Security warning deluge from 'npm audit' is driving developers to distraction

Can we have less infosec theater, please?

Dan Abramov, a software engineer at Facebook, this week published a plea to silence a particularly vocal JavaScript security tool – and its creators more or less agreed there's room for improvement.

"As of today, npm audit is a stain on the entire npm ecosystem," Abramov declared in a blog post. "The best time to fix it was before rolling it out as a default. The next best time to fix it is now."

According to Abramov, 99 per cent of the vulnerabilities flagged by the command are false alarms in common usage scenarios. And this appears to be a fairly widespread sentiment among npm users.

More than a decade ago, Isaac Schlueter created the npm package manager and co-founded a company under the same name that would later be absorbed by Microsoft's GitHub.

In April 2018, npm version 6 was released, bringing with it the audit command, because security in the npm ecosystem had become something that could no longer be ignored. JavaScript developers using npm could thereafter type npm audit and they'd receive a security analysis of their projects' dependency tree – the various intertwined libraries imported into the project to avoid having to rewrite common functions from scratch.

The problem is that npm audit overcorrected. Where a few years ago JavaScript developers could expect to be blindsided by security problems they never heard about, npm now runs its audit automatically after every npm install command and often produces a flood of vulnerability advisories that may not be easily fixable and may not really apply to the project at hand.

To some extent, the situation is unavoidable given the attack surface in the Node.js ecosystem, where the installation of an average npm package means trusting around 80 other packages due to transitive dependencies. But for Abramov, npm audit produces security warnings in contexts where the risks are not a realistic concern and the alert overload doesn't help anyone involved.

"The root of the issue is that npm added a default behavior that, in many situations, leads to a 99+ per cent false positive rate, creates an incredibly confusing first programming experience, makes people fight with security departments, makes maintainers never want to deal with Node.js ecosystem ever again, and at some point will lead to actually bad vulnerabilities slipping in unnoticed," he wrote.

Original npm crew agree

Kat Marchán, who helped create npm audit fix and is now a senior software engineer at Microsoft, responded via Twitter, "This isn't wrong," while going on to explore some of the tradeoffs involved in security alerts and the decisions that led to the current state of affairs, some of which had to do with NPM's management and labor challenges in 2018 and 2019.

"The feature overall, for the company, was kind of a marketing (scare-ish) tactic to promote its private registry service," Marchán explained. "This isn't to say it was malicious: there was, and still is, a loud clamour for this kind of security visibility/improvement of the ecosystem."

Rebecca Turner, also involved in the creation of npm's auditing feature and now a principal engineer at Microsoft, also responded to Abramov's broadside, acknowledging that NPM's need for revenue shaped some design decisions.

"The start of the theatre was the report of the number of vulnerabilities found," Turner wrote in a Twitter thread. "It didn't report the number of vulnerable modules, but the number of things ever depending on the vulnerable module, producing numbers often larger than the number of modules in the tree."

Turner said she'd have pushed back on that at the time if she'd realized the consequences, but testing didn't show an excessive number of advisories.

"No further development of this feature happened in the main-line life of npm," Turner said. "Priorities and resources were shifted elsewhere in the push for profitability. Discussion around how to make results more manageable was starting to happen the next year…"

"... but between the business pushing to develop those as premium features and the firing of half the CLI team for union organizing (followed by the other half, myself included, resigning) they never went anywhere."

It's not quite so simple as saying union busting broke npm audit. Crafting security alerts that provide just the right amount of information at just the right time in the appropriate context is a challenge. As Marchán put it, "I personally spent a long time workshopping the CLI messages around audit to make them as unobtrusive as possible. But sometimes noise is noise, no matter how much you try to reduce it."

Further code adjustments being considered could improve the situation by providing a manual way to resolve audit warnings, as could Abramov's call for a way to exclude certain transitive dependencies from generating security warnings.
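To make Turner's point about the inflated count concrete, and to sketch the kind of exclusion Abramov is asking for, here is a small added example in JavaScript. It is not code from the article, from npm, or from any of the people quoted; the dependency tree, package names and the single advisory are all constructed for illustration, and "counting every dependency path that ends in a vulnerable module" is one reading of what Turner describes, not a description of npm's actual implementation.

```javascript
// Added example (not from the article or npm): a constructed dependency tree,
// one hypothetical advisory, and two ways of counting what an audit "found".

// Constructed sample tree: key = package, value = its direct dependencies.
// All names are hypothetical. Only "url-parser" has an advisory, and in a
// real install it would be deduplicated into a single node_modules entry.
const tree = {
  app: ["web-framework", "build-tool", "test-runner", "lint-tool"],
  "web-framework": ["http-client", "config-loader", "cli-args"],
  "build-tool": ["http-client", "config-loader", "cli-args"],
  "test-runner": ["http-client", "config-loader", "cli-args"],
  "lint-tool": ["http-client", "config-loader", "cli-args"],
  "http-client": ["url-parser"],
  "config-loader": ["url-parser"],
  "cli-args": ["url-parser"],
  "url-parser": [],
};

// Hypothetical advisory set: module name -> severity.
const advisories = { "url-parser": "moderate" };

// Count distinct installed modules that carry an advisory.
function countVulnerableModules(tree, advisories) {
  return Object.keys(tree).filter((name) => name in advisories).length;
}

// List every dependency path from the root that ends in a vulnerable module.
// This is the "things ever depending on the vulnerable module" style of count:
// one module reached through many parents is reported once per path.
function vulnerablePaths(tree, advisories, root = "app") {
  const paths = [];
  function walk(name, path) {
    if (path.includes(name)) return; // guard against cyclic dependencies
    const next = [...path, name];
    if (name in advisories) paths.push(next.join(" > "));
    for (const dep of tree[name] || []) walk(dep, next);
  }
  walk(root, []);
  return paths;
}

// Crude exclusion: drop any path that passes through a package the project
// has decided is out of scope (for example build-only tooling that never
// runs in production). This is the kind of knob the article says is missing.
function filterPaths(paths, excluded) {
  return paths.filter(
    (p) => !p.split(" > ").some((name) => excluded.includes(name))
  );
}

// Summary a practitioner would actually want to compare.
function summarize(tree, advisories, excluded = []) {
  const paths = vulnerablePaths(tree, advisories);
  return {
    modulesInTree: Object.keys(tree).length,
    vulnerableModules: countVulnerableModules(tree, advisories),
    reportedPaths: paths.length,
    pathsAfterExclusion: filterPaths(paths, excluded).length,
  };
}

console.log(summarize(tree, advisories, ["build-tool", "test-runner", "lint-tool"]));
```

With this tree there are nine modules and one vulnerable one, yet the per-path count reports twelve, which is the "larger than the number of modules in the tree" effect Turner describes; excluding the three build-time tools drops that to three paths, all of which genuinely reach the vulnerable module through the runtime framework.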

But calibrating the level of security concern to be appropriate for every individual and situation is a thankless task: dial back the frantic hand-waving too much, and the mitigation advice that gets suppressed along with it might just lead to the next SolarWinds or Kaseya compromise. ®

Biting the hand that feeds IT © 1998–2022