{"success":true,"course":{"concept_key":"CONCEPT#6f7cf76dc064d5f17dc815693cea4e65","final_learning_outcomes":["Identify and explain how deep dependencies introduce security risk.","Assess vulnerability severity using industry standards.","Execute safe, non-breaking package updates.","Implement lockfiles and npm ci for reproducible secure builds.","Configure CI trusted publishing to defend against supply-chain attacks."],"description":"Learn to recognise dependency risks, assess vulnerability severity, update safely, and implement modern supply-chain defences. By the end, you’ll confidently secure any npm-based project.","created_at":"2025-12-17T15:33:12.632743+00:00","average_segment_quality":7.750000000000001,"pedagogical_soundness_score":8.7,"title":"Hardening Your npm Projects Against Threats","generation_time_seconds":113.20981192588806,"segments":[{"duration_seconds":266.479,"concepts_taught":["Primary vs. secondary dependencies","Graph view of dependency trees","Definition of dependency hell","Flat node_modules structure (npm v3+)","Version-conflict scenario"],"quality_score":7.700000000000001,"before_you_start":"You already know npm manages the libraries your project relies on. Now, let’s look at how those very conveniences can turn into headaches—and security nightmares—when dependencies start pulling in even more code. In this first module you’ll discover what ‘dependency hell’ really means and why it matters for security.","title":"Why Dependency Hell Endangers Security","url":"https://www.youtube.com/watch?v=9AyfXGHu56Y&t=0s","sequence_number":1.0,"prerequisites":["Basic command-line usage","General idea of software packages"],"learning_outcomes":["Explain the terms primary and secondary dependency","Describe what causes dependency hell in npm projects","Illustrate npm’s flat installation layout and why it matters"],"video_duration_seconds":596.0,"transition_from_previous":{"suggested_bridging_content":"","from_segment_id":"","overall_transition_score":0.0,"to_segment_id":"9AyfXGHu56Y_0_266","pedagogical_progression_score":0.0,"vocabulary_consistency_score":0.0,"knowledge_building_score":0.0,"transition_explanation":"N/A for first"},"segment_id":"9AyfXGHu56Y_0_266","micro_concept_id":"npm_security_overview"},{"duration_seconds":560.3,"concepts_taught":["Purpose of package.json","node_modules and dependency trees","Semantic versioning (major, minor, patch)","Safe package updating with ^ and ~","Role of package-lock.json"],"quality_score":7.675000000000001,"before_you_start":"Now that you’ve seen why runaway dependencies pose a threat, it’s time to zoom out and map the entire tree—direct and transitive. This segment walks you through package.json and semantic versioning so you can pinpoint where risk hides deeper in the hierarchy.","title":"Mapping Your Full Dependency Tree","url":"https://www.youtube.com/watch?v=P3aKRdUyr0s&t=284s","sequence_number":2.0,"prerequisites":["Basic idea of npm and package installation","Comfort with reading JSON-style files"],"learning_outcomes":["Create and interpret package.json files","Trace dependency relationships in node_modules","Apply semantic versioning concepts","Update packages safely using version constraints","Explain why package-lock.json prevents version conflicts"],"video_duration_seconds":866.0,"transition_from_previous":{"suggested_bridging_content":"","from_segment_id":"9AyfXGHu56Y_0_266","overall_transition_score":8.45,"to_segment_id":"P3aKRdUyr0s_284_845","pedagogical_progression_score":8.0,"vocabulary_consistency_score":9.0,"knowledge_building_score":9.0,"transition_explanation":"Builds directly on the ‘hell’ concept by showing the actual structure and files involved."},"segment_id":"P3aKRdUyr0s_284_845","micro_concept_id":"dependency_tree_risks"},{"duration_seconds":365.95,"concepts_taught":["CVE identifiers","CVSS risk scoring","CWE software weaknesses","CPE product naming","CAPEC attack patterns","Relationship between the five systems"],"quality_score":7.875000000000001,"before_you_start":"With your dependency tree in hand, the next challenge is deciding which issues deserve immediate attention. Here you’ll learn how CVE identifiers and CVSS scores quantify risk, giving you an objective lens to triage vulnerabilities.","title":"Evaluating CVE and CVSS Severity","url":"https://www.youtube.com/watch?v=A4fryoYxWko&t=0s","sequence_number":3.0,"prerequisites":["Basic idea of software vulnerabilities","General IT product awareness (software vs hardware)"],"learning_outcomes":["Define CVE, CVSS, CWE, CPE and CAPEC","Interpret a CVE ID’s two-part structure","Infer severity from a CVSS score range","Differentiate between a vulnerability and an underlying weakness","Identify the framework that names affected products","Explain why attack pattern catalogues such as CAPEC are useful"],"video_duration_seconds":366.0,"transition_from_previous":{"suggested_bridging_content":"","from_segment_id":"P3aKRdUyr0s_284_845","overall_transition_score":8.15,"to_segment_id":"A4fryoYxWko_0_366","pedagogical_progression_score":8.0,"vocabulary_consistency_score":9.0,"knowledge_building_score":8.0,"transition_explanation":"Moves from structural understanding to risk quantification, a logical next step."},"segment_id":"A4fryoYxWko_0_366","micro_concept_id":"vulnerability_severity"},{"duration_seconds":388.881,"concepts_taught":["Flat vs. nested installation review","Installing conflicting lodash versions","Semantic versioning numbers","npm nesting secondary node_modules on conflict","Visualising dependency trees","Strategies to avoid redundant installs"],"quality_score":7.825000000000001,"before_you_start":"Knowing a vulnerability’s severity is only half the battle—you still need to fix it without breaking everything. This lesson demonstrates how to navigate version conflicts and perform targeted, safe updates using semantic versioning best practices.","title":"Strategy for Safe Package Updates","url":"https://www.youtube.com/watch?v=9AyfXGHu56Y&t=190s","sequence_number":4.0,"prerequisites":["Familiarity with node_modules layout","Basic CLI usage"],"learning_outcomes":["Describe npm’s behaviour when major versions conflict","Interpret semantic version numbers","Use npm ls to inspect dependency trees","Explain why redundant installs happen and how to mitigate them"],"video_duration_seconds":596.0,"transition_from_previous":{"suggested_bridging_content":"","from_segment_id":"A4fryoYxWko_0_366","overall_transition_score":8.7,"to_segment_id":"9AyfXGHu56Y_190_579","pedagogical_progression_score":8.0,"vocabulary_consistency_score":9.0,"knowledge_building_score":9.0,"transition_explanation":"Applies the severity knowledge to concrete update actions."},"segment_id":"9AyfXGHu56Y_190_579","micro_concept_id":"mitigation_update"},{"duration_seconds":379.05,"concepts_taught":["Role of package.json","Purpose of package-lock.json","Problems caused by npm install after cloning","Benefits of npm ci","Using git to revert lock-file mistakes","Best practices for CI pipelines"],"quality_score":7.700000000000001,"before_you_start":"After mastering update strategies, it’s crucial to keep those vetted versions consistent across every environment. Here you’ll discover how package-lock.json and npm ci work together to lock down your supply chain and avoid unexpected, risky changes.","title":"Lockfiles and npm ci for Defense","url":"https://www.youtube.com/watch?v=jHkIXYVpMTo&t=0s","sequence_number":5.0,"prerequisites":["Basic Git commands (clone, status, commit)","Familiarity with npm and Node.js projects"],"learning_outcomes":["Explain why npm ci is preferred over npm install after cloning","Identify the purpose of package-lock.json","Install dependencies with exact, tested versions using npm ci","Revert unintended lock-file changes with git checkout","Apply best practices in CI pipelines for consistent dependency versions"],"video_duration_seconds":385.0,"transition_from_previous":{"suggested_bridging_content":"","from_segment_id":"9AyfXGHu56Y_190_579","overall_transition_score":8.05,"to_segment_id":"jHkIXYVpMTo_0_379","pedagogical_progression_score":8.0,"vocabulary_consistency_score":9.0,"knowledge_building_score":8.0,"transition_explanation":"From updating packages to ensuring updates stay consistent across installs."},"segment_id":"jHkIXYVpMTo_0_379","micro_concept_id":"supply_chain_defense"},{"duration_seconds":600.441,"concepts_taught":["Trusted publishing for npm","Provenance verification","CI enforcement GitHub action","PNPM security defaults","Minimum release-age setting"],"quality_score":7.7250000000000005,"before_you_start":"You’ve locked down dependencies locally; now it’s time to harden the publishing pipeline itself. In this final module, you’ll learn how CI-based trusted publishing and alternative managers like PNPM further protect against token leaks and malicious package uploads.","title":"Trusted Publishing & Advanced Defences","url":"https://www.youtube.com/watch?v=o6pg0VeqGyA&t=224s","sequence_number":6.0,"prerequisites":["Basic CI/CD knowledge","Familiarity with npm workflows"],"learning_outcomes":["Configure Trusted Publishing in CI","Use CI checks to enforce provenance","Leverage PNPM security features including minimum-release-age"],"video_duration_seconds":842.0,"transition_from_previous":{"suggested_bridging_content":"","from_segment_id":"jHkIXYVpMTo_0_379","overall_transition_score":9.0,"to_segment_id":"o6pg0VeqGyA_224_824","pedagogical_progression_score":9.0,"vocabulary_consistency_score":9.0,"knowledge_building_score":9.0,"transition_explanation":"Extends lockfile principles to the broader release workflow."},"segment_id":"o6pg0VeqGyA_224_824","micro_concept_id":"supply_chain_defense"}],"prerequisites":["Basic command-line skills","Fundamental understanding of Node.js and npm","General web-development workflow familiarity"],"micro_concepts":[{"prerequisites":[],"learning_outcomes":["Recognize main security risks within npm ecosystem","Explain how third-party packages can introduce vulnerabilities"],"difficulty_level":"beginner","concept_id":"npm_security_overview","name":"NPM Security Overview","description":"Introduce why npm security matters, common threat types, and how vulnerabilities enter projects through dependencies.","sequence_order":0.0},{"prerequisites":["npm_security_overview"],"learning_outcomes":["Visualize full dependency tree with direct and transitive packages","Identify high-risk deep dependencies"],"difficulty_level":"beginner","concept_id":"dependency_tree_risks","name":"Understanding Dependency Tree","description":"Explore how direct and transitive dependencies form a tree, increasing attack surface and complicating updates.","sequence_order":1.0},{"prerequisites":["dependency_tree_risks"],"learning_outcomes":["Run npm audit and interpret severity levels","Apply npm audit fix while noting potential breaking changes"],"difficulty_level":"intermediate","concept_id":"npm_audit_tool","name":"Using npm audit","description":"Demonstrate npm audit, interpreting its JSON output, and applying npm audit fix responsibly.","sequence_order":2.0},{"prerequisites":["npm_audit_tool"],"learning_outcomes":["Explain CVSS and npm severity labels","Prioritize vulnerabilities based on project impact"],"difficulty_level":"intermediate","concept_id":"vulnerability_severity","name":"Assessing Vulnerability Severity","description":"Teach CVSS scores, critical/high/medium/low labels, and factors like exploitability and package usage context.","sequence_order":3.0},{"prerequisites":["vulnerability_severity"],"learning_outcomes":["Choose correct mitigation strategy for a given vulnerability","Execute safe updates using semantic version modifiers"],"difficulty_level":"intermediate","concept_id":"mitigation_update","name":"Mitigation Update Strategies","description":"Compare updating, patching, replacing, or temporarily removing packages; cover semantic versioning and changelog checks.","sequence_order":4.0},{"prerequisites":["mitigation_update"],"learning_outcomes":["Implement preventative measures against malicious packages","Use lockfiles to ensure reproducible, verified installs"],"difficulty_level":"advanced","concept_id":"supply_chain_defense","name":"Preventing Supply Chain Attacks","description":"Cover techniques like vetting maintainers, checking package popularity, using lockfiles, and disabling install scripts.","sequence_order":5.0}],"selection_strategy":"Start precisely at the learner’s ZPD boundary (they already grasp npm basics but missed mitigation). Chose the highest-quality self-contained segments that collectively cover the micro-concept chain while progressively increasing complexity and directly targeting the misconception about updating vulnerable packages.","updated_at":"2026-03-05T08:38:51.863818+00:00","generated_at":"2025-12-17T15:32:44Z","overall_coherence_score":8.46,"interleaved_practice":[{"difficulty":"mastery","correct_option_index":2.0,"question":"Your team discovers a medium-severity CVE in a deep transitive dependency. Which FIRST action best balances risk and project stability?","option_explanations":["Incorrect—premature removal may break builds.","Incorrect—locks current vulnerable state, no fix.","Correct—targets the vulnerability with minimal disruption.","Incorrect—manager change doesn’t fix the vulnerable code."],"options":["Remove the entire top-level package immediately","Run npm ci to ensure everyone reproduces the bug","Search for a patched version or drop-in alternative","Switch the project to PNPM to avoid flat installs"],"question_id":"qp1","related_micro_concepts":["vulnerability_severity","mitigation_update"],"discrimination_explanation":"A patched update or compatible alternative removes the vulnerability while preserving functionality. Simply reproducing the bug (npm ci) or changing the package manager doesn’t mitigate the flaw, and wholesale removal is disruptive without evaluating options."},{"difficulty":"mastery","correct_option_index":2.0,"question":"During CI, a contributor’s pull request unexpectedly changes package-lock.json. What risk does this introduce if merged unchecked?","option_explanations":["Partially true but focuses on build errors, not security.","A conflict may occur, but dual installs aren’t guaranteed.","Correct—silent upgrades may smuggle new vulnerabilities.","npm ci still works; it just installs whatever the new lockfile states."],"options":["Breaks semantic versioning rules causing build failure","Allows unresolved version conflicts to force dual installs","Potentially pulls unreviewed newer dependencies with vulnerabilities","Disables npm ci from reproducing builds on other machines"],"question_id":"qp2","related_micro_concepts":["dependency_tree_risks","supply_chain_defense"],"discrimination_explanation":"Modifying the lockfile can advance sub-dependencies silently, introducing code that auditors haven’t vetted, including vulnerable versions. The other options are side-effects but not the core security risk."},{"difficulty":"mastery","correct_option_index":1.0,"question":"Which feature of Trusted Publishing MOST reduces the threat of stolen npm auth tokens?","option_explanations":["Incorrect—hashing ensures consistency, not token safety.","Correct—CI signs releases without local secrets.","Incorrect—structure impacts deduplication, not auth.","Incorrect—pinning controls versions, not credentials."],"options":["Lockfile hashing","CI-based provenance signatures","Flat node_modules structure","Semantic version range pinning"],"question_id":"qp3","related_micro_concepts":["supply_chain_defense"],"discrimination_explanation":"Trusted Publishing generates provenance signatures within CI, eliminating the need for long-lived local tokens that can be stolen. The other options help consistency but don’t directly remove token exposure."},{"difficulty":"mastery","correct_option_index":2.0,"question":"You run npm audit and see two HIGH and five LOW issues. Based on CVSS principles, which factor might elevate a LOW issue to high-priority in your project?","option_explanations":["Incorrect—physical access lowers urgency.","Incorrect—dev-only limits production exposure.","Correct—public exploit + prod path magnifies risk.","Incorrect—absence of fix affects mitigation options, not severity."],"options":["Exploit requires physical access","Package used only in dev scripts","Exploit code is publicly available and the vulnerable path is production-critical","The CVE has no published fix yet"],"question_id":"qp4","related_micro_concepts":["vulnerability_severity"],"discrimination_explanation":"Public exploit code plus critical runtime usage increases real-world risk, justifying urgent action despite a LOW label. Physical-access requirements, dev-only usage, or lack of fix don’t inherently raise priority."},{"difficulty":"mastery","correct_option_index":2.0,"question":"After updating lodash to resolve a vulnerability, tests fail due to breaking API changes. What semantic-versioning rule likely explains this?","option_explanations":["Incorrect—patches fix bugs, no breaking APIs.","Incorrect—minor adds features without breaking.","Correct—major signals breaking changes.","Incorrect—pre-release tags are opt-in, not automatic."],"options":["Patch bump introduced experimental flags","Minor version added new endpoints","Major version increment contained backward-incompatible changes","Pre-release tag overwrote stable version"],"question_id":"qp5","related_micro_concepts":["mitigation_update"],"discrimination_explanation":"Only a major version bump signals breaking API changes under semver, explaining why the update broke tests. Patch and minor bumps are backwards-compatible; pre-release tags never overwrite stables by default."}],"target_difficulty":"intermediate","course_id":"course_1765984843","image_description":"Sophisticated, realistic graphic aimed at high-school to adult learners. Foreground: a developer’s desk with an open laptop displaying a colourful dependency tree diagram; several nodes glow red to indicate vulnerabilities. Middle ground: a translucent shield icon overlays the screen, symbolising protection. Background: subtle silhouettes of cloud CI pipelines and padlocks, hinting at supply-chain defence. Palette uses cool tech blues and vibrant safety greens with a touch of alert red on vulnerable nodes. Composition reserves the top third as clear space for course title placement. The focal point is the glowing shield centred over the dependency graph, drawing the viewer’s eye toward security. The mood is proactive and empowering, signalling that learners will gain control over npm risks.","tradeoffs":[],"image_url":"https://course-builder-course-thumbnails.s3.us-east-1.amazonaws.com/courses/course_1765984843/thumbnail.png","generation_progress":100.0,"all_concepts_covered":["Dependency Hell and Security Risk","Visualising Dependency Trees","CVE Identifiers and CVSS Scoring","Semantic Versioning Update Strategies","Lockfile-Based Supply-Chain Defence","CI-Driven Trusted Publishing"],"created_by":"Rahul Subramaniam","generation_error":null,"rejected_segments_rationale":"XSS, SSRF, code-injection, worm-specific segments were skipped as they don’t advance the chosen micro-concept chain or would overshoot the 60-minute limit.","considerations":["No dedicated npm audit demo segment—supplemental reading may be suggested.","Two segments share the same micro-concept (supply_chain_defense); ensure redundancy adds value."],"assembly_rationale":"Selected six high-quality, self-contained segments that map cleanly onto the most relevant micro-concepts for npm security, respecting time limits and increasing complexity. The course begins with conceptual risk, moves through assessment and mitigation, and ends with organisational defences, directly addressing the learner’s demonstrated misconception.","user_id":"google_102157240803562925683","strengths":["Progressive complexity maintains cognitive load balance.","Directly remedies pre-test misconception about mitigation.","Diverse media keeps engagement within 60-minute budget."],"key_decisions":["9AyfXGHu56Y_0_266: Opens with dependency hell—perfect simple security overview.","P3aKRdUyr0s_284_845: Builds on overview with deeper tree/semver—moderate.","A4fryoYxWko_0_366: Introduces CVE & CVSS, needed for assessing severity—complexity uptick.","9AyfXGHu56Y_190_579: Shows practical update strategy, addresses learner’s wrong answer—moderate-complex.","jHkIXYVpMTo_0_379: Adds lockfile defence technique—complex supply-chain prevention.","o6pg0VeqGyA_224_824: Culminates with CI-based trusted publishing—highest complexity."],"estimated_total_duration_minutes":42.0,"is_public":true,"generation_status":"completed","generation_step":"completed"}}