JFrog Helps Clean up Bad npm JavaScript with 3 New Tools


When Microsoft acquired npm, the company behind the Node.js package manager of the same name, with its over 1.3 million packages and 75 billion downloads, I’d hoped that some of npm’s notoriously unstable releases would finally be fixed. I hoped in vain. For instance, the recent mess with the npm libraries ‘colors.js’ and ‘faker.js’ showed that we haven’t improved much since 2016’s infamous ‘left-pad’ episode. In all three cases, tens of thousands of npm programs went up in smoke.

So it is a good thing that JFrog, a company that uses DevOps principles to secure the software supply chain, has released three new open source programs to detect and block the installation of malicious npm packages.

Securing the Supply Chain

The tools are a direct response to the colors and faker fiasco, in which the packages’ own maintainer deliberately sabotaged them. JFrog, along with many others, is growing concerned about open source software supply chain security.

In the npm ecosystem, new code is all too often pulled from a repository, used in a project, and put into production without ever being checked for problems. Indeed, far too many times, the developer may not even be aware that one of the components has been changed, never mind corrupted. We can no longer afford blind trust in open source code from public repositories.


This happens because, as Ilya Khivrich, JFrog’s senior director of advanced technologies and security research (who joined the company last year when JFrog acquired Vdoo), wrote:

The common method for enforcing the use of specific versions of the npm dependencies in a project is using the package-lock.json file, which specifies the allowed versions of the libraries. We highly recommend using package-lock.json and specifying exact dependency versions whenever possible. It is a little-known fact, however, that the current npm installer, when installing a package globally (npm run with -g or --global), does not honor the package-lock.json file and will happily download the latest available version of any package dependency, according to the dependencies specified in the package.json file. This is why users found their applications were using hijacked versions of the colors package, even though they were certain they were “protected” by package-lock.json.

This needs to be patched and it needs to be patched now. But that’s a problem for npm and its developers, not JFrog.

The Fix

To help deal with this fundamental software supply chain security issue in the meantime, JFrog has made three new open source npm security tools available on GitHub. These programs are:

  • package_checker: a tool providing an indication of whether a specific version of a given package can be trusted. The tool looks for tell-tale signs of packages used in supply-chain attacks and can be used to identify potential risks with newly released versions. The checked conditions include: (1) a significant gap in version numbers (e.g., jumping from 5.5.3 to 6.6.6, as in the case of the faker npm package); (2) new updates to an unmaintained package; (3) a discrepancy between the versions appearing in npm and in its linked GitHub repository; and (4) how recently the version was posted, since a very new version has not been vetted yet and may contain malicious code.
  • npm-secure-installer: a secure wrapper for npm install, which will refuse to globally install packages that do not contain an npm-shrinkwrap lock file.
  • package_issues_history: an experimental tool aiming to monitor for problematic package updates, in order to find them even before it is discovered that a certain package version introduced a breaking change.
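The four package_checker signals listed above, implemented as an added example that is not JFrog’s code. The package name, publish dates and git tag list are constructed, and the thresholds (a release after more than 365 days of silence, a version younger than 7 days) are assumptions:

```javascript
// Added example, not JFrog's package_checker: applies the four signals listed
// above to one version of a package, using constructed registry-style metadata.
const DAY_MS = 24 * 60 * 60 * 1000;
// Constructed sample in the shape of `npm view <pkg> --json` (versions, time)
// plus the tags of the package's linked git repository. Package name is made up.
const SAMPLE = {
  name: "example-lib",
  versions: ["5.5.1", "5.5.2", "5.5.3", "6.6.6"],
  time: {
    "5.5.1": "2019-03-01T00:00:00Z",
    "5.5.2": "2019-05-10T00:00:00Z",
    "5.5.3": "2019-08-20T00:00:00Z",
    "6.6.6": "2022-01-08T00:00:00Z",
  },
  gitTags: ["v5.5.1", "v5.5.2", "v5.5.3"], // the repo was never tagged 6.6.6
};

function parseSemver(v) {
  const [major, minor, patch] = v.split(".").map(Number);
  return { major, minor, patch };
}

// A normal release bumps exactly one component and resets the lower ones;
// anything else (5.5.3 -> 6.6.6) counts as a suspicious version gap.
function isNormalBump(prev, next) {
  const a = parseSemver(prev), b = parseSemver(next);
  return (b.major === a.major + 1 && b.minor === 0 && b.patch === 0) ||
         (b.major === a.major && b.minor === a.minor + 1 && b.patch === 0) ||
         (b.major === a.major && b.minor === a.minor && b.patch === a.patch + 1);
}

// Returns the risk signals raised by `version`, evaluated as of `now`.
function checkVersion(meta, version, now = new Date()) {
  const signals = [];
  const idx = meta.versions.indexOf(version);
  if (idx < 0) throw new Error(`unknown version ${version}`);
  const published = new Date(meta.time[version]);
  if (idx > 0) {
    const prev = meta.versions[idx - 1];
    if (!isNormalBump(prev, version)) signals.push("version-gap");
    // a release after a long silence: the package looked unmaintained
    if (published - new Date(meta.time[prev]) > 365 * DAY_MS) signals.push("unmaintained-revived");
  }
  // published to npm but absent from the linked repository's tags
  if (!meta.gitTags.includes(`v${version}`) && !meta.gitTags.includes(version)) signals.push("no-git-tag");
  // too fresh for anyone to have vetted it
  if (now - published < 7 * DAY_MS) signals.push("too-recent");
  return signals;
}
```

Run against live data by replacing SAMPLE with the output of `npm view <pkg> --json` and the repository’s tag list; an empty result means none of the four signals fired, not that the version is safe.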

With these tools, Khivrich added, you’ll be better able to “maintain good cyber hygiene by validating the security and robustness of each new software package version prior to use, at this time specifically for the npm package repository.”

This won’t solve the problem with bad npm files, but it’s a big step forward.

InApps Technology is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: JFrog.

Source: InApps.net
