JS package manager npm adds new security features for web devs

A vulnerability reporting system has also been launched

UPDATED An update from npm, Inc. aims to improve security for web developers by stopping major vulnerabilities at the start of the workflow process.

The added security features are being rolled out for npm Enterprise – the commercial edition of the popular open source JavaScript package manager.

Package filtering is one of the new components, which will ensure that malicious code stays out of the development pipeline, npm said in an announcement yesterday.

“JavaScript is the most prevalent platform used in development today, and most enterprises depend on it heavily,” said CEO Bryan Bogensberger.

“But most of the tools those development teams use are woefully inadequate in terms of security, compliance, and quality of developer experience.

“Our flagship npm Enterprise product closes that gap, and gives them the professional-grade tools they deserve.”

The Daily Swig reached out to npm to learn more about how the new security audit will work in filtering malicious code and packages.

Company CTO Ahmad Nassri said: “When applied, security policies controlled by an Enterprise Administrator will automatically filter out any packages that don’t meet security requirements, causing the npm install command to fail with a custom message to enterprise developers for all projects within the business.

“This provides a centralized control domain for Enterprise Security teams to improve their developer experience and control any risk to their business.

“The workflow for developers is the same workflow they know and love from using the npm cli [command line interface], following existing patterns across all install and audit commands.

“Enterprise customers that enable this functionality will not see any change to their developer workflow, and will result in an increased security awareness amongst their software development teams.”

The company also plans to add single sign-on enhancements in order to protect user credentials from malicious actors.

Vulnerability reporting

News of the security update was coupled with the launch of a new vulnerability reporting system for npm Enterprise – an antivirus scanner, effectively, that will report any bugs found in a registry.

Earlier this year, a similar tool was launched at the Black Hat Asia security conference that proposed a heuristic-based analysis of the npm ecosystem.

The tool, npm-scan, was developed to plug the gap that was said to have been left open by security scanners like npm-audit or snyk.

“We’re actually adding these heuristics and adding these scans to look into the actual code and find potentially malicious lines or problems,” Eugene Lim, one of the creators of npm-scan, told The Daily Swig back in March.

“We want people to scan the packages and write the reports themselves.”

Lim welcomed the news of an npm vulnerability reporting platform, but he still believes a more thorough security audit is needed.

“Interesting that they are targeting vulnerabilities, in general, rather than malicious packages,” Lim told The Daily Swig.

“It helps net a larger number of bugs and vulnerabilities, although in my opinion there are certain behaviors associated with malicious packages that would benefit from a specialized focus.”

This article has been updated to include additional comment from npm.