October 3, 2022

TheCyberThrone

Thinking Security ! Always

JFrog NPM Trio Tool

JFrog has released a trio of tools to help JavaScript developers keep malicious packages from slipping into their applications. The set consists of npm-secure-install, package-checker, and npm_issues_statistic, and is designed to address some of the security issues that persist when using open-source software: validating whether package versions can be trusted, installing packages securely, and monitoring applications for potentially troublesome components.

NPM has become a cornerstone of JavaScript application development, providing millions of open-source JavaScript packages. But the convenience of using open-source packages comes with some security trade-offs. Recent security incidents involving vulnerabilities in open-source software have raised concerns about who should take responsibility for controlling and securing the code of these packages, and how. These incidents prompted the development of the JFrog tools.


Developers often blindly trust NPM packages, while in many cases development tools pull code from them and integrate it into applications without the developer being aware. Those applications will thus inherit any vulnerabilities the packages contain.

package-lock.json, a specification file that forces JavaScript applications to use a specific version of an NPM dependency, is highly recommended for both stability and security. However, under certain circumstances this pinning can be circumvented, causing applications to run a malicious version of the package.

npm-secure-install is a package installer that enforces secure practices, such as preventing global installation of packages unless they contain npm-shrinkwrap.json, a specification that ensures everyone gets the same version of all dependencies.

npm_issues_statistic monitors applications for problematic packages before they are reported to have breaking changes in updated versions.

JFrog is considering integrating these and similar capabilities into its CLI tool to ensure the secure management of NPM repositories.
