Amarjit Singh

Reputation: 2154

Verify if an NPM package is official

I am developing an app that needs to use Binance API. I found an NPM package https://www.npmjs.com/package/@binance/connector

But I am not sure if it is an official one or created by someone else. What are the criteria to identify a good npm package? By good, I mean one not containing any malicious code.

Upvotes: 0

Views: 441

Answers (1)

Petr Hejda

Reputation: 43561

The NPM package links to a GitHub repo. The GitHub repo readme links back to the NPM package. So far so good.

The GitHub repo is published under the binance organization, which has the verified tag with comment:

We've verified that the organization binance controls the domain: www.binance.com

So assuming that we can trust the GitHub verification process, this particular NPM package is legit and really comes from Binance.


General rules of thumb to roughly identify a level of trustworthiness of an NPM package:

  • Published by a verified organization.
  • Downloads amount. A package with 1k weekly downloads is more likely to be legit, compared to a package with 1-2 downloads a week.
  • Size of the community around this package. Look for the number of contributors, an official website, and a support forum with active users. These are signs that the package is probably all right.
  • If the package is business critical for your case, always do your own due diligence and look through the code.

Upvotes: 1
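The answer's checks can be scripted against a registry document. The example below is added here and is not code from the question, the answer, or Binance; it takes a registry-style package document, the text of the linked repository's README, a weekly download count and the list of GitHub organizations you have personally confirmed as verified, and reports which rules of thumb fail. The package document, README and download count are constructed sample data, not the real records for @binance/connector; the repository name `example-connector` is a placeholder. The `repository` field is self-declared by whoever publishes the package, which is why the README back-link from the answer is checked separately.

```javascript
// Added example (not from the question or answer): scoring an npm package
// against the rules of thumb in the answer. All registry data, README text
// and download counts below are constructed for the example, not fetched.

// Parse the self-declared repository URL from a registry document into
// { host, owner, repo }. Accepts git+https://, https:// and git@host:owner/repo.
function normalizeRepoUrl(url) {
  if (typeof url !== "string") return null;
  const cleaned = url.replace(/^git\+/, "").replace(/\.git$/, "");
  const m = cleaned.match(/^(?:[a-z+]+:\/\/)?(?:[^@\/]+@)?([^\/:]+)[\/:]([^\/]+)\/([^\/]+)$/i);
  if (!m) return null;
  return { host: m[1].toLowerCase(), owner: m[2], repo: m[3] };
}

// The answer's two-way check: the package points at a repo, and the repo's
// README points back at exactly this package name (not a look-alike suffix).
function readmeLinksBack(readme, pkgName) {
  if (typeof readme !== "string") return false;
  const name = pkgName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const pattern = `npmjs\\.com/package/${name}(?![\\w-])|npm (?:install|i) ${name}(?![\\w-])`;
  return new RegExp(pattern).test(readme);
}

// Evaluate the rules of thumb. `verifiedOrgs` holds the GitHub organizations
// whose "verified" badge you checked yourself; the script does not call GitHub.
function assessPackage(pkg, readme, weeklyDownloads, verifiedOrgs, minWeekly = 1000) {
  const findings = [];
  const latest = pkg["dist-tags"] && pkg["dist-tags"].latest;
  const manifest = latest && pkg.versions ? pkg.versions[latest] : undefined;
  const repo = normalizeRepoUrl(manifest && manifest.repository && manifest.repository.url);
  const orgs = verifiedOrgs.map((o) => o.toLowerCase());

  if (!repo) {
    findings.push("latest version declares no parseable repository URL");
  } else {
    if (repo.host !== "github.com") {
      findings.push(`repository is on ${repo.host}, so the GitHub organization check does not apply`);
    } else if (!orgs.includes(repo.owner.toLowerCase())) {
      findings.push(`GitHub owner "${repo.owner}" is not one of your verified organizations`);
    }
    // The repository field is written by the publisher; only the back-link
    // shows that the repo and the package belong together.
    if (!readmeLinksBack(readme, pkg.name)) {
      findings.push("repository README does not link back to this package name");
    }
    // An npm scope is registered on npm independently of GitHub, so a mismatch
    // between "@scope" and the GitHub owner deserves a closer look.
    const scope = pkg.name.startsWith("@") ? pkg.name.slice(1).split("/")[0] : null;
    if (scope && scope.toLowerCase() !== repo.owner.toLowerCase()) {
      findings.push(`npm scope "@${scope}" differs from GitHub owner "${repo.owner}"`);
    }
  }
  if (weeklyDownloads < minWeekly) {
    findings.push(`only ${weeklyDownloads} weekly downloads (threshold ${minWeekly})`);
  }
  return { repo, findings, ok: findings.length === 0 };
}

// Constructed sample data (placeholder repo name, invented download count).
const SAMPLE_PACKAGE = {
  name: "@binance/connector",
  "dist-tags": { latest: "1.0.0" },
  versions: {
    "1.0.0": {
      repository: { type: "git", url: "git+https://github.com/binance/example-connector.git" },
    },
  },
};
const SAMPLE_README =
  "Install with `npm install @binance/connector`.\n" +
  "Published at https://www.npmjs.com/package/@binance/connector";

console.log(assessPackage(SAMPLE_PACKAGE, SAMPLE_README, 1500, ["binance"]));
```

In practice the inputs come from `npm view <package> --json` (the registry document) and from the repository page itself; the organization list should only contain names whose verified badge you looked at on GitHub, since the script trusts that list completely.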
