I'm using many Node.js modules through npm package manager. Since these modules are not developed by trusted organisations, are they trustworthy?
I don't know whether the npm team is doing any security checks for each module submitted by developers.
The company claims it found more than 1,300 malicious npm packages on npm in 2021. That's bad, but 1,300 out of 1.8 million is only 0.007222%. If you were to just randomly grab JavaScript packages for your program, odds are you'll be safe.
NPM is not doing any checks whatsoever. They are just a registry. The whole thing is built on the trust in the dev community and sharing.
Most node modules are open source and you can review their code in their repository (usually GitHub). So that's the best way to 'trust' them. Some node modules give you prebuilt native binaries, so that might be riskier in a way, but if it is popular (like ws for example) then I see no issue. You can also check the npm publisher user, which sometimes is a known company like Oracle.
The idea is to find the most popular npm modules. You can do this by checking the stars on each project.
Some tips:
Use npm to manage dependencies in your dev environment, but not in your deployment scripts.
Tools like npm are development tools. They’re a convenient way to download and update modules. They’re not deployment tools, have never been deployment tools, and should not be used for deployment!
Use npm shrinkwrap in the development repository and check in the result. This will lock your module versions in place, including sub-dependencies.
More details here