How can we trust npm modules?

I use many Node.js modules through the npm package manager. Since these modules are not designed by trusted organizations, are they trustworthy?

I do not know if the npm team performs any security checks for each module submitted by the developers.

+10
8 answers

NPM does not do any checks at all. They are just a registry. All of this is based on trust in the developer community and sharing.

Most node modules are open source, and you can view their code in their repository (usually GitHub). That is the best way to "trust" them. Some node modules give you prebuilt native binaries, so this may be more risky, but if it is popular (like ws) then I don't see a problem. You can also check the NPM publisher user, who is sometimes a well-known company such as Oracle.

+9

The idea is to find the most popular npm modules. You can do this by checking the stars in each project.

Some tips:

Use npm to manage dependencies in your dev environment, but not in deployment scripts.

Tools like npm are development tools. They're a convenient way to download and update modules. They're not deployment tools, they were never deployment tools and should not be used for deployment!

Use npm shrinkwrap in the development repository and check the result. This will block your versions of modules in place, including subdependencies.

More here

+1

There are several programs available from npm that can work against your package.json and check for known vulnerabilities. Not perfect, but a great start. The one I used is called nsp, but there are others.

+1

Update - June 2019

npm@6 includes security checks. You can run npm audit to recursively analyze your dependency tree to determine exactly what is unsafe.

Version 2016

You can use the nsp tool provided by Node Security Platform, which helps to check all the modules from your package.json:

  npm install nsp --global
  nsp check

More information here: https://nodesecurity.io/opensource

+1

Yes! Almost all node modules are open source, so you can really see the code executed by the module. This can help you build trust in the package that you are about to use in your application.

0

It is not very safe because these modules are not developed by an organization like php / apache, but it is a good technology, and you can also use the nsp module to check for security problems in node modules.

Additional Information

0

In fact, I do not use many packages:

1) express
2) body and cookie-parser (sometimes I'm lazy to write middleware),
3) mongoose
4) pug
5) request
6) async
7) lodash,
8) string

Everything else I write myself and put in the "components" folder.

Most people are so lazy that they do:

  const md5 = require('md5');
  let data = 'something';
  data = md5(data);

but I do it with crypto (it is included by default in all versions of Node.js):

  const crypto = require('crypto');
  let data = 'something';
  data = crypto
    .createHash('md5')
    .update(data.toString())
    .digest('hex');

My logic for not using a package:

1) if the package is small (I always read the package files if it is unknown to me)
2) version no higher than 1.0.0 (no guarantees that will go further)
3) no recent iterations (commits) in the repository

btw, nsp check on my application says: (+) No known vulnerabilities found (:

0

If you install a package that you do not trust, you can avoid this vulnerability by running:

  npm install --ignore-scripts

Read more ... here

Here is a terrific blog post that can give you a clear picture.

-1
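An added example, not from any of the answers above, of the review the last two answers describe: a Node script that checks dependency manifests for install-time lifecycle scripts (the risk that `--ignore-scripts` avoids) and for versions below 1.0.0. The manifests and package names are constructed placeholders, not real packages.

```javascript
// Added example: review a dependency's package.json before trusting it.
// Flags lifecycle scripts that npm runs automatically on `npm install`
// (the behaviour `npm install --ignore-scripts` suppresses) and versions
// below 1.0.0, as in the review rules given in the answers above.

// Scripts npm executes during installation of a registry package.
const LIFECYCLE_SCRIPTS = ['preinstall', 'install', 'postinstall'];

// Review one manifest object (the parsed package.json of a dependency).
function reviewManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const name of LIFECYCLE_SCRIPTS) {
    if (Object.prototype.hasOwnProperty.call(scripts, name)) {
      findings.push(`runs "${name}" script on install: ${scripts[name]}`);
    }
  }
  // Semver major component; a missing or malformed version is treated as 0.
  const major = Number(String(manifest.version || '0.0.0').split('.')[0]) || 0;
  if (major < 1) {
    findings.push(`version ${manifest.version} is below 1.0.0`);
  }
  return { name: manifest.name, trusted: findings.length === 0, findings };
}

// Review a list of manifests and return only those needing a closer look.
function reviewDependencies(manifests) {
  return manifests.map(reviewManifest).filter((result) => !result.trusted);
}

// Constructed sample manifests; the names are placeholders, not real packages.
const SAMPLE_MANIFESTS = [
  { name: 'example-clean', version: '2.3.1', scripts: { test: 'mocha' } },
  { name: 'example-native', version: '1.4.0', scripts: { install: 'node-gyp rebuild' } },
  { name: 'example-young', version: '0.2.0', scripts: {} },
];

for (const result of reviewDependencies(SAMPLE_MANIFESTS)) {
  console.log(`${result.name}: ${result.findings.join('; ')}`);
}
```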
