But several computer scientists affiliated with the IEEE say that npm packages aren't really as risky as has been suggested.
In a paper titled, "On the Threat of npm Vulnerable Dependencies in Node.js Applications," distributed through ArXiv, boffins Mahmoud Alfadel, Diego Elias Costa, Mouafak Mokhallalati, Emad Shihab, and Bram Adams argue that the dangers of integrating npm libraries into Node.js applications are overstated.
The npm Registry stores software libraries or packages that developers add to apps based on Node.js to implement specific functions. It exists so developers don't have to reinvent the wheel every time they want, for example, to add a routine for pulling URLs from blocks of text; they can just install the URL-grabbing code, via the npm command-line interface, that some other developer wrote and uploaded to the npm Registry.
The registry hosts around 1.4 million packages, and if the security risks of relying on unaudited third-party code aren't sufficient to set off alarm bells, consider that many of these packages depend on other npm packages. So a coding error or a malicious commit in one of these libraries has the potential to affect dependent libraries and all the apps that require a vulnerable package.
Examples of how things have gone wrong include the tampering with npm's
event-stream module in 2018 to make it steal cryptocurrency, a similar situation that arose with
electron-native-notify last year, and the
left-pad debacle in 2016.
The security challenges facing NPM, Inc, the company managing the npm ecosystem, were further complicated by financial resources that didn't keep pace with its popularity, at least until it was purchased by Microsoft's GitHub earlier this year.
Node.js's problems, security and otherwise, even prompted Ryan Dahl, creator of Node.js, to develop a successor runtime called Deno that attempts to provide a better security model, among other improvements.
Yet, the IEEE boffins, after analyzing 6,673 actively used Node.js apps, have found the security situation is not quite as bad as security vendors claim. There are a lot of vulnerabilities in npm packages but most are not that severe.
"Our findings show that although 67.93 per cent of the examined applications depend on at least one vulnerable package, 94.91 per cent of the vulnerable packages in those affected applications are classified as having low threat," they said in their paper.
What's more, among the few apps with high threat dependencies (3.03 per cent), the vast majority (90.8 per cent) had fixes available that had not been applied.
The boffins suggest that the fault here should be assigned to app developers, for not updating their app dependencies to the latest, safest versions, rather than the package maintainer.
"[A] major implication of our study is that application developers need to take updates pushed from their dependencies seriously, or at least actively track their dependencies, since those can lead to very serious effects," the paper concludes. ®