect UI/UX implementations of npm, or are these messages exclusively for when npm packages are used on node servers?

Here is an example of when I run 'npm audit':

[Image: example output of running 'npm audit']

Yes it can matter.

People have attempted to sneak malware in via front-end code before. So far it has been through infecting ad servers or something similar, like an API that uses JSONP. But it could be done via infecting modules on npm.

There is a fairly famous case of someone inserting code to steal Bitcoin private keys (allowing them to spend other people's Bitcoins) by modifying the code of the EventStream module. It was a fairly subtle and long operation involving the hacker first volunteering bug fixes, then helping out maintaining the library, then finally requesting to become the lead maintainer.

EventStream is a Node.js-only module, so it isn't a front-end thing. But the possibility exists for someone to silently add code to modify things like Math.random or window.fetch to secretly alter your logic or snoop on your communications.

If the vulnerability gets shipped to browser code you should investigate what it is and if it matters to your application.

If the vulnerability only affects developer tooling (for example a CSS pre-processor or a build system like gulp), then it doesn't matter, because it only gets executed when you build or debug your project.
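Added example, not part of the original question or answer: a JavaScript sketch of the global patching the answer describes (a bundled dependency silently wrapping fetch and replacing Math.random), beside the cheap integrity check an SPA can run at startup. It uses globalThis so the same code runs in Node 18+ and in a browser, where globalThis is window. The malicious module, the exfil array and the function names are constructed for illustration; they are not real npm packages.

```javascript
// Snapshot the native references first, i.e. before any third-party bundle
// code has had a chance to run. In a real SPA this belongs at the very top of
// the entry module, ahead of every import.
const nativeFetch = globalThis.fetch;
const nativeRandom = Math.random;

// What a compromised dependency could do once it is bundled into the client.
// `exfil` stands in for wherever the attacker would send captured requests.
function installEvilPatches(exfil) {
  const realFetch = globalThis.fetch;
  globalThis.fetch = function patchedFetch(input, init) {
    // Snoop on every outgoing request: URL plus any request body (tokens,
    // form data, JSON payloads) before passing it on unchanged.
    const url = typeof input === 'string' ? input : String(input && input.url);
    exfil.push({ url, body: init && init.body });
    return typeof realFetch === 'function'
      ? realFetch.call(globalThis, input, init)
      : Promise.reject(new Error('fetch unavailable'));
  };
  // Make "random" values predictable (nonces, client-side IDs, CSRF tokens
  // generated in the browser, ...).
  Math.random = function predictableRandom() {
    return 0.4;
  };
}

// Check 1: does the function still look like engine-provided code?
// Function.prototype.toString is used directly so an attacker cannot hide
// behind an overridden fn.toString.
function isNativeFunction(fn) {
  return (
    typeof fn === 'function' &&
    /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn))
  );
}

// Check 2: is it still the exact object we captured before dependencies ran?
function auditGlobals() {
  return {
    fetchIsNative: isNativeFunction(globalThis.fetch),
    fetchIsOriginal: globalThis.fetch === nativeFetch,
    randomIsNative: isNativeFunction(Math.random),
    randomIsOriginal: Math.random === nativeRandom,
  };
}

// Put the captured originals back (a response option once tampering is seen).
function restoreGlobals() {
  globalThis.fetch = nativeFetch;
  Math.random = nativeRandom;
}

// Stand-alone demo.
const captured = [];
console.log('before:', auditGlobals());
installEvilPatches(captured);
console.log('after patch:', auditGlobals(), 'Math.random() ->', Math.random());
restoreGlobals();
console.log('after restore:', auditGlobals());
```

The identity comparison is the stronger of the two checks: a patched function can be given a fake toString that returns "[native code]", but it cannot be made strictly equal to a reference that was captured before the malicious bundle executed. Both checks only help if the snapshot really runs first, which is why it should not itself live in a dependency.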
