2019-03-26
Software Development

Security in JavaScript packages

Daniel Grek


Every day the number of JavaScript packages grows. This is the result of a community which, on the one hand, demands new solutions and, on the other, produces them as a form of self-development or self-realization. Such growth opens new doors and possibilities, but it also brings dangers that every developer has to be aware of.

In late November 2018, the GitHub community reported a serious vulnerability in event-stream, a package that helps with working with Node events more efficiently. It was fairly popular: in that period it reached over 2.2 million downloads per week (compared to 3.7 million for React). Event-stream, as well as its dependants, depended on another library, flatmap-stream, which had been updated to include malware targeting cryptocurrency wallets. It allowed stealing private keys and other details from users' accounts on machines where the package was bundled.

Eventually, flatmap-stream was removed from npm, which caused temporary problems for many other libraries. In May of the same year, the community found a backdoor in the getcookies package, which was also part of many other dependency trees. Such examples can be multiplied, which demonstrates how important it is to pay attention to the dependencies installed into a project, not only from the JavaScript perspective but in general.

Rely on official solutions and large communities

As far as possible, rely on official solutions in your project. They are less vulnerable not only because of a better development process: a large community, which usually comes with a better-known brand, helps identify problems much faster and, more importantly, find good solutions.

Use NPM trends


Fig. 1 Webpack NPM trend.


Fig. 2. Event-stream NPM trend.

The current state of a package does not always reflect its past. A quick look at the npm trends chart shows how a package has actually been trending over time: not only the large peaks around which a vulnerability may have been found, but the general condition of the package (note: the large peaks on Google Trends around 24-30 December reflect the holiday season and do not necessarily indicate a problem). As an example, look at figure 1, which shows the weekly download trend of Webpack. You will see stable growth without any breaking points, which suggests that Webpack is a stable and secure package to use. On the other hand, figure 2 shows a large drop in November, a clear signal that something may have gone wrong in that period (which, as we already know, is true).

Dependency audit

The best and most reliable way to verify the state of your dependencies is to perform an audit. The audit command is now available natively in both yarn and npm, although it requires their latest versions. It sends the list of your current dependencies to the registry's audit endpoint and returns the known vulnerabilities affecting them, together with usage details and references to documentation (figure 3).


Fig. 3. Example of npm audit command result. Source: https://docs.npmjs.com
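To make the audit result actionable in a build pipeline, the report can be consumed as JSON rather than read by eye. The following is an added example, not code from the article, that evaluates an `npm audit --json` report and decides whether the build should fail; it assumes the npm 7+ report shape (auditReportVersion 2), and the package names and advisories in the sample are constructed.

```javascript
// Added example (not code from the original article): gate a CI job on the
// output of `npm audit --json`. Assumes the npm 7+ report shape
// (auditReportVersion 2), where `vulnerabilities` is keyed by package name.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Return the findings at or above `failAt` severity, worst first, with a note
// on whether a plain `npm audit fix` can resolve each one.
function evaluateAudit(report, failAt = 'high') {
  const threshold = SEVERITY_RANK[failAt];
  if (threshold === undefined) throw new Error(`unknown severity: ${failAt}`);
  const findings = Object.values(report.vulnerabilities || {})
    .filter((v) => SEVERITY_RANK[v.severity] >= threshold)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      // `via` mixes advisory objects (root cause) with package-name strings
      // (inherited from a dependency); keep only the advisory titles.
      advisories: v.via.filter((x) => typeof x === 'object').map((x) => x.title),
      // `fixAvailable` is true, false, or an object describing a semver-major fix.
      fixable: v.fixAvailable === true,
      breakingFix: typeof v.fixAvailable === 'object' && v.fixAvailable !== null,
    }))
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
  return { failed: findings.length > 0, findings };
}

// Constructed sample report with made-up packages and advisories, in the
// npm 7+ format; a real one comes from `npm audit --json > audit.json`.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-stream': {
      name: 'example-stream', severity: 'critical', isDirect: true,
      via: [{ title: 'Malicious code in dependency', url: 'https://example.invalid/1' }],
      effects: [], range: '3.3.6', nodes: ['node_modules/example-stream'],
      fixAvailable: { name: 'example-stream', version: '4.0.1', isSemVerMajor: true },
    },
    'example-minimist': {
      name: 'example-minimist', severity: 'moderate', isDirect: false,
      via: [{ title: 'Prototype pollution', url: 'https://example.invalid/2' }],
      effects: ['example-cli'], range: '<1.2.3', nodes: ['node_modules/example-minimist'],
      fixAvailable: true,
    },
  },
};

// Stand-alone run on the sample: `failed` is true because of the critical
// finding, and `breakingFix` warns that `npm audit fix` alone will not fix it.
console.log(JSON.stringify(evaluateAudit(SAMPLE_REPORT), null, 2));
```

With the default `high` threshold only the critical finding fails the build; lowering it to `moderate` also surfaces the transitive one, which `npm audit fix` can resolve without a breaking change.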

Managing dependencies in JavaScript is not an easy task. The number of available solutions grows every day, so remember to choose your dependencies wisely and carefully. Keep auditing your current project and update your packages regularly.

To learn more about javascript dependencies and how to resolve some of their problems, please check this article.

Sources:

  1. https://github.com/dominictarr/event-stream/issues/116
  2. https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
  3. https://blog.npmjs.org/post/173526807575/reported-malicious-module-getcookies
  4. https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities
  5. https://docs.npmjs.com/cli/audit
  6. https://yarnpkg.com/lang/en/docs/cli/audit/
