A trio of tools released by JFrog to prevent malicious packages from slipping into applications will be helpful for Java developers. The tool package consists of npm-secure-install, package-checker, and npm_issues_statistic, designed to address some of the security issues that persist when using open-source software: validating whether package versions can be trusted, installing packages securely, and monitoring applications for potentially troublesome components.
Developers often blindly trust npm packages; in many cases development tools pull code from them and integrate it into applications without the developer being aware. Those applications thus inherit any vulnerabilities the packages contain.
Npm-secure-install is a package installer that enforces secure practices, such as preventing global installation of packages unless they contain npm-shrinkwrap.json, a lockfile specification that ensures everyone gets the same version of every dependency.
Npm_issues_statistic monitors applications for problematic packages before they are reported to have breaking changes in updated versions.
JFrog is considering integrating these and similar capabilities into its CLI tool to ensure the secure management of NPM repositories.