Released a trio of tools to protect JavaScript apps from malicious NPM packages


Security tools inspired by a recent case where a package maintainer became a scammer

JavaScript developers will be better equipped to prevent malicious packages from slipping into their applications with a trio of tools released by JFrog, the software company claims.

The tools – npm-secure-install, package-checker, and npm_issues_statistic – are designed to address some of the trickiest security issues associated with using open source software packages.

Among other things, they validate whether package versions can be trusted, secure installations, and monitor applications for potentially troublesome components.

Security compromise

Providing millions of open source JavaScript packages, NPM has become the cornerstone of JavaScript application development.

However, the convenience of using open source packages comes with some security trade-offs. Recent security incidents involving vulnerabilities in open source software have raised concerns about who should take responsibility for controlling and securing the code in these packages and how.

Development of the new JFrog NPM security tools was prompted by a recent incident in which a developer intentionally modified two NPM packages and rendered them useless, disrupting applications that depended on them.

RELATED Open Source Security Foundation Launches Initiative to Stem Tide of Software Supply Chain Attacks

“This incident has simply brought attention to the broader discussion taking place in the industry around software supply chain security in the modern world of software development,” said Ilya Khivrich, senior director of advanced technologies at JFrog Security Research. The daily sip.

Developers often blindly trust NPM packages, while in many cases developer tools extract code from them and embed it into applications without the developer’s knowledge. These applications will therefore inherit all the vulnerabilities contained in the packages.

Package-json.lock, a spec file that forces JavaScript applications to use a specific version of an NPM dependency, is highly recommended for both stability and security reasons. However, in some circumstances this feature can be bypassed and cause applications to run a malicious version of the package.


JFrog’s new suite of security tools is intended to secure the supply chain with respect to NPM dependencies. Package-checker checks if a specific version of an NPM package can be trusted. It looks for signs of packages used in supply chain attacks and can identify potential risks with recently released versions.

Npm-secure-install, on the other hand, is a package installer that enforces secure practices, such as disallowing global installation of packages unless they contain npm-shrinkwrap.json, a specification that ensures everyone gets the same version of all dependencies.

Learn about the latest DevSecOps news

And npm_issues_statistics monitors apps for problematic packages before they are flagged as having breaking changes in updated builds.

“Of the three tools, two can be used directly in the development lifecycle,” Khivrich said. “npm-secure-install can be directly used by developers as a replacement for npm-install, and package_checker can be used manually or automatically when the developer decides to override the dependency version in use.”

Npm_issues_statistics can also be used when upgrading dependencies, “but then only manually and not as part of an automated process,” Khivrich added.

JFrog plans to integrate these and similar features into its CLI tool to provide secure management of NPM repositories.

“Whether or not the tools are maintained as part of the JFrog CLI or in a standalone form, we plan to further improve the tools and expand the set of intuitive shortcuts that aid problem solving and probability judgments. “, Khivrich said.

YOU MIGHT ALSO LIKE SnapFuzz: New fuzzing tool speeds up network application testing


Comments are closed.