How Do Developers Follow Security-Relevant Best Practices When Using NPM Packages?

Md Mahir Asef Kabir, Ying Wang, D. Yao, Na Meng
2022 IEEE Secure Development Conference (SecDev), October 2022.
DOI: 10.1109/SecDev53368.2022.00027 (https://doi.org/10.1109/SecDev53368.2022.00027)
Citations: 1

Abstract

Node.js has become popular among developers, partially because of its large software ecosystem of NPM (Node Package Manager) packages. When building JavaScript (JS) applications on top of NPM packages, developers can reuse the provided functionality to improve programmer productivity. However, many NPM packages have recently been found to be vulnerable or malicious. Such packages can introduce vulnerabilities into their client JS applications and enable software supply chain attacks. To reduce the impact of potentially malicious NPM packages in the Node.js software ecosystem, experts have suggested best practices for developers to follow when maintaining package dependencies. These best practices include using specific commands and/or tools to (a) conduct security audits of dependencies and remove vulnerable dependencies, (b) remove unused and duplicated dependencies, and (c) fix the version information of library/package dependencies. We were curious how developers have followed and will follow those best practices. For this paper, we conducted a large-scale empirical study of 841 popularly used open-source JS applications. By analyzing their configuration files (e.g., package.json and package-lock.json), we found that only 32% of the applications lock the version numbers of package dependencies. The commands/tools reported (i) vulnerable, (ii) unused, and (iii) duplicated dependencies in 55%, 90%, and 83% of the applications, respectively, which implies that developers often ignored the best practices we examined. We also conducted a user study with developers to obtain their opinions on the suggested best practices and received interesting feedback. Our research will inform future work on the management of NPM package dependencies.
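The version-locking practice (c) is the one the study measured directly from configuration files. The following added example (not code from the paper or its authors) shows one way to check it: it classifies each specifier in a parsed package.json as an exact pin or a floating range and reports whether the dependency set is locked, assuming the caller knows whether a package-lock.json exists. The sample package.json is constructed for illustration.

```javascript
// Exact semver: MAJOR.MINOR.PATCH with optional pre-release and build metadata.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// True when a specifier resolves to exactly one version. A leading "=" is
// accepted as exact; ranges (^, ~, >=, *, x-ranges) and dist-tags ("latest") float.
function isPinned(spec) {
  const s = String(spec).trim().replace(/^=/, '');
  return EXACT_SEMVER.test(s);
}

// Walk dependencies and devDependencies of a parsed package.json object.
// Returns { pinned, floating, lockfilePresent, locked } where pinned and
// floating are "name@spec" strings. The tree counts as locked when every
// specifier is exact or a lockfile fixes the resolved versions.
function auditVersionPinning(pkg, lockfilePresent) {
  const report = {
    pinned: [],
    floating: [],
    lockfilePresent: Boolean(lockfilePresent),
  };
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      (isPinned(spec) ? report.pinned : report.floating).push(`${name}@${spec}`);
    }
  }
  report.locked = report.lockfilePresent || report.floating.length === 0;
  return report;
}

// Constructed sample package.json (hypothetical project, not from the study).
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-app',
  dependencies: {
    express: '^4.18.2',   // caret range: floats within major 4
    lodash: '4.17.21',    // exact pin
    'left-pad': '~1.3.0', // tilde range: floats within minor 1.3
    debug: '*',           // any version
  },
  devDependencies: {
    mocha: '>=10.0.0',    // open-ended range
    eslint: '=8.50.0',    // exact pin written with "="
    typescript: 'latest', // dist-tag, resolved at install time
  },
};

// Without a lockfile, five of seven specifiers float, so the tree is not locked.
const demo = auditVersionPinning(SAMPLE_PACKAGE_JSON, false);
console.log(JSON.stringify(demo, null, 2));
```

Running the same check with `lockfilePresent` set to true reports the tree as locked even though the specifiers float, which matches the study's use of package-lock.json as evidence of version locking.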