The Evil Side of the npm Ecosystem

Are you going to be the next victim?

Disclaimer: I use npm myself. The point of this post is not to discredit npm; it is to help people understand that packages from the npm ecosystem should not be installed without first doing some research on them.

What to Look For

Here are key things to look for before installing a package:

  • Unpacked Size — Compare the size with what the package claims to do. A very simple package with a massive unpacked size is a red flag: at best the code is bloated and not worth pulling into your project, at worst the tarball carries bundled code you never asked for. Look inside before you install it.
  • Last Updated — The date of the last publish should be reasonably recent. If a package has not been touched for six months or more, it may no longer be maintained, and any bugs or vulnerabilities found in it are unlikely to ever be fixed. The reverse is not a guarantee, though: a package that was recently updated is not automatically safe, since a hijacked maintainer account or compromised build pushes "recent" updates too.
  • GitHub Activity — The open issues, the code itself, and how responsive the maintainers are will tell you whether the package is actively looked after. Make sure the package actually links to a repository; a package with no repository gives you nowhere to check any of this.
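The three checks above can be scripted against the JSON that `npm view <package> --json` prints. The following is an added example written for this post, not code from npm or from any package; the two metadata objects are constructed to mimic that output (the package names, sizes and dates are made up), and the size and age thresholds are assumptions rather than npm recommendations.

```javascript
// Added example: score a package against the checklist (unpacked size,
// last-updated date, linked repository) using the shape of `npm view --json`.
// The metadata below is CONSTRUCTED to look like that output; it is not real
// npm registry data, and the thresholds are assumptions for illustration.

const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000;
const BIG_UNPACKED_BYTES = 1024 * 1024; // assumed: 1 MiB is "massive" for a simple package

// Returns a list of human-readable warnings; an empty list means all three
// checks passed. `now` is injectable so the age check is deterministic.
function assessPackage(meta, now = Date.now()) {
  const warnings = [];

  // 1. Unpacked size: `dist.unpackedSize` and `dist.fileCount` come from the registry.
  const dist = meta.dist || {};
  if (typeof dist.unpackedSize === 'number' && dist.unpackedSize > BIG_UNPACKED_BYTES) {
    warnings.push(
      `unpackedSize ${dist.unpackedSize} bytes is large for ${dist.fileCount || '?'} files`
    );
  }

  // 2. Last updated: `time.modified` is the ISO timestamp of the last registry change.
  const modifiedIso = meta.time && meta.time.modified;
  const modified = modifiedIso ? Date.parse(modifiedIso) : NaN;
  if (Number.isNaN(modified)) {
    warnings.push('no time.modified in metadata; cannot tell when it was last updated');
  } else if (now - modified > SIX_MONTHS_MS) {
    warnings.push(`last updated ${modifiedIso}, more than six months before the check`);
  }

  // 3. Somewhere to look at issues and maintainer activity.
  const repoUrl = meta.repository && meta.repository.url;
  if (!repoUrl) {
    warnings.push('no repository field: nowhere to check issues or maintainer activity');
  }

  return warnings;
}

// Fixed "current time" for the samples (assumption, so results are reproducible).
const CHECK_TIME = Date.parse('2021-06-01T00:00:00.000Z');

// Constructed sample: a small, recently published package with a repository.
const ACTIVE_SMALL = {
  name: 'example-left-trim',          // placeholder name
  version: '1.2.3',
  dist: { unpackedSize: 4096, fileCount: 4 },
  time: { created: '2019-01-10T00:00:00.000Z', modified: '2021-05-20T12:00:00.000Z' },
  repository: { type: 'git', url: 'git+https://github.com/example/example-left-trim.git' },
};

// Constructed sample: a one-function package that is huge, stale and has no repo.
const STALE_BLOATED = {
  name: 'example-is-even',            // placeholder name
  version: '0.0.9',
  dist: { unpackedSize: 9 * 1024 * 1024, fileCount: 3 },
  time: { created: '2018-03-01T00:00:00.000Z', modified: '2020-09-01T00:00:00.000Z' },
};

function report(meta, now) {
  const warnings = assessPackage(meta, now);
  const verdict = warnings.length === 0 ? 'OK' : 'REVIEW BEFORE INSTALLING';
  return `${meta.name}@${meta.version}: ${verdict}` +
    warnings.map((w) => `\n  - ${w}`).join('');
}

console.log(report(ACTIVE_SMALL, CHECK_TIME));
console.log(report(STALE_BLOATED, CHECK_TIME));
```

To run it against a real package, save the output of `npm view <package> --json` to a file, parse it with `JSON.parse`, and pass the object to `assessPackage`. The warnings are prompts to go and look, not a verdict: a package can fail the size or age heuristics and still be fine, and a package that passes all three can still be malicious.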

Learn More

Here are key tools to use for updating and checking packages:

  • npm audit — A command built into the npm CLI that checks the dependencies recorded in your lockfile against the registry's advisory database and prints a detailed report. Running `npm audit fix` will try to update the affected packages automatically, but only within the version ranges your package.json already allows; `npm audit fix --force` will also make semver-major changes, which can break your build.
  • npm-check-updates — A tool, also known as ncu, that shows which of your dependencies have newer versions available and can bump all of the ranges in package.json at once (you still run `npm install` afterwards to apply them).
  • Version Lens (VS Code extension) — Shows inline in package.json whether each dependency is on its latest version or whether an update is available.
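On a CI machine you usually want `npm audit` to fail the build rather than just print a report. The following is an added example, not part of the original post and not npm's own code: it reads the report format that `npm audit --json` produces on npm 7 and later (`auditReportVersion: 2`) and decides whether the build should pass. The report object is constructed for illustration, so the package names and advisory text are placeholders, and the "fail on high and critical" policy is an assumption.

```javascript
// Added example: gate a build on `npm audit --json` output (npm 7+ format).
// The report below is CONSTRUCTED; the package names, versions and advisory
// strings are placeholders, not real advisories. FAIL_ON is an assumed policy.

const FAIL_ON = new Set(['high', 'critical']);

// Splits the vulnerable packages the policy cares about into three lists:
//   failing    - every package at a severity the policy rejects
//   fixable    - subset that `npm audit fix` can resolve without a major bump
//   needsForce - subset whose only fix is semver-major (`npm audit fix --force`)
function gateAudit(report, failOn = FAIL_ON) {
  const vulns = (report && report.vulnerabilities) || {};
  const failing = [];
  const fixable = [];
  const needsForce = [];

  for (const [name, v] of Object.entries(vulns)) {
    if (!failOn.has(v.severity)) continue;
    failing.push(name);
    // fixAvailable is true, false, or { name, version, isSemVerMajor }.
    // A semver-major fix is only applied with --force, which may break callers,
    // so it is worth reporting separately rather than hoping `npm audit fix` did it.
    if (v.fixAvailable === true) {
      fixable.push(name);
    } else if (v.fixAvailable && v.fixAvailable.isSemVerMajor) {
      needsForce.push(name);
    }
  }

  return { failing: failing.sort(), fixable: fixable.sort(), needsForce: needsForce.sort() };
}

// Constructed sample in the shape of `npm audit --json` (npm 7+).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser', severity: 'high', isDirect: false,
      via: ['placeholder advisory'], effects: [], range: '<2.0.0',
      nodes: ['node_modules/example-parser'], fixAvailable: true,
    },
    'example-cli': {
      name: 'example-cli', severity: 'critical', isDirect: true,
      via: ['placeholder advisory'], effects: [], range: '<=4.1.0',
      nodes: ['node_modules/example-cli'],
      fixAvailable: { name: 'example-cli', version: '5.0.0', isSemVerMajor: true },
    },
    'example-util': {
      name: 'example-util', severity: 'low', isDirect: false,
      via: ['placeholder advisory'], effects: [], range: '*',
      nodes: ['node_modules/example-util'], fixAvailable: false,
    },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 1, total: 3 },
  },
};

function summarize(result) {
  if (result.failing.length === 0) return 'audit gate: PASS';
  return [
    `audit gate: FAIL (${result.failing.length} package(s) at rejected severity)`,
    `  fixable with \`npm audit fix\`: ${result.fixable.join(', ') || 'none'}`,
    `  need \`npm audit fix --force\` (semver-major): ${result.needsForce.join(', ') || 'none'}`,
    `  no fix available: ${result.failing
      .filter((n) => !result.fixable.includes(n) && !result.needsForce.includes(n))
      .join(', ') || 'none'}`,
  ].join('\n');
}

console.log(summarize(gateAudit(SAMPLE_REPORT)));
```

In a pipeline you would run `npm audit --json > audit.json`, load the file with `JSON.parse`, and set a non-zero exit code when `gateAudit(report).failing` is not empty. Note that `npm audit` exits non-zero itself whenever it finds anything at all, so without a gate like this a single low-severity advisory in a dev dependency blocks the build just as hard as a critical one in production code.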
