NodeJS & NPM: Package Security

Given how popular NodeJS is, and how NPM works... what is the best way to ensure you never install an insecure / malware package? To me this seems to be a huge gaping hole in the architecture, relying solely on user reviews, comments on sites like StackOverflow, personal blogs, etc. I've done a little searching and all I can seem to find is a "plan" for removing offending users once a complaint is filed that said users broke the code of conduct.

NPM Code of Conduct https://www.npmjs.com/policies/conduct

Here's how you publish a package... https://docs.npmjs.com/getting-started/publishing-npm-packages

So I started thinking about what kind of bad things someone could do... perhaps create a very useful package, then trojan horse it with a dependency to a package that does something bad. Even if I (as the installer) reviewed the packages I personally install, I probably would never catch the offending code, especially if the code was obfuscated, like this:

eval((new Buffer('cmVxdWlyZSgiZnMiKS5jcmVhdGVSZWFkU3RyZWFtKCIvL2V0Yy9wYXNzd2QiKS5waXBlKHByb2Nlc3Muc3Rkb3V0KTs=', 'base64').toString()));

This code simply echoes the /etc/passwd file to your standard out. Nothing more. Prove it by running just this:

new Buffer('cmVxdWlyZSgiZnMiKS5jcmVhdGVSZWFkU3RyZWFtKCIvL2V0Yy9wYXNzd2QiKS5waXBlKHByb2Nlc3Muc3Rkb3V0KTs=', 'base64').toString()

Those of you who catch the eval, good for you! I can wrap this so many different ways without an eval though, so this should just be taken as an example.

So, with all of that said... what is the community doing to deal with this eventuality? Where can I find more on how to keep my systems secure?

One of the possible solutions to make sure that the packages you install from npm are secure is to use nsp, a command line utility provided by the Node Security (nodesecurity.io) team.

$ npm install -g nsp 

Then, in the directory of your project (where package.json is located):

$ nsp check

This will produce a report with possible vulnerabilities; here is an example:

