Why and How to Run NPM Security Scans

As the default package manager for Node.js, one of the most popular JavaScript runtimes, NPM is a widely used tool for creating and distributing JavaScript software. NPM makes it easy for developers to share and reuse JavaScript code via repositories, which in turn speeds the development process and simplifies the distribution of JavaScript software.

From the perspective of end-users (who, in the case of Node.js apps, are likely to be system administrators installing Node.js software on the servers they manage), NPM enables a simple process for downloading and installing JavaScript applications.

NPM package vulnerabilities

However, NPM’s ability to simplify JavaScript software distribution doesn’t guarantee security. A variety of security risks can exist within NPM packages, such as insecure application code that enables attackers to take control of an application and its host operating system, or dependencies on other NPM packages or libraries that are known to be insecure.

NPM itself doesn’t automatically check for vulnerabilities like these or prevent developers and users from uploading and downloading insecure packages. As a result, if left undetected, vulnerabilities in NPM packages can spread quickly within communities that use Node.js software. Developers may end up importing vulnerable NPM packages into the software they write, which places them at risk of distributing insecure software to their users. For their part, end-users who don’t check NPM packages for risks may inadvertently install malicious packages on their computers.

Risks like these have created major security vulnerabilities for NPM packages, such as a severe remote code execution flaw in an NPM package that is downloaded 12 million times per month.

Using security scans to manage NPM security

The primary method of defense against risks like these is NPM security scanning. NPM security scanners recursively parse through all layers of an NPM package, including dependencies (meaning other packages that an NPM package requires in order to run an application).

By identifying the contents of each layer of an NPM package and its dependencies, then checking whether the contents contain known security vulnerabilities, NPM security scanning helps protect both developers and end-users from malware, insecure application code and other threats that may exist within NPM packages.

Tools for NPM security scanning

There are two main ways to perform NPM security scanning.

The first is to use NPM’s native auditing tool, called npm-audit. Npm-audit is an open source command-line utility that generates a report of known vulnerabilities within a given NPM package. In certain cases, npm-audit can attempt to fix a vulnerability by replacing a vulnerable package with an updated, patched alternative. The command-line tool “npm” can also list CVE advisories associated with a package.

You can download and run npm-audit directly on your computer, or you can access it through platforms like JFrog Artifactory, which features native support for npm-audit.

The second method for performing NPM security scanning is to use a commercial scanning tool, such as JFrog Xray. Unlike npm-audit, which is designed only for providing one-off security reports on individual packages that users scan manually from the command line  (although it could be integrated into a script to run rep), Xray can continuously scan packages within Artifactory repositories. This ensures that whenever a new package is uploaded, or an existing package is changed, it will be automatically checked for security vulnerabilities.

In addition, Xray supports integration with CI/CD pipelines to perform continuous scanning (via IDE plugins) as developers write Node.js code. It also provides impact analysis, which helps developers and users understand how widespread a detected vulnerability is within their NPM packages.