Overview
Explore a comprehensive analysis of security threats in the npm ecosystem through this 21-minute conference talk from USENIX Security '19. Delve into the potential risks associated with the open nature of npm, including the impact of single packages on millions of computers and the influence of individual maintainers. Examine the systematic study of package dependencies, maintainer responsibilities, and publicly reported security issues. Discover key findings on the potential for running vulnerable or malicious code due to third-party dependencies, and learn about the increasing problem of maintainer account vulnerabilities. Investigate the challenges of accidentally using vulnerable code due to lack of maintenance, even years after vulnerabilities become public. Consider proposed mitigation techniques, such as trusted maintainers and total first-party security, and evaluate their potential effectiveness in addressing npm's single points of failure and the threat of unmaintained packages to large code bases.
Syllabus
Intro
JavaScript and npm
eslint Incident
Key Findings
Particularities of npm
Empirical Study
Experimental Setup
Evolution of Package Reach
Evolution of Maintainer Influence
Evolution of Security Advisories
Potential Mitigations
Code Vetting as Mitigation
Conclusions
Evolution of Dependencies
Taught by
USENIX