A recent study by Snyk on the state of open-source security has yielded alarming results: for NPM packages, 86% of security vulnerabilities reside in secondary dependencies over which you often have little control.
What are secondary dependencies?
When you install something from npm, you don't just install that one package: you also install every dependency it requires, and the dependencies those require in turn. You can display this dependency tree for your own projects with npm ls --depth=10. Even a basic project with two installed packages actually contains four levels of dependencies, totaling 10 actual packages.
The problem is therefore obvious. You pull in code from many more packages than your package.json suggests, and each of these packages is a potential source of security bugs.
According to Snyk's report, this is exactly what happens in open-source ecosystems like npm and RubyGems. The problem is widespread, and most of the bugs come from indirect packages that you did not install manually.
The good news: the problem is not as serious as it seems. npm has a built-in audit tool that will catch most of the bad ones and prompt you to update. Because auditing is so widespread, these security bugs get more attention and are fixed when they surface, with updates released quickly to affected users.
The majority of bugs detected by Snyk were potential XSS vulnerabilities, and although that is not ideal, their real-world impact is fairly small. The most impactful bugs were a few dozen prototype pollution vulnerabilities (potential arbitrary code execution), as well as some malicious or hijacked packages designed specifically to sneak into unsuspecting package.json files.
The problem is also improving, or at least attracting more attention. The number of bugs reported in NPM has decreased by 20% from last year, and the same trend applies to other package manager ecosystems.
The main point to remember from all this: you have to think about where your code comes from. With the rise of FOSS software, it’s easy to get dragged into dependency hell with code that you hadn’t planned to add.
The solution: audit
There are bound to be bugs in random pieces of open-source code, and while you can’t really fix some of the little ones without developing everything in-house, you can detect some particularly nasty ones with regular audits.
However, the problem is not particularly new, and npm has a built-in tool for this: npm audit. You have probably already seen it, because it runs automatically on every install.
npm's built-in audit primarily checks for package updates that fix known bugs, so there is usually an upgrade you can apply (at the risk of breaking something) that fixes the problem. There are, however, other security scanners, such as Snyk itself, which runs a GitHub project verification service and maintains a publicly accessible database of known bugs that you can check against.
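To make the two points above concrete (the hidden depth of the dependency tree, and the fact that most flagged packages are transitive), here is an added example, written for this article and not code from npm or Snyk. It walks a constructed sample in the shape of npm ls --json output, counts packages per level, checks each version against a constructed (hypothetical) advisory list, and attributes every finding to the direct dependency in package.json that pulled it in, which is where the fix actually has to be applied.

```python
import json

# Constructed sample in the shape of `npm ls --depth=10 --json` output
# (two direct dependencies expanding to four levels and 10 packages).
SAMPLE_NPM_LS = json.dumps({
    "name": "example-app", "version": "1.0.0",
    "dependencies": {
        "web-framework": {"version": "2.1.0", "dependencies": {
            "template-engine": {"version": "1.4.2", "dependencies": {
                "html-escape": {"version": "0.9.1"},
                "deep-merge": {"version": "3.0.0", "dependencies": {
                    "is-plain-obj": {"version": "1.1.0"}}}}},
            "cookie-parse": {"version": "0.5.0"},
            "body-parse": {"version": "1.2.0", "dependencies": {
                "raw-body": {"version": "2.0.3"}}}}},
        "cli-colors": {"version": "4.0.1", "dependencies": {
            "ansi-codes": {"version": "2.0.0"}}}}})

# Constructed advisory list (hypothetical package/version pairs, not real
# advisories): what an audit database would flag as vulnerable.
KNOWN_BAD = {"deep-merge": "3.0.0", "cookie-parse": "0.5.0", "cli-colors": "4.0.1"}

def walk(node, path=()):
    """Depth-first over an `npm ls --json` tree, yielding (name, version, path)."""
    for name, child in node.get("dependencies", {}).items():
        child_path = path + (name,)
        yield name, child.get("version"), child_path
        yield from walk(child, child_path)

def analyze(npm_ls_json, known_bad):
    """Summarize the tree and attribute each flagged package to the direct
    dependency that pulled it in (so the fix points back at package.json)."""
    tree = json.loads(npm_ls_json)
    seen, max_depth, findings = {}, 0, []
    for name, version, path in walk(tree):
        seen.setdefault(name, version)          # count each package once
        max_depth = max(max_depth, len(path))   # depth 1 == direct dependency
        if known_bad.get(name) == version:
            findings.append({"package": name, "version": version,
                             "depth": len(path), "direct": len(path) == 1,
                             "pulled_in_by": path[0]})
    direct = len(tree.get("dependencies", {}))
    transitive_hits = sum(not f["direct"] for f in findings)
    share = transitive_hits / len(findings) if findings else 0.0
    return {"total_packages": len(seen), "direct": direct,
            "transitive": len(seen) - direct, "max_depth": max_depth,
            "findings": sorted(findings, key=lambda f: f["depth"]),
            "share_in_transitive": share}

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_NPM_LS, KNOWN_BAD), indent=2))
```

On a real project, feed it the output of npm ls --depth=10 --json and the package list from your audit tool of choice; the pulled_in_by field tells you which line of package.json to upgrade or replace.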