
posted by martyb on Monday December 17 2018, @09:39PM
from the Taking-a-closer-look dept.

NPM[*], to put it lightly, had a challenging year. A series of high-profile incidents resulted in headaches for system administrators, as a combination of third parties abusing the NPM platform and bad deployments by the NPM team itself caused adverse effects.

In an interview with TechRepublic, NPM director of security Adam Baldwin indicated that NPM, Inc. is working on solutions to improve security. "Users of Javascript in the enterprise share responsibility with NPM. We have a dedicated security team and are building products in 2019 to focus on these efforts," Baldwin said. The product hinted at is tooling being built into NPM, "starting with Enterprise, to help understand what is being run on systems." These changes are tentatively planned to be unveiled in the first half of 2019.

These plans include identifying known vulnerabilities and advanced reporting and visualization of dependency trees, in order to gain a better understanding of what is being used in deployment. In an earlier email with TechRepublic, NPM's Jonathan Cowperthwait noted that the team could improve security by "surfacing information about maintainer transfers," and "driving use of two-factor authentication."
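As an added illustration of the dependency-tree and known-vulnerability reporting described above (example code written for this page, not npm, Inc.'s own tooling), the following Node.js script walks a constructed lockfileVersion-2 package-lock.json the way npm's resolver would and flags installed versions below an advisory's fixed version, reporting the full chain so a vulnerable nested copy is attributed to its parent. The package names, versions and the advisory are all constructed placeholders.

```javascript
// Constructed sample lockfile (lockfileVersion 2 layout): a hoisted 1.0.3 copy
// of left-pad-ish at the top level and an older copy nested under web-app-lib.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "web-app-lib": "^1.0.0", "left-pad-ish": "^1.0.0" } },
    "node_modules/web-app-lib": { version: "1.2.0", dependencies: { "left-pad-ish": "^0.9.0" } },
    "node_modules/web-app-lib/node_modules/left-pad-ish": { version: "0.9.1" },
    "node_modules/left-pad-ish": { version: "1.0.3" },
  },
};
// Constructed advisory (placeholder): versions below `fixedIn` count as affected.
const SAMPLE_ADVISORIES = [{ name: "left-pad-ish", fixedIn: "1.0.0" }];
// Numeric comparison of dotted version strings; returns <0, 0 or >0.
function cmpVersion(a, b) {
  const pa = a.split("."), pb = b.split(".");
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = parseInt(pa[i] || "0", 10) - parseInt(pb[i] || "0", 10);
    if (d !== 0) return d;
  }
  return 0;
}
// Node-style resolution: node_modules beside the requirer, then each enclosing one up to root "".
function resolveDep(packages, fromKey, name) {
  for (let base = fromKey; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}
// Depth-first walk from the root; findings carry the full chain so a nested copy shows its parent.
function findVulnerable(lock, advisories) {
  const pkgs = lock.packages, findings = [];
  function walk(key, chain, stack) {
    for (const name of Object.keys(pkgs[key].dependencies || {})) {
      const depKey = resolveDep(pkgs, key, name);
      if (!depKey || stack.includes(depKey)) continue; // unresolved or cyclic
      const version = pkgs[depKey].version, next = chain.concat(name + "@" + version);
      for (const adv of advisories) {
        if (adv.name === name && cmpVersion(version, adv.fixedIn) < 0)
          findings.push({ chain: next.join(" > "), version, fixedIn: adv.fixedIn });
      }
      walk(depKey, next, stack.concat(depKey));
    }
  }
  walk("", [], [""]);
  return findings;
}
```

Running `findVulnerable(SAMPLE_LOCK, SAMPLE_ADVISORIES)` reports only the nested 0.9.1 copy under web-app-lib; the hoisted 1.0.3 copy at the top level is not affected.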

https://www.techrepublic.com/article/heres-how-npm-plans-to-improve-security-and-reliability-in-2019/

[*] https://en.wikipedia.org/wiki/Npm_(software):

npm is a package manager for the JavaScript programming language. It is the default package manager for the JavaScript runtime environment Node.js. It consists of a command line client, also called npm, and an online database of public and paid-for private packages, called the npm registry. The registry is accessed via the client, and the available packages can be browsed and searched via the npm website. The package manager and the registry are managed by npm, Inc.

  • (Score: 1) by AlwaysNever (5817) on Monday December 17 2018, @10:52PM (#775607)

    I like the vitriol in the comments here. Nice. No javascript allowed, fuck off!