我们如何信任 npm 模块？

Question

I'm using many Node.js modules through npm package manager. Since these modules are not developed by trusted organisations, are they trustworthy?

I don't know whether the npm team is doing any security checks for each module submitted by developers.

Answer 1

NPM is not doing any checks whatsoever. They are just a registry. The whole thing is built on the trust in the dev community and sharing.

Most node modules are open source and you can review their code in their repository (usually Github). So that's the best way to 'trust' them. Some node modules give you prebuilt native binaries, so that might be riskier in a way, but if it is popular (like ws for example) then I see no issue. You can also check the NPM publisher user, which sometimes is a known company like Oracle.

Answer 2

The idea is to find the most popular npm modules. You can do this by checking the stars on each project.

Some tips:

Use npm to manage dependencies in your dev environment, but not in your deployment scripts.

Tools like npm are development tools. They're a convenient way to download and update modules. They're not deployment tools, have never been deployment tools, and should not be used for deployment!

Use npm shrinkwrap in the development repository and check in the result. This will lock your module versions in place, including sub-dependencies

More details here

Answer 3

There are a few programs, available from npm, that can run against your package.json and check for known vulnerabilities. Not perfect, but a great start. The one I have used is called nsp but there are others.

Answer 4

Update - June 2019

In npm@6 security check is included. You could run npm audit to recursively analyze your dependency trees to identify specifically what's insecure

2016 version

You could use the nsp tool provided by Node Security Platform , which helps to audit all the modules from your package.json

npm install nsp --global
nsp check

More info is here: https://nodesecurity.io/opensource

Answer 5

Yes ! Almost all node modules are open source so you can actually view code snippets running behind module. this might help you to build your trust on package you are willing to use in your application

Answer 6

It is not much secure because these modules are not developed by any organizations like what php/apache have, However it is good technology and you can also use nsp modules to check the security issues in you node modles.

More info

Answer 7

Actually I don't use to much packages:

1) express
2) body & cookie-parser (sometimes I'm lazy to write middleware),
3) mongoose,
4) pug,
5) request,
6) async,
7) lodash,
8) string

all other stuff I write myself and put in "components" folder.

let's say most of people so lazy that do:

  const md5 = require('md5');
  let data = 'something';
  data = md5(data);

but I do it with crypto (it's by default included in all nodejs versions):

  const crypto = require('crypto');
  let data = 'something';
  data = crypto
           .createHash('md5')
           .update(data.toString())
           .digest('hex');

I keep logic to not to use package:

1) if package is small (I always read package files if it's unknown for me package)
2) version is not above 1.0.0 (no warranty that will go further)
3) no recent iterations (commits) in repository

btw nsp check of my applications says: (+) No known vulnerabilities found (:

Answer 8

I've made node-safe , which allows you to use the native macOS sandbox when using node , npm and yarn :

# Allow reading files, but only in the current folder
node --enable-sandbox --allow-read="./**" myscript.js

# Run npm with sandbox (can only write to `./node_modules` by default)
npm --enable-sandbox install got 

When using the sandboxed package managers rogue dependencies are not able to compromise your system anymore through postinstall scripts and other means.

Answer 9

If you are installing a package that you do not trust, you can avoid this vulnerability by running

npm install --ignore-scripts

for more details check here

Here is an awesome blog which can give you clear picture blog