The new JFrog NPM security tools were inspired by a recent event in which a developer made malicious changes to two NPM packages, rendering them worthless and causing havoc with the apps that relied on them. “This incident simply drew attention to the larger discussion taking place in the industry around software supply chain security in the modern software development world,” Ilya Khivrich, senior director of advanced technologies at JFrog Security Research, said.
JFrog’s new security tools protect the software supply chain against risky NPM dependencies. Package-checker determines whether a particular version of an NPM package is trustworthy: it searches for indicators seen in packages used in earlier supply-chain attacks and can also spot new packages that pose a danger.
Meanwhile, npm-secure-install is a package installer that enforces security practices, including refusing to install a package globally unless it ships an npm-shrinkwrap.json. That file pins the dependency tree, so everyone who installs the package receives the same version of every dependency. And npm_issues_statistics keeps track of problematic packages before they are flagged as having introduced breaking changes in newer versions.
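The shrinkwrap gate described above, as an added shell example that is not part of the article or of JFrog's npm-secure-install: it assumes the package tarball has already been fetched and unpacked into a directory (for instance with `npm pack` followed by `tar xzf`, which yields `./package`), and it refuses the install unless that directory ships an npm-shrinkwrap.json in which every recorded version is an exact semver, not a range. The `make_fixture` helper builds constructed sample packages so the gate can be exercised offline; the registry URL and integrity string inside it are placeholders.

```shell
#!/bin/sh
# Added illustration, not JFrog's code: a pre-install gate in the spirit of
# npm-secure-install. Assumes the package was unpacked into DIR beforehand,
# e.g.  npm pack <pkg>@<ver> && tar xzf <pkg>-<ver>.tgz   (gives ./package).

# Exact semver: MAJOR.MINOR.PATCH with optional prerelease / build metadata.
EXACT_SEMVER='[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?'

# gate_install DIR -> returns 0 (allow) or 1 (refuse); reason goes to stderr.
gate_install() {
  dir=$1
  wrap="$dir/npm-shrinkwrap.json"
  if [ ! -s "$wrap" ]; then
    echo "refuse: $dir ships no npm-shrinkwrap.json" >&2
    return 1
  fi
  # Pull out every "version": "<value>" and keep only those that are not exact.
  bad=$(grep -o '"version"[[:space:]]*:[[:space:]]*"[^"]*"' "$wrap" \
        | sed 's/.*"\([^"]*\)"$/\1/' \
        | grep -vE "^${EXACT_SEMVER}$" || true)
  if [ -n "$bad" ]; then
    echo "refuse: non-exact version(s) recorded in shrinkwrap: $bad" >&2
    return 1
  fi
  echo "allow: $dir pins every dependency to an exact version" >&2
  return 0
}

# make_fixture MODE -> prints the path of a constructed package directory.
# MODE is one of: none (no shrinkwrap) | ranged (range inside shrinkwrap) | pinned
# All contents are sample data constructed for this example.
make_fixture() {
  d=$(mktemp -d)
  printf '{ "name": "demo", "version": "1.0.0", "dependencies": { "left-dep": "^2.0.0" } }\n' \
    > "$d/package.json"
  case $1 in
    ranged)
      printf '{ "name": "demo", "version": "1.0.0", "lockfileVersion": 2,\n  "packages": { "node_modules/left-dep": { "version": "^2.0.0" } } }\n' \
        > "$d/npm-shrinkwrap.json" ;;
    pinned)
      printf '{ "name": "demo", "version": "1.0.0", "lockfileVersion": 2,\n  "packages": { "node_modules/left-dep": { "version": "2.1.3", "resolved": "https://registry.example/left-dep-2.1.3.tgz", "integrity": "sha512-PLACEHOLDER" } } }\n' \
        > "$d/npm-shrinkwrap.json" ;;
  esac
  echo "$d"
}

# Usage against a real unpacked package:
#   gate_install ./package && npm install -g ./package
```

Wiring the gate in front of `npm install -g` with `&&` means a missing or loosely pinned shrinkwrap stops the global install before any install scripts run, which is the behaviour the article attributes to npm-secure-install.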
To enable secure administration of NPM repositories, JFrog is considering adding these and related features to its CLI tool.