The NodeSource Blog

How to Reduce Risk and Improve Security Around npm

This week there was a security scare with npm and several modules that were typosquatting and getting a decent number of downloads. The module that kicked off the discussion was a module that was a slight misspelling of Kent Dodd’s cross-env - a module with approximately 1.4 million downloads in the last month.

The module that was typosquatting simply dropped the - from the name. The intent was to capture installs when a user installed crossenv, missing the - in the actual module’s name.

We’ve seen a few security explosions from the community around npm in recent history. Left-pad, npm-cdn, and issues around weak npm credentials - even as the issue with typosquatting was developing, another issue around hijacked browser extensions using npm modules via unpkg.com.

Security is an issue that’s inherent with pulling in third-party, community maintained, open-source code without checks and balances. There is nothing inherently wrong with the way npm is set up or has approached modules and security - quite the opposite.

The approach that both npm and Node.js have taken has opened up a space for experts, community, and individuals to contribute and grow the security story around the npm ecosystem in an impactful and sustainable way. One of my personal biggest pet peeves is looking at the state of things now and thinking we’re at the peak of security, technology, and code - in reality, the stories around multiple aspects of npm and Node.js are still being teased out, and we’re just at the beginning.

Today I’ve collected a suite of projects that are focused on building out and improving the security story around the npm ecosystem. There's a suite of tools that offer polyglot solutions to issues presented, but address the breadth of the entire developer ecosystem and not the depth of the unique security topics around the npm ecosystem.

In this post, I’ll be focusing on some of the tools, resources, and projects address specific issues around security with Node.js and npm.

Products Built to Improve Security Around npm

As mentioned earlier, there are a ton of products that offer polyglot solutions - address every instance of security in your entire team or organization. There are a few, though, that mainly focus on npm.

Node Security Project, or nsp is a project that discovers and shares security vulnerabilities in npm modules as advisories. They do a pretty good job and provide a bunch of integrations - GitHub CI/CD, VS Code, and several others.

Like NSP, Snyk is a project that actively searches for and responsibly discloses npm vulnerabilities. They’re extremely active, and surface vulnerabilities both big and small consistently. You can also pipe them into GitHub CI/CD, get alerts in Issues, and integrate into a bunch of deployment targets.

Certified Modules is a bit of a different beast than what Snyk or NSP offers - instead of passively scanning apps and package.json files, it’s an independent npm registry that you can set up with an npm config command, and then pull your modules directly from a unique registry. The security features with Certified Modules stem from a certification process that runs against every version of every module, checking it and its dependencies for security vulnerabilities, OSS licenses, and several other package quality statistics.

npm and Node.js Security Resources

vscode-nsp is a pretty simple extension for Visual Studio Code that will check package.json and npm-shrinkwrap.json file against the nsp advisories and let you know if there are advisories that apply to the modules you’re using.

nscm is a CLI tool for Certified Modules that adds some pretty powerful functionality on top of the Certified Modules platform. One of my favorite features is the SVG dependency graph that will build out an SVG chart using Graphviz and help visualize any module or application’s dependencies and their scores from the certification process.

The Node.js Security WG is a more general place to find and participate in discussions around npm, Node.js, and ecosystem security. The WG seems to be picking up some more steam as of late, so be sure to head over and jump in if you’re interested in participating. Additionally, the node-sec mailing list is a helpful tool to be alerted about Node.js security vulnerabilities as they are made public, including about modules that are maintained by the Org and bundled into the core project.

If you’re deploying web apps, Helmet is a great tool to apply security policies easily and quickly to your app - this can be helpful if and when a module that interacts with the client has a vulnerability in one of the twelve areas it covers apps.

npm and Node.js Security Blogs

There are a few blogs that you can follow to keep you up to date on security in the world of npm and Node.js. Personally, I’ve added them all to a Slack channel as a kind of Node.js security and content feed - all have pretty good content, and are always worth a read.

The official npm blog always has updates about security and registry updates. They’re good about keeping the community up to date on what’s happening and what action they’re taking. You can also follow the #security tag to exclusively see security updates.

On the NodeSource blog (you’re already reading it) we try to make sure to keep everyone that’s interested in either Node.js security or npm security in the loop when events like the one this week happen.

The Snyk blog has a bunch of good content around Node.js, JavaScript, and npm blog posts about security and the ecosystem. Recently they’ve been expanding out to more topics in other programming languages, but they’re still producing quality content around the JS ecosystem.

Of course, you can’t leave out the official Node.js Blog. All releases, security updates, and notices around Node.js are posted there - again, this will include modules maintained by the Node.js Org if issues arise.

Just one more thing...

If you’ve got any questions about security applied to Node.js, npm, and the overall ecosystem, feel free to reach out to the team on Twitter at @NodeSource - we’re always interested in helping the Node.js ecosystem become more secure and reliable.

If you’d like some hands-on guidance around Node.js and npm security to ensure your applications and services remain secure, you should take a look at our training and arch evals - we'll be able to help make your Node.js apps rock-solid, and enable you and your team to maintain that over the long-term.