JFrog has released a trio of open-source tools that, it says, will better equip JavaScript developers to keep harmful packages out of their applications. The tools, npm-secure-install, package-checker and npm_issues_statistics, target some of the hardest security problems that come with consuming open-source packages: verifying that a package version can be trusted, installing dependencies safely, and watching packages for signs of harmful changes.
NPM has become a cornerstone of JavaScript application development, providing millions of open-source JavaScript packages. The ease of pulling in open-source code has a security cost, however. Recent incidents involving vulnerable and compromised open-source packages have raised the question of who is responsible for regulating and safeguarding the code in these packages, and how.
The new JFrog NPM security tools were prompted by a recent incident in which a developer deliberately sabotaged two widely used NPM packages, colors.js and faker.js, breaking them and the many applications that depended on them. “This incident simply drew attention to the larger discussion taking place in the industry around software supply chain security in the modern software development world,” Ilya Khivrich, senior director of advanced technologies at JFrog Security Research, said.
Developers routinely trust NPM packages even though their tooling pulls code from those packages, and from the packages’ own dependencies, into applications without the developer ever reviewing it. Any vulnerability or malicious change in a package is therefore inherited by every application that depends on it. For both stability and security, committing a package-lock.json, the file that pins a JavaScript project to exact versions of every NPM dependency, is strongly recommended. The pin is not absolute, however: package-lock.json is not published with a package, so it is ignored when the package is installed as someone else’s dependency or globally, and a plain npm install of a new or changed dependency rewrites the lock rather than enforcing it, either of which can leave a program running a malicious version of a package.
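A lockfile only protects a project if every entry in it is actually pinned. The script below is an added example, not JFrog’s code, that audits the "packages" map of a lockfileVersion 2 or 3 package-lock.json for entries that lack an integrity hash, lack a resolved URL, resolve outside the expected registry, or carry only a weak sha1 hash. The ALLOWED_REGISTRY policy value and the SAMPLE_LOCK data are constructed for the example; a real run would replace SAMPLE_LOCK with JSON.parse of the project’s own lockfile.

```javascript
// Added example (not JFrog's code): audit a package-lock.json "packages" map
// (lockfileVersion 2 or 3) for entries whose pin is weaker than it looks.
// ALLOWED_REGISTRY is an assumed policy value; SAMPLE_LOCK is constructed data.

const ALLOWED_REGISTRY = "https://registry.npmjs.org/";

// Return the list of problems with one lockfile entry; an empty list means it is fully pinned.
function auditEntry(path, entry) {
  const problems = [];
  if (path === "") return problems;   // the root project has no tarball to pin
  if (entry.link) return problems;    // workspace symlink, not a registry download
  if (!entry.version) problems.push("no version recorded");
  if (!entry.resolved) {
    problems.push("no resolved URL (npm will re-resolve the range at install time)");
  } else if (!entry.resolved.startsWith(ALLOWED_REGISTRY)) {
    problems.push(`resolved outside ${ALLOWED_REGISTRY}: ${entry.resolved}`);
  }
  if (!entry.integrity) {
    problems.push("no integrity hash (downloaded tarball is not verified)");
  } else if (!/^sha512-[A-Za-z0-9+/]+={0,2}$/.test(entry.integrity)) {
    problems.push(`weak or malformed integrity hash: ${entry.integrity}`);
  }
  return problems;
}

// Audit every entry; returns { [path]: [problems] } for the entries that need attention.
function auditLockfile(lock) {
  if (!lock.packages) {
    throw new Error("expected lockfileVersion 2 or 3 with a 'packages' map");
  }
  const report = {};
  for (const [path, entry] of Object.entries(lock.packages)) {
    const problems = auditEntry(path, entry);
    if (problems.length > 0) report[path] = problems;
  }
  return report;
}

// Constructed sample lockfile: one good pin, one missing its hash, one pulled from git.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "demo-app",
      version: "1.0.0",
      dependencies: {
        colors: "1.4.0",
        "left-pad": "^1.3.0",
        "internal-lib": "git+ssh://git@example.com/internal-lib.git",
      },
    },
    "node_modules/colors": {
      version: "1.4.0",
      resolved: "https://registry.npmjs.org/colors/-/colors-1.4.0.tgz",
      integrity: "sha512-" + "A".repeat(86) + "==", // placeholder hash of the right shape
    },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
    },
    "node_modules/internal-lib": {
      version: "2.0.0",
      resolved: "git+ssh://git@example.com/internal-lib.git#0123abc",
      integrity: "sha1-" + "B".repeat(27) + "=",
    },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Run in CI alongside npm ci (which refuses to install when package.json and the lockfile disagree) to catch entries that npm would otherwise re-resolve or download without verification; the git-sourced entry is reported so a reviewer can decide whether that source is acceptable.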
JFrog’s new tools address the supply-chain risk that comes with NPM dependencies. Package-checker judges whether a particular version of an NPM package is trustworthy: it looks for the indicators seen in packages used in past supply-chain attacks and can flag versions that show the same danger signs.
npm-secure-install wraps the package installer and enforces safe practices, including refusing to install a package globally unless the package ships an npm-shrinkwrap.json. Unlike package-lock.json, that file is published with the package, so everyone who installs it receives the same versions of all its dependencies. Finally, npm_issues_statistics monitors the volume of issues reported against a package so that a sudden spike, an early sign of a broken or malicious release, is noticed before the new version is formally flagged as introducing breaking changes.
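The page does not describe which indicators package-checker looks at, so the script below is an added example rather than JFrog’s code. It applies four checks of the kind a trust assessment can run against a package’s registry metadata (the "packument" served at https://registry.npmjs.org/<name>): how recently the version was published, whether it declares install-time lifecycle scripts, whether the account that published it differs from the one behind the previous version, and whether the registry carries an integrity hash for the tarball. The package example-colorizer, its publishers alice and mallory, the dates and the seven-day quarantine threshold are all constructed assumptions.

```javascript
// Added example (not JFrog's package-checker): heuristic trust assessment of one
// version of an npm package from its registry metadata ("packument").
// QUARANTINE_DAYS is an assumed threshold; SAMPLE_PACKUMENT is constructed data.

const DAY_MS = 24 * 60 * 60 * 1000;
const QUARANTINE_DAYS = 7;
// Lifecycle scripts that npm runs on the installing machine, the usual place for a payload.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Order two version strings by major.minor.patch; pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Assess packument.versions[version]; "now" is injectable so results are reproducible.
function assessVersion(packument, version, now = Date.now()) {
  const meta = packument.versions[version];
  if (!meta) throw new Error(`${packument.name}@${version} not found in registry metadata`);
  const findings = [];

  // 1. Freshness: a version published only days ago has had little community scrutiny.
  const ageDays = (now - Date.parse(packument.time[version])) / DAY_MS;
  if (ageDays < QUARANTINE_DAYS) {
    findings.push(`published ${ageDays.toFixed(1)} days ago (quarantine is ${QUARANTINE_DAYS} days)`);
  }

  // 2. Install-time scripts execute arbitrary code during "npm install".
  const hooks = INSTALL_HOOKS.filter((h) => meta.scripts && meta.scripts[h]);
  if (hooks.length > 0) findings.push(`declares install-time scripts: ${hooks.join(", ")}`);

  // 3. Publisher change: compare the account behind this version with the previous one.
  const older = Object.keys(packument.versions)
    .filter((v) => compareVersions(v, version) < 0)
    .sort(compareVersions);
  const previous = older[older.length - 1];
  if (previous) {
    const prevMeta = packument.versions[previous];
    const prevUser = prevMeta._npmUser && prevMeta._npmUser.name;
    const thisUser = meta._npmUser && meta._npmUser.name;
    if (prevUser && thisUser && prevUser !== thisUser) {
      findings.push(`publisher changed from ${prevUser} (${previous}) to ${thisUser}`);
    }
  }

  // 4. Without dist.integrity the downloaded tarball cannot be verified.
  if (!meta.dist || !meta.dist.integrity) findings.push("no dist.integrity in registry metadata");

  return { name: packument.name, version, findings, trusted: findings.length === 0 };
}

// Constructed packument: two quiet releases by alice, then a fresh release by a new
// account that adds a postinstall script. Not a real package.
const FAKE_HASH = "sha512-" + "C".repeat(86) + "==";
const SAMPLE_PACKUMENT = {
  name: "example-colorizer",
  "dist-tags": { latest: "2.0.0" },
  time: {
    "1.4.0": "2021-03-01T10:00:00.000Z",
    "1.4.1": "2021-09-15T10:00:00.000Z",
    "2.0.0": "2022-01-08T03:00:00.000Z",
  },
  versions: {
    "1.4.0": { version: "1.4.0", scripts: { test: "node test.js" },
               _npmUser: { name: "alice" }, dist: { integrity: FAKE_HASH } },
    "1.4.1": { version: "1.4.1", scripts: { test: "node test.js" },
               _npmUser: { name: "alice" }, dist: { integrity: FAKE_HASH } },
    "2.0.0": { version: "2.0.0",
               scripts: { test: "node test.js", postinstall: "node ./scripts/setup.js" },
               _npmUser: { name: "mallory" }, dist: { integrity: FAKE_HASH } },
  },
};

for (const v of Object.keys(SAMPLE_PACKUMENT.versions)) {
  console.log(JSON.stringify(assessVersion(SAMPLE_PACKUMENT, v)));
}
```

None of these signals proves a package is malicious; a legitimate maintainer handover or a native module with a build step will trip them too. The value is in forcing a human look at exactly the versions where the past incidents would have been caught: a new publisher, a fresh release and a new install hook landing together.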
JFrog says it is considering folding these and related capabilities into its CLI tool to support the secure administration of NPM repositories.