In late November 2018 the GitHub community reported a serious vulnerability in event-stream, a package that makes working with Node streams easier. It was fairly popular: at the time it was downloaded over 2.2 million times per week (for comparison, React was at about 3.7 million). Event-stream had been handed over to a new maintainer, who added a dependency on another library, flatmap-stream. A later release of flatmap-stream carried malware aimed at the Copay cryptocurrency wallet: it tried to steal wallet private keys and account details from machines where the package ended up bundled.
Rely on official solutions and large communities
Wherever possible, rely on official, well-established solutions in your project. They are not only less likely to be vulnerable thanks to a more mature development process; a large community, which usually comes with a recognised brand, spots problems much faster and, more importantly, finds good fixes. Keep in mind that popularity alone did not protect event-stream users: the package was popular and still shipped malware, so treat community size as one signal among several rather than as a guarantee.
Use NPM trends
Fig. 1. Webpack NPM trend.
Fig. 2. Event-stream NPM trend.
The current state of a package does not necessarily tell you about its past. A quick look at an npm trends chart shows how downloads have actually developed over time. It reveals not only sharp breaks, where a vulnerability may have been found, but the general condition of a given package (note: the large swings on the chart around 24 - 30 December reflect the holiday season and do not necessarily indicate a problem). As an example, look at figure 1, which shows Webpack downloads per week. You will see steady growth without any breaking points, which suggests a healthy, actively used package (popularity is evidence of attention, not proof of security). On figure 2, by contrast, you will find a large drop in November, a clear signal that something could have gone wrong in that period (which in this case we already know to be true).
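The drop the author points at in figure 2 can also be spotted programmatically. The following is an added example, not code from the original article: it takes daily download counts in the shape the public npm downloads API returns (https://api.npmjs.org/downloads/range/<period>/<package>), sums them into weeks and flags any week that fell by more than a threshold against the previous one, skipping the 24 December to 1 January period the text warns about. The download numbers are constructed for the example and are not real event-stream traffic; the threshold and the holiday window are my own choices.

```javascript
// Added example, not code from the original article: flag suspicious
// week-over-week drops in a package's download history, which is what the
// npm trends chart lets you spot by eye. The input shape matches what the
// public npm downloads API returns from
// https://api.npmjs.org/downloads/range/<period>/<package>
// ({ downloads: [{ day: 'YYYY-MM-DD', downloads: N }, ...] }); the data below
// is constructed for the example and is not real event-stream traffic.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample: nine weeks of daily counts starting Monday 2018-11-05,
// with a sharp decline from the week of 2018-11-26 and an expected holiday dip
// in the week of 2018-12-24.
function buildSample() {
  const daily = [];
  const start = Date.UTC(2018, 10, 5); // month is zero-based: 10 = November
  for (let i = 0; i < 63; i++) {
    const day = new Date(start + i * DAY_MS).toISOString().slice(0, 10);
    const week = Math.floor(i / 7);
    let n = 300000;
    if (week >= 3) n = 120000; // incident-style decline, stays low afterwards
    if (week === 7) n = 60000; // holiday week, a dip we do not want to alert on
    daily.push({ day, downloads: n });
  }
  return daily;
}

// Sum daily counts into consecutive 7-day buckets, keeping each bucket's start day.
function weeklyTotals(daily) {
  const weeks = [];
  for (let i = 0; i < daily.length; i += 7) {
    const chunk = daily.slice(i, i + 7);
    weeks.push({
      start: chunk[0].day,
      downloads: chunk.reduce((sum, d) => sum + d.downloads, 0),
    });
  }
  return weeks;
}

// A 7-day bucket starting on this date overlaps 24 December to 1 January,
// the period the article notes as a normal seasonal dip.
function isHolidayWeek(startDay) {
  const [, month, day] = startDay.split('-').map(Number);
  return (month === 12 && day >= 18) || (month === 1 && day === 1);
}

// Return the weeks whose downloads fell by at least maxDropRatio (default 40%)
// against the previous week, ignoring the holiday period.
function flagDrops(daily, { maxDropRatio = 0.4 } = {}) {
  const weeks = weeklyTotals(daily);
  const flagged = [];
  for (let i = 1; i < weeks.length; i++) {
    const prev = weeks[i - 1].downloads;
    const cur = weeks[i].downloads;
    if (prev === 0) continue; // nothing to compare against
    const drop = (prev - cur) / prev;
    if (drop >= maxDropRatio && !isHolidayWeek(weeks[i].start)) {
      flagged.push({ start: weeks[i].start, from: prev, to: cur, drop: Number(drop.toFixed(2)) });
    }
  }
  return flagged;
}

for (const w of flagDrops(buildSample())) {
  console.log(`week of ${w.start}: ${w.from} -> ${w.to} downloads (${Math.round(w.drop * 100)}% drop)`);
}
```

On the constructed data only the week of 2018-11-26 is reported; the 50% holiday dip in the week of 2018-12-24 is suppressed. A drop like this is a prompt to read the package's changelog, issues and recent releases, not a verdict on its own: downloads fall for harmless reasons too, such as a major version moving users to a new package name.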
The best and most reliable way to verify the state of your dependencies is to perform an audit. The npm audit command is available natively in npm since version 6, and yarn gained yarn audit in 1.12, so it needs a recent version of either (npm also needs a lockfile to know the exact versions installed). It sends the list of your current dependencies, package names and versions, to the registry's audit endpoint and returns the known vulnerabilities for them, with details such as severity, the affected version range, the dependency path that pulls the package in, and a reference to the advisory (figure 3). npm audit fix then applies the upgrades that can be made without a breaking change. Keep in mind that an audit only reports advisories that have already been published: the malicious flatmap-stream release would not have been flagged until someone reported it, so an audit complements, rather than replaces, keeping an eye on your dependencies.
Fig. 3. Example of npm audit command result. Source: https://docs.npmjs.com