SoylentNews is people

posted by martyb on Monday December 17 2018, @09:39PM
from the Taking-a-closer-look dept.

NPM[*], to put it lightly, had a challenging year. A series of high-profile incidents resulted in headaches for system administrators, as a combination of third parties abusing the NPM platform and bad deployments from the NPM team themselves caused adverse effects.

In an interview with TechRepublic, NPM director of security Adam Baldwin indicated that NPM, Inc. is working on solutions to improve security. "Users of Javascript in the enterprise share responsibility with NPM. We have a dedicated security team and are building products in 2019 to focus on these efforts," Baldwin said. The product hinted at is tooling being built into NPM, "starting with Enterprise, to help understand what is being run on systems." These changes are tentatively planned to be unveiled in the first half of 2019.

These plans include identifying known vulnerabilities and advanced reporting and visualization of dependency trees, in order to gain a better understanding of what is being used in deployment. In an earlier email with TechRepublic, NPM's Jonathan Cowperthwait noted that the team could improve security by "surfacing information about maintainer transfers," and "driving use of two-factor authentication."

https://www.techrepublic.com/article/heres-how-npm-plans-to-improve-security-and-reliability-in-2019/

[*] https://en.wikipedia.org/wiki/Npm_(software):

npm is a package manager for the JavaScript programming language. It is the default package manager for the JavaScript runtime environment Node.js. It consists of a command line client, also called npm, and an online database of public and paid-for private packages, called the npm registry. The registry is accessed via the client, and the available packages can be browsed and searched via the npm website. The package manager and the registry are managed by npm, Inc.


  • (Score: 0, Funny) by Anonymous Coward on Tuesday December 18 2018, @12:53AM (#775668)

    LOL. His last job was women's rights advocate with the Muslim Brotherhood in Egypt.

  • (Score: 0) by Anonymous Coward on Tuesday December 18 2018, @02:25AM (#775695)

    That's funny, this page, https://www.crunchbase.com/person/adam-baldwin#section-related-hubs [crunchbase.com]
    says he raises chickens... while talking about security non-stop (the chickens are bored to tears).