The NodeSource Blog

Announcing Improved Scoring in Certified Modules

We are excited to announce that NCM 1.1, the latest NCM release, is now available!

What’s New in NCM 1.1?

This release features critical enhancements to our Certification Scoring, improvements in package vulnerability scanning, and an improved whitelisting protocol that developers can wield with surgical precision.

Updated Certification Scoring

NCM still analyzes all of the same critical data to determine a Certification score -- packages are checked against a database of known vulnerabilities, and vulnerability type, license type, the package’s maintenance, support, and documentation quality are all factored in to provide the final score.

However, the algorithm that combines the above data into a meaningful score led to some unintended problems for NCM users in 1.0. Principally, if a nested dependency received a prohibitively low Certification Score, and was thus prevented from installing, the parent package would also be blocked automatically.

In NCM 1.1, the Certification process avoids some scoring information that was leading to these false positives. The final score now ignores vulnerability and licensing information of the package’s dependencies, but still warns your team of the potentially problematic nature of the dependencies. With low-scoring dependencies no longer having a negative impact on the score of a parent package, this update makes it clearer to developers which modules are safe vs not, and allows more granular control of whitelisting.

Real-time Vulnerability Scanning

The updates to NCM in 1.1 have standardized higher frequency scanning, with real-time vulnerability awareness worked directly into the flow of development.

Precise Whitelisting

The prohibitively low scores of dependencies with vulnerabilities or incorrect license types used to stop teams in their tracks. To circumvent this, a team’s admin could opt to whitelist a package (and all associated dependencies). The whitelisting protocol in 1.0 applied to the parent package, even if the vulnerability/license infraction existed in a nested dependency, meaning a lot of modules were indiscriminately whitelisted in the process.

As these suboptimal scores are no longer factored into the final Certification Score, the roadblock of questionable dependencies can now be more easily skirted. If a package does need to be whitelisted, NCM 1.1 now allows for far more precise whitelisting, targeting specific packages instead of major swaths of dependency trees.