NPM Package Security

Pereira, Carly

Student Work

NPM Package Security

Público

Package managers are tools used to find, install, maintain, and uninstall software packages. Anyone can publish packages to package managers, allowing developers to install and use their code. While this is a revolutionary innovation for programmers, it is also the perfect platform to enable threat actors to execute attacks. However, malicious code is not the only threat that comes from downloading packages. It is also possible that uploaded packages do not employ secure coding techniques and therefore contain security vulnerabilities. If a developer were to download and use an unknowingly vulnerable package in their project, this would make their project vulnerable to attacks. Currently there are no tools available to determine the likelihood that a package may contain an unknown vulnerability before downloading it. Therefore, the goal of this project was to determine whether there are any package or repository metrics that reliably correlate with the security of packages. We explored this idea specifically with packages from Node Package Manager (NPM), an online repository for publishing open-source Node.js projects. The metrics of NPM packages that we explored are number of monthly downloads, number of dependents, number of open issues, number of closed issues, and each of these were compared to the number of known vulnerabilities. The data for this project was sourced from package libraries, the NPM website, GitHub's website, and the Snyk known vulnerability database. This data was then analyzed, and the metrics were found to have a very weak correlation to known vulnerabilities. Future work and testing is necessary to determine whether these metrics do correlate to security for certain.

This report represents the work of one or more WPI undergraduate students submitted to the faculty as evidence of completion of a degree requirement. WPI routinely publishes these reports on its website without editorial or peer review.

Creator