In modern software development, business owners and stakeholders often expect development to be fast-paced while at the same time avoiding major bugs, security issues and technical debt.
This is when it becomes a bit tricky when it comes to web development - you simply cannot be efficient and avoid serious security issues, bugs, flaws etc. unless you have the necessary tools to help you with management of dependencies, versions, security and licenses for your open source components.
After reading this post you will have a better understanding of:
- What the public npm registry is and how it is used by developers
- Pitfalls with dependencies, open source licenses, availability of packages and security vulnerabilities and what typosquatting is
- How Bytesafe can help you avoid the pitfalls and therefore reduce your risks
What is npm and why use it?
Today basically every developer uses
npm and reuse code due to the upside it brings with substantial increase in the speed of developing new projects.
npm does provide some security features, but for the most part the security responsibility and control over what open source packages are used lies with individual developers.
Here are some npm stats (March 2020):
- 75 billion downloads per month
- Approx. 12 million developers use npm
Obviously, with these numbers there will always be those that have the intention to damage to benefit or just “for the fun of it”. Continue reading to better understand some of the pitfalls and what you can do about it. Doing nothing is not an option if you want to manage your risks.
A few pitfalls to be aware of
Below is a visualization of the close to 1600(!) dependencies when setting up a new React app using the instructions on React’s official site 1. Keeping track manually is impossible!
There is often a misunderstanding that open source code is free to use, but most open source packages are under a specific license. Breaching a license is obviously not a good thing and should be avoided at all cost by having your license compliance under control. Worst case scenario you may need to release you own code as open source under the same license as the package dependency you used. Worst case you might end up in a very costly court suit due to open source license litigation. If you have not thought of license compliance related to open source you might want to research how other companies have been impacted and you will quickly understand that this is just as important as regulatory compliance. 2
Package availability and security vulnerabilities
How to avoid the pitfalls
Below is a good starting point to decouple the direct dependency to the public npm registry and how to avoid pitfalls:
Always use an npm proxy. This way you will be able to have local versions available for as long as you like and avoid the risk of packages being unpublished. Also you can use private registries available only for teams within your organization and make sure that developers can share the exact same versions.
Flexible private registries. Make sure that your private registry is able to include or exclude for example only packages of a certain license or packages from specific companies or maintainers (those maintaining external packages). Also make sure that you are always able to override and patch packages that you are dependent on. In case there is a known vulnerability you might not have the time to wait for a fix by the maintainer in the public registry. There is a risk that the version you are using might never be patched.
Security scanning & filtering. If there are known security issues you want to make sure that you private registries scans for these. If any developer tries to install a version containing vulnerability, then you should have the possibility to technically block that code from even getting into your private registries. You should also be alerted in case any security issues are detected in the future. In short, your code supply chain should be secure and smart adding value to your organization.
Using Bytesafe as a solution
Bytesafe acts as an npm proxy with support for multiple private registries and multiple upstreams. This offers your organization a unique flexibility and control over how you work with packages in private registries, which fits agile organizations very well.
Before this summer we plan to extend the policies & plugins to extend Bytesafe with features related security and better notifications.
Want to give Bytesafe a try? Go ahead and Sign up for Bytesafe.
Feel free to reach out to me if you’re interested and want to get in contact or our Support team if you have any questions or feedback!
For more details on to secure your code supply chain and avoid risks, see these posts:
- Avoiding Dependency Confusion
- Npm security best practices
- Npm Security Issues to keep an eye on in 2021
- Typosquatting- the devil is in the details
- Introducing Security Scanning
- Introducing Policies & Plugins
Create a new React app
Open Source Licenses are enforceable contracts