Andrey Tzar

Reputation: 51

NPM (node package manager) security and voting

Anyone can publish their Node.js package to the open Node Package Manager (npm) pool. Are there any security checks for published packages, so that I can be sure that a new package won't contain any harmful code?

Also, it's interesting to know if there is any voting system for Node packages, so that I can pick out the most-voted package from a bunch of similar packages.

Upvotes: 0

Views: 219

Answers (2)

Mahesh Khond

Reputation: 1297

You can also use https://nodesecurity.io/ to add security checks into your GitHub pull request flow.

If you perform a search on npmjs.com before pulling a module into your system, the index of all packages on npmjs.com takes into account maintenance, quality, etc.

npm search is also a good option for npm package voting.

The npms analyzer continuously analyzes the npm ecosystem, gathering as much information as possible from a variety of sources, including GitHub, David and nsp. Using the collected information, a final score for each package is calculated based on four different aspects: Quality, Maintenance, Popularity, and Personalities.

Upvotes: 0
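As an added example (not part of the answer above, and not code from the npms project), here is a small script that ranks candidate packages from an npms-style search response by their per-aspect scores. The response shape mirrors the `score.final` and `score.detail.{quality,popularity,maintenance}` fields the npms analyzer exposes, but the package names and numbers are constructed. It goes slightly beyond the answer by letting you reweight the aspects and by filtering out packages whose maintenance score is below a floor, which is the practical check that keeps a popular but abandoned package from winning the "vote".

```javascript
// Added example: ranking npm search candidates by npms-style scores.
// The objects below mimic the shape of an npms search result
// (package + score.final + score.detail); all names and numbers are
// constructed for illustration, not real packages or real scores.
const SAMPLE_SEARCH = {
  total: 3,
  results: [
    { package: { name: "fast-pad", version: "2.1.0" },
      score: { final: 0.90, detail: { quality: 0.90, popularity: 0.85, maintenance: 0.95 } } },
    { package: { name: "left-pad-ish", version: "1.0.0" },
      score: { final: 0.61, detail: { quality: 0.70, popularity: 0.40, maintenance: 0.72 } } },
    // Very popular, but nobody has touched it in years: low maintenance score.
    { package: { name: "old-padder", version: "0.9.3" },
      score: { final: 0.60, detail: { quality: 0.80, popularity: 0.95, maintenance: 0.05 } } },
  ],
};

// Weighted average of the three aspects; weights need not sum to 1.
function weightedScore(detail, weights) {
  const total = weights.quality + weights.popularity + weights.maintenance;
  return (
    detail.quality * weights.quality +
    detail.popularity * weights.popularity +
    detail.maintenance * weights.maintenance
  ) / total;
}

// Rank search results. Options (both hypothetical, chosen for this example):
//   weights        - per-aspect weights, default equal weighting
//   minMaintenance - drop packages whose maintenance score is below this floor
function rankPackages(search, opts = {}) {
  const weights = opts.weights || { quality: 1, popularity: 1, maintenance: 1 };
  const minMaintenance = opts.minMaintenance === undefined ? 0 : opts.minMaintenance;
  return search.results
    .filter((r) => r.score.detail.maintenance >= minMaintenance)
    .map((r) => ({
      name: r.package.name,
      version: r.package.version,
      npmsFinal: r.score.final,
      score: Number(weightedScore(r.score.detail, weights).toFixed(3)),
    }))
    .sort((a, b) => b.score - a.score);
}

// Usage: equal weights vs. popularity-heavy weights, with and without a floor.
if (typeof require !== "undefined" && require.main === module) {
  console.log(rankPackages(SAMPLE_SEARCH));
  console.log(rankPackages(SAMPLE_SEARCH, { weights: { quality: 1, popularity: 3, maintenance: 1 } }));
  console.log(rankPackages(SAMPLE_SEARCH, { minMaintenance: 0.5 }));
}

module.exports = { SAMPLE_SEARCH, weightedScore, rankPackages };
```

With equal weights the ranking is fast-pad, left-pad-ish, old-padder; weighting popularity three times as heavily lifts the abandoned old-padder into second place, which is exactly why a maintenance floor is worth applying before trusting a popularity-driven "vote".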

Jon Lamendola

Reputation: 101

The Node Security Platform is a tool designed to help developers do just that! You can test your project dependencies for known vulnerabilities in a variety of ways - from the command line, integrated with your CI system, or integrated with GitHub.

The vulnerabilities are discovered via two sources:

  1. A team of seasoned Node.js security professionals actively auditing modules on npm.
  2. Submissions from community members, which are verified by the aforementioned team.

The command line tool is also free to use, as is the integration with open source GitHub repositories.

If you are using npm Enterprise, nsp is also partnered with npm to provide sidebar integration. This allows you to see vulnerability information right from the npme web UI, which sounds like what you are looking for.

As far as module popularity goes, there is a website that does this to some degree at nodejsmodules.org. I use it from time to time, but beware - they've got a very expired HTTPS cert.

Disclosure: I am an employee of ^Lift Security, the company behind the Node Security Platform.

Upvotes: 1
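To make concrete what "testing your project dependencies for known vulnerabilities" means in the answer above, here is an added example (not the nsp tool's code, nor part of the answer) that walks a package-lock-style dependency tree and matches each module against an advisory list by version range. The lock file, the advisory entries and their ids (`EXAMPLE-001`, `EXAMPLE-002`) are constructed placeholders, and the range syntax supported (`<`, `<=`, `>`, `>=`, `=` on `x.y.z` versions, space-separated terms ANDed together) is a deliberately small subset chosen for this example. The point it shows is that a transitive copy of a module can be vulnerable while the top-level copy of the same module is not, so the check has to report the full dependency path.

```javascript
// Added example: match a dependency tree against an advisory list.
// Everything below is constructed for illustration: the advisories are
// placeholders, not real nsp/npm advisories, and the lock file is fake.
const ADVISORIES = [
  { id: "EXAMPLE-001", module: "example-parser", vulnerable_versions: "<1.4.2",
    title: "constructed advisory A (placeholder)" },
  { id: "EXAMPLE-002", module: "example-logger", vulnerable_versions: ">=2.0.0 <2.3.1",
    title: "constructed advisory B (placeholder)" },
];

// Shape mimics package-lock.json v1: name, version, nested dependencies.
const SAMPLE_LOCK = {
  name: "my-app",
  dependencies: {
    "example-parser": {
      version: "1.4.1",
      // Nested, older copy of example-logger pulled in by example-parser.
      dependencies: { "example-logger": { version: "2.2.0" } },
    },
    "example-logger": { version: "2.3.1" }, // top-level copy is patched
    "unrelated": { version: "0.1.0" },
  },
};

// Parse "x.y.z" into numeric components; anything else is rejected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error("unsupported version: " + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when version satisfies every space-separated term of the range.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((term) => {
    const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(term);
    if (!m) throw new Error("unsupported range term: " + term);
    const op = m[1] || "=";
    const c = compareVersions(version, m[2]);
    switch (op) {
      case "<": return c < 0;
      case "<=": return c <= 0;
      case ">": return c > 0;
      case ">=": return c >= 0;
      default: return c === 0;
    }
  });
}

// Walk the tree depth-first and report every (module, version) that falls in
// an advisory's vulnerable range, with the path that pulled it in.
function findVulnerable(lock, advisories) {
  const findings = [];
  function walk(deps, path) {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = path.concat(name + "@" + info.version);
      for (const adv of advisories) {
        if (adv.module === name && satisfies(info.version, adv.vulnerable_versions)) {
          findings.push({ id: adv.id, module: name, version: info.version,
                          title: adv.title, path: here.join(" > ") });
        }
      }
      walk(info.dependencies, here);
    }
  }
  walk(lock.dependencies, [lock.name]);
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of findVulnerable(SAMPLE_LOCK, ADVISORIES)) {
    console.log(`${f.id}: ${f.path}`);
  }
}

module.exports = { ADVISORIES, SAMPLE_LOCK, compareVersions, satisfies, findVulnerable };
```

Running it reports two findings: the top-level example-parser@1.4.1, and the nested example-logger@2.2.0 reachable only through example-parser, while the top-level example-logger@2.3.1 is clean. A real checker would also handle prerelease tags, `^`/`~` ranges and `||` alternatives, which this subset deliberately omits.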
