Key Summary
This article discusses the persistent issue of unstable and malicious npm packages within the JavaScript ecosystem and introduces three new open-source tools from JFrog to improve npm security. Prompted by incidents such as the deliberate corruption of colors.js and faker.js, these tools address weaknesses in the software supply chain. Key points include:
- npm Security Challenges:
  - Context: Microsoft’s acquisition of npm (with 1.3 million packages and 75 billion downloads) did not resolve ongoing issues, exemplified by the 2016 left-pad incident and the recent colors.js/faker.js corruptions, which disrupted thousands of programs.
  - Problem: Developers often pull new code from public repositories without verification, unaware of changes or malicious updates. The npm installer ignores package-lock.json for global installations (npm install -g), downloading the latest (potentially hijacked) versions of a package’s dependencies.
  - Impact: Lack of validation leads to supply chain attacks, compromising applications that rely on unvetted dependencies.
- JFrog’s Response:
  - Motivation: JFrog, a DevOps-focused company (which acquired Vdoo in 2021), developed tools to secure the npm ecosystem in response to the supply chain weaknesses highlighted by these incidents.
  - Three Open-Source Tools (available on GitHub):
    - package_checker: evaluates the trustworthiness of a package version by checking for signs of supply chain attacks, including:
      - significant version number jumps (e.g., 5.5.3 to 6.6.6, as in faker.js);
      - updates to unmaintained packages;
      - discrepancies between the versions on npm and in the linked GitHub repository;
      - very recent releases, which may not have been vetted and could contain malicious code.
    - npm-secure-installer: a wrapper for npm install that refuses global installations of packages without an npm-shrinkwrap lock file, so only pinned versions are used.
    - package_issues_history: an experimental tool that monitors package updates for breaking changes, aiming to identify issues before they are widely reported.
  - Stated goal: improve “cyber hygiene” by validating the security and robustness of each new package version before use, at present specifically for the npm repository.
- Limitations and Future Needs:
  - These tools mitigate but do not fully resolve npm’s security issues; in particular, the installer’s failure to honor package-lock.json for global installations requires a patch from npm’s developers.
  - Developers are encouraged to use package-lock.json and specify exact dependency versions to avoid unintended updates.
- InApps Insight:
  - JFrog’s tools address critical gaps in npm’s security, promoting safer JavaScript development by preventing the installation of malicious packages.
  - InApps Technology can integrate these tools into DevOps pipelines, strengthening client software supply chain security and helping ensure robust, reliable JavaScript-based applications.
When Microsoft acquired JavaScript Node package manager (npm) company npm, with its over 1.3 million packages and 75 billion downloads, I’d hoped that some of npm’s notoriously unstable releases would finally be fixed. I hoped in vain. For instance, the recent mess with the npm libraries ‘colors.js’ and ‘faker.js’ showed that we haven’t improved much since 2016’s infamous ‘left-pad’ npm episode. In all three cases, tens of thousands of npm programs went up in smoke.
So it is a good thing that JFrog, a company that uses DevOps principles to secure the software supply chain, has released three new open source programs to detect and block the installation of malicious npm packages.
Securing the Supply Chain
These are a direct response to the colors and faker fiasco, in which the packages’ own maintainer deliberately corrupted them. JFrog, along with many others, is getting concerned about open source software supply chain security.
In the npm ecosystem, new code is all too often pulled from a repository, used in a project, and put into production without ever being checked for problems. Indeed, far too many times, the developer may not even be aware that one of the components has been changed, never mind corrupted. We can no longer afford blind trust in open source code from public repositories.
This happens because, as Ilya Khivrich, JFrog’s senior director of advanced technologies and security research (who joined the company last year when JFrog acquired Vdoo), wrote:
The common method for enforcing the use of specific versions of the npm dependencies in a project is using the package-lock.json file, which specifies the allowed versions of the libraries. We highly recommend using package-lock.json and specifying exact dependency versions whenever possible. It is a little known fact, however, that the current npm installer — when installing a package globally (npm run with -g or --global) — does not honor the package-lock.json file and will happily download the latest available version of any package dependency, according to the dependencies specified in the package.json file. This is why users found their applications were using hijacked versions of the colors package, even though they were certain they were “protected” by package-lock.json.
This needs to be patched and it needs to be patched now. But that’s a problem for npm and its developers, not JFrog.
The Fix
To help deal with this fundamental software supply chain security issue in the meantime, JFrog has made three new open source npm security tools available on GitHub. These programs are:
- package_checker: a tool providing an indication of whether a specific version of a given package can be trusted. The tool looks for tell-tale signs of packages used in supply-chain attacks and can be used to identify potential risks with newly released versions. The checked conditions are:
  - a significant gap in version numbers (e.g., jumping from 5.5.3 to 6.6.6, as in the case of the faker npm package);
  - new updates to an unmaintained package;
  - a discrepancy between the versions appearing on npm and in its linked GitHub repository;
  - how recently the version was posted, since a very new version has not been vetted yet and may contain malicious code.
- npm-secure-installer: a secure wrapper for npm install, which will refuse to globally install packages that do not contain an npm-shrinkwrap lock file.
- package_issues_history: an experimental tool aiming to monitor for problematic package updates, in order to find them even before it is discovered that a certain package version introduced a breaking change.
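To make the package_checker heuristics concrete, here is an added example (not JFrog’s code) that applies the four listed signals to npm-registry-style metadata for a single version. The package name, publish dates, GitHub tags and the “stale” and “fresh” thresholds are all constructed assumptions, so it runs offline.

```javascript
// Added example, not JFrog's package_checker: applies the article's four
// signals to registry-style metadata. Thresholds and sample data are assumed.

const DAY_MS = 24 * 60 * 60 * 1000;
const STALE_DAYS = 365;  // assumed: no release for a year = "unmaintained"
const FRESH_DAYS = 7;    // assumed: younger than a week = "not vetted yet"

// Constructed metadata shaped like the registry's package document:
// "versions" in publish order, "time" with ISO publish dates, plus the tags
// of the linked GitHub repo (assumed to have been fetched separately).
const SAMPLE = {
  name: 'example-faker',                      // hypothetical package name
  versions: ['5.5.3', '6.6.6'],
  time: { '5.5.3': '2020-05-01T00:00:00Z', '6.6.6': '2022-01-04T00:00:00Z' },
  githubTags: ['v5.5.3'],                     // 6.6.6 was never tagged upstream
};

const parse = (v) => v.split('.').map(Number);

// A normal increment is X+1.0.0, X.Y+1.0 or X.Y.Z+1; anything else is a gap.
function isVersionGap(prev, next) {
  const [a, b, c] = parse(prev), [x, y, z] = parse(next);
  if (x === a + 1) return !(y === 0 && z === 0);
  if (x === a && y === b + 1) return z !== 0;
  if (x === a && y === b && z === c + 1) return false;
  return true;
}

// Returns the warning strings raised for `version`, evaluated as of `now`.
function checkVersion(meta, version, now) {
  const idx = meta.versions.indexOf(version);
  if (idx < 0) throw new Error(`unknown version ${version}`);
  const warnings = [];
  const published = new Date(meta.time[version]);
  const prev = idx > 0 ? meta.versions[idx - 1] : null;

  if (prev && isVersionGap(prev, version))
    warnings.push(`version gap: ${prev} -> ${version}`);
  if (prev && published - new Date(meta.time[prev]) > STALE_DAYS * DAY_MS)
    warnings.push(`update to a package idle since ${meta.time[prev]}`);
  if (!meta.githubTags.some((t) => t.replace(/^v/, '') === version))
    warnings.push(`no matching tag in linked GitHub repo for ${version}`);
  if (now - published < FRESH_DAYS * DAY_MS)
    warnings.push(`published ${Math.floor((now - published) / DAY_MS)} day(s) ago, not vetted yet`);
  return warnings;
}

const NOW = new Date('2022-01-06T00:00:00Z');   // constructed evaluation date
console.log(checkVersion(SAMPLE, '6.6.6', NOW)); // all four signals fire
console.log(checkVersion(SAMPLE, '5.5.3', NOW)); // []
```

Any non-empty result is a reason to hold the upgrade and inspect the release, not proof of compromise.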
With these tools, Khivrich added, you’ll be better able to “maintain good cyber hygiene by validating the security and robustness of each new software package version prior to use, at this time specifically for the npm package repository.”
This won’t solve the problem with bad npm files, but it’s a big step forward.
InApps Technology is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: JFrog.
Source: InApps.net