No vulnerable libraries

No vulnerable libraries (no-vulnerable-javascript-libraries)

This rule uses Snyk’s Vulnerability DB to identify whether a website is running a vulnerable client-side JavaScript library or framework.

Why is this important?

Making sure your website's dependencies are free of known vulnerabilities matters because, among other things, an attacker could exploit one of them to mount a cross-site scripting attack and steal private information.

What does the rule check?

This rule uses js-library-detector to identify the client-side JavaScript libraries and frameworks the website loads (and their versions), then looks those versions up in Snyk’s Vulnerability DB to check whether any of them is known to be vulnerable.

The vulnerability database is updated automatically from Snyk if the cached content is older than 24h.

Can the rule be configured?

You can configure the minimum severity to report:

    {
        "no-vulnerable-libraries": ["error", {
            "severity": "low|medium|high"
        }]
    }

The possible values for severity are low (the default), medium, and high; the rule reports vulnerabilities at the configured severity or above.

If you configure this rule to high and sonar only finds low or medium vulnerabilities, no issues will be raised.
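The check the rule performs and the effect of the severity option can be illustrated with a small script. This is an added example, not sonarwhal's own code and not the real Snyk database: it assumes detected libraries in the shape `{ name, version }` (as a library detector would report them), a constructed vulnerability list whose affected ranges are written as space-separated comparators such as `>=1.2.0 <3.4.0`, and a hypothetical `findVulnerabilities` function that applies the minimum-severity filter. The vulnerability ids and ranges are made-up sample data.

```javascript
// Added example (not sonarwhal's code): match detected library versions
// against a vulnerability list and keep only findings at or above a
// configured minimum severity, mirroring the rule's "severity" option.
// All database entries and detected libraries below are constructed.

const SEVERITY_RANK = { low: 0, medium: 1, high: 2 };

// Constructed sample "database", keyed by library name. Each entry gives the
// affected version range as space-separated comparators (all must hold).
const SAMPLE_VULN_DB = {
  jquery: [
    { id: 'SAMPLE-1', severity: 'medium', vulnerable: '<3.0.0' },
    { id: 'SAMPLE-2', severity: 'low', vulnerable: '>=1.2.0 <3.4.0' },
  ],
  angularjs: [
    { id: 'SAMPLE-3', severity: 'high', vulnerable: '<1.6.5' },
  ],
};

// Parse "1.12.4" into [1, 12, 4]; missing components count as 0.
function parseVersion(v) {
  const parts = String(v).split('.').map((p) => parseInt(p, 10));
  while (parts.length < 3) parts.push(0);
  if (parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

// Numeric, component-wise comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the version satisfies every comparator in the range string.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((comp) => {
    const m = /^(<=|>=|<|>|=)?(.+)$/.exec(comp);
    if (!m) throw new Error(`bad comparator: ${comp}`);
    const [, op = '=', target] = m;
    const c = compareVersions(version, target);
    switch (op) {
      case '<': return c < 0;
      case '<=': return c <= 0;
      case '>': return c > 0;
      case '>=': return c >= 0;
      default: return c === 0;
    }
  });
}

// detected: [{ name, version }]; minSeverity: 'low' | 'medium' | 'high'.
// Returns one finding per (library, vulnerability) pair that matches.
function findVulnerabilities(detected, db, minSeverity = 'low') {
  const threshold = SEVERITY_RANK[minSeverity];
  if (threshold === undefined) throw new Error(`unknown severity: ${minSeverity}`);
  const findings = [];
  for (const lib of detected) {
    for (const vuln of db[lib.name] || []) {
      if (SEVERITY_RANK[vuln.severity] < threshold) continue; // below the bar
      if (!satisfies(lib.version, vuln.vulnerable)) continue; // version not affected
      findings.push({
        library: lib.name,
        version: lib.version,
        id: vuln.id,
        severity: vuln.severity,
      });
    }
  }
  return findings;
}

// Constructed detection result for a page that loads two libraries.
const DETECTED = [
  { name: 'jquery', version: '1.12.4' },
  { name: 'angularjs', version: '1.6.9' },
];

for (const level of ['low', 'medium', 'high']) {
  const found = findVulnerabilities(DETECTED, SAMPLE_VULN_DB, level);
  console.log(`severity >= ${level}: ${found.length} finding(s)`);
  for (const f of found) {
    console.log(`  ${f.library}@${f.version}: ${f.id} (${f.severity})`);
  }
}
```

With the sample data, jQuery 1.12.4 falls inside both of its constructed ranges while AngularJS 1.6.9 is outside its range, so the script reports two findings at `low`, one at `medium`, and none at `high`; that last case is exactly the "no issues raised" behaviour described above.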

Further Reading