Updating packages
A very common source of vulnerabilities in web applications is vulnerable dependent packages. This is especially true if the application is using an older version of a package when a new, more secure version is available. To mitigate against this, we can periodically check for known vulnerabilities and, crucially, update the packages as often as possible.
Importance of lockfiles
By using npm and PDM, we are using lockfiles; this means that we’ll always install the same package version on any system until we change the lockfile. Without a lockfile, we would quickly be in a position where different systems run with different package versions and potentially different packages. This would make it hard to diagnose bugs, as it may depend on a version we aren’t testing. Crucially though, it would make our app less secure as we would have no control over what was installed.
Periodically checking for vulnerabilities
In our app, we are using many...