Not Particularly Mortifying: IEEE eggheads probe npm registry, say JavaScript libs not as insecure as feared

Oh sure, there are plenty of flaws in those packages though not even one in ten are anything to worry about

For the past few years, the security of JavaScript software packages available through the Node Package Manager, or npm, has been the subject of skepticism as a result of blunders, brouhahas, and tepid countermeasures.

But several computer scientists affiliated with the IEEE say that npm packages aren't really as risky as has been suggested.

In a paper titled "On the Threat of npm Vulnerable Dependencies in Node.js Applications," distributed through arXiv, boffins Mahmoud Alfadel, Diego Elias Costa, Mouafak Mokhallalati, Emad Shihab, and Bram Adams argue that the dangers of integrating npm libraries into Node.js applications are overstated.

The npm Registry stores software libraries or packages that developers add to apps based on Node.js to implement specific functions. It exists so developers don't have to reinvent the wheel every time they want, for example, to add a routine for pulling URLs from blocks of text; they can just install the URL-grabbing code, via the npm command-line interface, that some other developer wrote and uploaded to the npm Registry.

The registry hosts around 1.4 million packages, and if the security risks of relying on unaudited third-party code aren't sufficient to set off alarm bells, consider that many of these packages depend on other npm packages. So a coding error or a malicious commit in one of these libraries has the potential to affect dependent libraries and all the apps that require a vulnerable package.

Examples of how things have gone wrong include the tampering with npm's event-stream module in 2018 to make it steal cryptocurrency, a similar situation that arose with electron-native-notify last year, and the left-pad debacle in 2016.

The security challenges facing NPM, Inc, the company managing the npm ecosystem, were further complicated by financial resources that didn't keep pace with its popularity, at least until it was purchased by Microsoft's GitHub earlier this year.

Node.js's problems, security and otherwise, even prompted Ryan Dahl, creator of Node.js, to develop a successor runtime called Deno that attempts to provide a better security model, among other improvements.

Yet, the IEEE boffins, after analyzing 6,673 actively used Node.js apps, have found the security situation is not quite as bad as security vendors claim. There are a lot of vulnerabilities in npm packages but most are not that severe.

"Our findings show that although 67.93 per cent of the examined applications depend on at least one vulnerable package, 94.91 per cent of the vulnerable packages in those affected applications are classified as having low threat," they said in their paper.

What's more, among the few apps with high threat dependencies (3.03 per cent), the vast majority (90.8 per cent) had fixes available that had not been applied.

The boffins suggest that the fault here should be assigned to app developers, for not updating their app dependencies to the latest, safest versions, rather than to the package maintainers.

"[A] major implication of our study is that application developers need to take updates pushed from their dependencies seriously, or at least actively track their dependencies, since those can lead to very serious effects," the paper concludes. ®
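The paper's two measurements, the share of vulnerable dependencies that are low threat and the share of serious ones that already have an unapplied fix, can be computed for your own app from its audit output. The block below is an added example, not code from the paper or from The Register; it assumes the report shape emitted by `npm audit --json` on npm 7+ (`auditReportVersion` 2), and `SAMPLE_REPORT` is constructed sample data rather than a real audit.

```javascript
// Added example, not code from the paper or the article: summarise a dependency
// audit the way the study does, counting how many vulnerable packages are low
// threat and how many serious ones already have a fix. The report shape follows
// `npm audit --json` (npm 7+, auditReportVersion 2); SAMPLE_REPORT is
// constructed sample data, not a real audit.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "pkg-a": { name: "pkg-a", severity: "low", isDirect: false, range: "<1.0.2", fixAvailable: true },
    "pkg-b": { name: "pkg-b", severity: "low", isDirect: true, range: "<2.1.0", fixAvailable: true },
    "pkg-c": { name: "pkg-c", severity: "moderate", isDirect: false, range: "<0.5.0", fixAvailable: false },
    "pkg-d": { name: "pkg-d", severity: "high", isDirect: true, range: "<4.0.0",
               fixAvailable: { name: "pkg-d", version: "4.0.1", isSemVerMajor: true } },
    "pkg-e": { name: "pkg-e", severity: "critical", isDirect: false, range: "*", fixAvailable: false },
  },
};

const SERIOUS = new Set(["high", "critical"]);

// npm reports fixAvailable as true, false, or an object naming the version to
// move to (possibly a semver-major bump); both truthy forms count as a fix.
function hasFix(entry) {
  const f = entry.fixAvailable;
  return f === true || (typeof f === "object" && f !== null);
}

// Percentage rounded to two decimals, the precision the paper quotes.
function pct(n, d) {
  return d === 0 ? 0 : Math.round((n / d) * 10000) / 100;
}

function summarizeAudit(report) {
  const entries = Object.values(report.vulnerabilities || {});
  const low = entries.filter((e) => e.severity === "low");
  const serious = entries.filter((e) => SERIOUS.has(e.severity));
  const seriousWithFix = serious.filter(hasFix);
  return {
    total: entries.length,
    lowPercent: pct(low.length, entries.length),
    seriousCount: serious.length,
    seriousWithFixPercent: pct(seriousWithFix.length, serious.length),
    // Serious findings the app owner can close today just by updating.
    actionable: seriousWithFix.map((e) =>
      `${e.name} ${e.range} -> ${e.fixAvailable === true ? "update" : e.fixAvailable.version}`),
  };
}

console.log(JSON.stringify(summarizeAudit(SAMPLE_REPORT), null, 2));
```

For a real project, run `npm audit --json > audit.json` and pass the parsed file to `summarizeAudit`; a non-empty `actionable` list is exactly the "fix available but not applied" case the paper flags.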
